SecurityWeek

Identity & Access

XML-RPC Used to Amplify WordPress Brute Force Attacks

Attackers have been abusing an XML-RPC method to amplify their brute force attacks against WordPress websites, experts have warned.


According to security firm Sucuri, malicious actors are leveraging the fact that the XML-RPC protocol, which is supported by WordPress and several other popular content management systems, lets a client invoke multiple methods within a single HTTP request by wrapping them in the “system.multicall” method.

It’s not uncommon for attackers to launch brute force attacks against WordPress websites in hopes that their administrators have set a weak password that can be easily guessed. However, making a large number of requests to the “wp-login.php” login page produces an obvious spike of failed logins, one per request, which rate limiting and security plugins can detect and block without much difficulty.

By abusing the “system.multicall” method, attackers can make hundreds and even thousands of login attempts with just a handful of HTTP requests, since every guess travels inside the POST body of a single request to “xmlrpc.php” rather than as a separate request to the login page. In attacks spotted by Sucuri, the malicious actors have been using the “wp.getCategories” method within “system.multicall.”

“wp.getCategories” is the method of choice in these attacks because it requires a username and a password, which allows attackers to test widely used credential combinations, such as the “admin” username with the password “demo123.” However, experts have pointed out that attackers could use numerous other XML-RPC methods that require a username and a password in the same way.

Sucuri has been monitoring such brute force attacks against WordPress sites since September 10, but the number of malicious requests has increased considerably in October. On October 7, Sucuri observed more than 60,000 requests, each containing hundreds or thousands of username/password combinations.

Daniel Cid, founder and CTO of Sucuri, has advised WordPress administrators to block “system.multicall” requests using their web application firewall (WAF) since the method is rarely used for legitimate purposes. Another option for mitigating such attacks is blocking all access to “xmlrpc.php,” but the expert noted that this can prevent some plugins, such as the popular Jetpack plugin, from working properly.
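The following is an added example, not code from the article or from Sucuri, that shows both halves of the problem described above: how one “system.multicall” request packs many “wp.getCategories” credential guesses into a single POST body, and how a WAF or log-analysis hook can parse that body, count the distinct username/password pairs it carries, and apply either of the two mitigations mentioned (drop every multicall, or drop only multicalls that look like brute-force batches). It uses only Python’s standard “xmlrpc.client” module. The parameter positions for the credential-bearing methods follow the WordPress XML-RPC API; the list of methods, the “max_guesses” threshold, and the sample credentials are assumptions made for the example.

```python
import xmlrpc.client

# WordPress XML-RPC methods whose leading parameters carry a username and a
# password, so each one inside a multicall is one password guess. The value is
# the (username, password) index into the call's params: wp.getUsersBlogs takes
# (username, password); the others take (blog_id, username, password, ...).
# The set itself is an assumption for this example; WordPress exposes many more.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": (0, 1),
    "wp.getCategories": (1, 2),
    "wp.getPosts": (1, 2),
    "metaWeblog.getCategories": (1, 2),
}


def build_multicall(guesses, method="wp.getCategories"):
    """Constructed attacker-side body: one system.multicall request carrying one
    credential-bearing call per (username, password) guess."""
    calls = [{"methodName": method, "params": [1, user, password]}
             for user, password in guesses]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_single(user, password, method="wp.getCategories"):
    """Constructed body for the older, one-guess-per-request style of attack."""
    return xmlrpc.client.dumps((1, user, password), methodname=method)


def extract_credentials(method, params):
    """Return (username, password) if this call carries credentials, else None."""
    positions = CREDENTIAL_METHODS.get(method)
    if positions is None:
        return None
    try:
        return str(params[positions[0]]), str(params[positions[1]])
    except (IndexError, TypeError, KeyError):
        return None


def analyze_xmlrpc_request(body):
    """Parse one POST body destined for xmlrpc.php and summarise how many
    password guesses it carries, for both single calls and system.multicall."""
    params, method = xmlrpc.client.loads(body)
    summary = {"method": method, "calls": 1, "credential_calls": 0,
               "distinct_credentials": 0, "usernames": set()}
    if method == "system.multicall":
        inner = params[0] if params and isinstance(params[0], list) else []
        summary["calls"] = len(inner)
        seen = set()
        for call in inner:
            if not isinstance(call, dict):
                continue
            creds = extract_credentials(call.get("methodName"),
                                        call.get("params", []))
            if creds:
                summary["credential_calls"] += 1
                seen.add(creds)
                summary["usernames"].add(creds[0])
        summary["distinct_credentials"] = len(seen)
    else:
        creds = extract_credentials(method, params)
        if creds:
            summary["credential_calls"] = 1
            summary["distinct_credentials"] = 1
            summary["usernames"].add(creds[0])
    return summary


def should_block(body, policy="multicall", max_guesses=1):
    """Two mitigation policies for a WAF hook.

    policy="multicall": drop every system.multicall request, as Sucuri advises;
    simplest, but it also breaks legitimate clients that batch calls.
    policy="guesses": allow multicall but drop any request carrying more than
    max_guesses distinct credential pairs, which is what separates a brute-force
    batch from a client reusing one valid login. The threshold is an assumption.
    """
    summary = analyze_xmlrpc_request(body)
    if policy == "multicall":
        return summary["method"] == "system.multicall"
    return summary["distinct_credentials"] > max_guesses


if __name__ == "__main__":
    # Constructed sample: 500 guesses against "admin" in one HTTP request.
    body = build_multicall([("admin", "demo%d" % i) for i in range(500)])
    print(analyze_xmlrpc_request(body), should_block(body, policy="guesses"))
```

The summary also exposes the set of usernames seen, which is useful in logging: a multicall that cycles through hundreds of passwords for a single account is the pattern Sucuri described, whereas a legitimate batch reuses one login. Note that a plain request counter on “xmlrpc.php” would record the sample above as a single hit; the guesses are only visible after parsing the body.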

This is not the first time Sucuri has warned of WordPress brute force attacks in which malicious actors abuse XML-RPC. In July 2014, the security firm reported spotting up to 200,000 daily attempts to brute-force WordPress credentials using XML-RPC methods. However, at the time, each method was sent in a separate request, making it fairly easy to mitigate the attack.


Over the past years, XML-RPC has also been abused, through its pingback method, to launch distributed denial-of-service (DDoS) attacks involving WordPress websites.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
