Attackers have been abusing an XML-RPC method to amplify their brute force attacks against WordPress websites, experts have warned.
According to security firm Sucuri, malicious actors are leveraging the fact that the XML-RPC protocol, which is supported by WordPress and several other popular content management systems, allows users to execute multiple methods within a single request by using the “system.multicall” method.
It’s not uncommon for attackers to launch brute force attacks against WordPress websites in hopes that their administrators have set a weak password that can be easily guessed. However, making a large number of requests to the “wp-login.php” login page raises red flags and the attack is not difficult to block by security systems.
By abusing the “system.multicall” method, attackers can make hundreds and even thousands of attempts with just a handful of HTTP requests. In attacks spotted by Sucuri, the malicious actors have been using the “wp.getCategories” method within “system.multicall.”
“wp.getCategories” is the method of choice in these attacks because it requires a username and a password, which allows attackers to try out widely used credential combinations, such as the “admin” username with the password “demo123.” However, experts have pointed out that they could use numerous other XML-RPC methods that require a username and a password.
Sucuri has been monitoring such brute force attacks against WordPress sites since September 10, but the number of malicious requests has increased considerably in October. On October 7, Sucuri observed more than 60,000 requests, each containing hundreds or thousands of username/password combinations.
Daniel Cid, founder and CTO of Sucuri, has advised WordPress administrators to block “system.multicall” requests using their web application firewall (WAF) since the method is rarely used for legitimate purposes. Another option for mitigating such attacks is blocking all access to “xmlrpc.php,” but the expert noted that this can prevent some plugins, such as the popular Jetpack plugin, from working properly.
This is not the first time Sucuri has warned of WordPress brute force attacks in which malicious actors abuse XML-RPC. In July 2014, the security firm reported spotting up to 200,000 daily attempts to brute-force WordPress credentials using XML-RPC methods. However, at the time, each method was sent in a separate request, making it fairly easy to mitigate the attack.
Over the past years, XML-RPC has also been abused to launch distributed denial-of-service (DDoS) attacks against WordPress websites.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
