XML-RPC Used to Amplify WordPress Brute Force Attacks

Attackers have been abusing an XML-RPC method to amplify their brute force attacks against WordPress websites, experts have warned.

According to security firm Sucuri, malicious actors are leveraging the fact that the XML-RPC protocol, which is supported by WordPress and several other popular content management systems, allows users to execute multiple methods within a single request by using the “system.multicall” method.

It’s not uncommon for attackers to launch brute force attacks against WordPress websites in hopes that their administrators have set a weak password that can be easily guessed. However, making a large number of requests to the “wp-login.php” login page raises red flags and the attack is not difficult to block by security systems.

By abusing the “system.multicall” method, attackers can make hundreds and even thousands of attempts with just a handful of HTTP requests. In attacks spotted by Sucuri, the malicious actors have been using the “wp.getCategories” method within “system.multicall.”

“wp.getCategories” is the method of choice in these attacks because it requires a username and a password, which allows attackers to try out widely used credential combinations, such as the “admin” username with the password “demo123.” However, experts have pointed out that they could use numerous other XML-RPC methods that require a username and a password.

Sucuri has been monitoring such brute force attacks against WordPress sites since September 10, but the number of malicious requests has increased considerably in October. On October 7, Sucuri observed more than 60,000 requests, each containing hundreds or thousands of username/password combinations.

Daniel Cid, founder and CTO of Sucuri, has advised WordPress administrators to block “system.multicall” requests using their web application firewall (WAF) since the method is rarely used for legitimate purposes. Another option for mitigating such attacks is blocking all access to “xmlrpc.php,” but the expert noted that this can prevent some plugins, such as the popular Jetpack plugin, from working properly.

This is not the first time Sucuri has warned of WordPress brute force attacks in which malicious actors abuse XML-RPC. In July 2014, the security firm reported spotting up to 200,000 daily attempts to brute-force WordPress credentials using XML-RPC methods. However, at the time, each method was sent in a separate request, making it fairly easy to mitigate the attack.

Over the past years, XML-RPC has also been abused to launch distributed denial-of-service (DDoS) attacks against WordPress websites.