WordPress Brute Force Amplification Attacks

WordPress has always been one of the most targeted software online for hackers and recently Sucuri has reported a new kind of attack which we should really have a look at.  This knew attack is called Brute Force Amplification Attack.

What is “Brute Force Amplification Attack“?  Basically this attack is used to brute force your WordPress password.  A lot of WordPress security plugins already block brute force attacks, however, this attack does it in a way it brute forces 100s of login attempts in one request.

How are they doing it?  XML-PRC is a protocol used by WordPress to allow applications to manage it remotely.  One of the available method is system.multicall and this method is designed to allow an application to make multiple commands with just one request.  Hackers can use this method to guess hundreds of passwords with just one HTTP request.  The problem with this is that now your security plugin will detect this as one failed auth attempt, meanwhile the attacker has tested hundreds of passwords.  Most security plugin will limit the number of fail login attempts within a time period.  The attacker now can spread the login attempt over a longer time interval and still able to guess a large number of passwords.  Another problem with this attack is it is not easily detectable.  If you look at the Apache log file, it may show something like:

“POST /xmlrpc.php HTTP/1.1″ 200 14204 “-” “Mozilla/5.0 …

This is actually very common and if you are not looking for it you probably won’t know this is a brute force attempt.  Wordfence used to have a way to disable XML-RPC, but they removed it as it broke some applications.

So how can you protect your website from this attack?  If you do not use XML-RPC, the quickest way will be to just delete the xmlrpc.php file.  If you use the popular plugin “Jetpack”, there is a module call BruteProtect which will protect you from brute force amplification attacks.  You can also add the following line to your functions.php:

add_filter( 'xmlrpc_enabled', '__return_false', 1000 );