XML-RPC Used to Amplify WordPress Brute Force Attacks

Attackers have been abusing an XML-RPC method to amplify their brute force attacks against WordPress websites, experts have warned.

According to security firm Sucuri, malicious actors are leveraging the fact that the XML-RPC protocol, which is supported by WordPress and several other popular content management systems, allows users to execute multiple methods within a single request by using the “system.multicall” method.

It’s not uncommon for attackers to launch brute force attacks against WordPress websites in the hope that administrators have set a weak password that can be easily guessed. However, making a large number of requests to the “wp-login.php” login page raises red flags, and security systems can block such an attack without much difficulty.

By abusing the “system.multicall” method, attackers can make hundreds and even thousands of attempts with just a handful of HTTP requests. In attacks spotted by Sucuri, the malicious actors have been using the “wp.getCategories” method within “system.multicall.”

“wp.getCategories” is the method of choice in these attacks because it requires a username and a password, which allows attackers to try out widely used credential combinations, such as the “admin” username with the password “demo123.” However, experts have pointed out that they could use numerous other XML-RPC methods that require a username and a password.

Sucuri has been monitoring such brute force attacks against WordPress sites since September 10, but the number of malicious requests has increased considerably in October. On October 7, Sucuri observed more than 60,000 requests, each containing hundreds or thousands of username/password combinations.

Daniel Cid, founder and CTO of Sucuri, has advised WordPress administrators to block “system.multicall” requests using their web application firewall (WAF) since the method is rarely used for legitimate purposes. Another option for mitigating such attacks is blocking all access to “xmlrpc.php,” but the expert noted that this can prevent some plugins, such as the popular Jetpack plugin, from working properly.
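As an added example (not code from Sucuri or WordPress), the following Python check implements the inspection a WAF would perform on an XML-RPC body: it counts the method calls bundled under “system.multicall,” notes how many of them take a username and password, and blocks multicall requests outright, as Cid recommends. The credential-taking methods listed beyond “wp.getCategories” and the sample request with dummy credentials are constructed assumptions.

```python
"""Flag WordPress XML-RPC system.multicall amplification (added example, not Sucuri's code)."""
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

# Methods taking a username/password pair; wp.getCategories is from the report, the rest are assumed.
CREDENTIAL_METHODS = {"wp.getCategories", "wp.getUsersBlogs", "wp.getPosts"}


def _text(value):
    """String inside an XML-RPC <value>: either <string>...</string> or bare text."""
    return (value.findtext("string") or value.text or "").strip() if value is not None else ""


def inspect_xmlrpc(body):
    """Return a report; 'block' follows the article's advice of denying all system.multicall."""
    report = {"method": "", "nested_calls": 0, "credential_calls": 0, "block": False, "reason": "ok"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        report.update(block=True, reason="malformed XML")
        return report
    report["method"] = (root.findtext("methodName") or "").strip()
    if report["method"] != "system.multicall":
        return report  # single call: ordinary login rate limits apply
    # Nested calls are <struct>s with a methodName member inside the first param's array.
    data = root.find("params/param/value/array/data")
    for struct in (data.iterfind("value/struct") if data is not None else []):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                report["nested_calls"] += 1
                report["credential_calls"] += _text(member.find("value")) in CREDENTIAL_METHODS
    report["block"] = True
    report["reason"] = (f"system.multicall bundling {report['nested_calls']} calls, "
                        f"{report['credential_calls']} of them credential-taking")
    return report


# Constructed sample: one multicall bundling two wp.getCategories guesses with dummy credentials.
SAMPLE_MULTICALL = """<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data><value><string>1</string></value>
<value><string>admin</string></value><value><string>demo123</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value>wp.getCategories</value></member>
<member><name>params</name><value><array><data><value><string>1</string></value>
<value><string>admin</string></value><value><string>PLACEHOLDER</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""
SAMPLE_SINGLE = "<methodCall><methodName>wp.getCategories</methodName><params/></methodCall>"

if __name__ == "__main__":
    print(inspect_xmlrpc(SAMPLE_MULTICALL), inspect_xmlrpc(SAMPLE_SINGLE), sep="\n")
```

The report’s counts are what you would log or alert on; a single “wp.getCategories” call passes through so that the normal login rate limits, rather than this check, deal with it.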

This is not the first time Sucuri has warned of WordPress brute force attacks in which malicious actors abuse XML-RPC. In July 2014, the security firm reported spotting up to 200,000 daily attempts to brute-force WordPress credentials using XML-RPC methods. At the time, however, each method call was sent in a separate request, which made the attack fairly easy to mitigate.
Over the past years, XML-RPC has also been abused to launch distributed denial-of-service (DDoS) attacks against WordPress websites.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.