Protect Your Site from WordPress Brute Force Attack via XML-RPC
WordPress is an open-source and widely used CMS platform to start a website of any kind. It may be a Fitness, eCommerce, Blogging, Online Store, Job Board, Forum etc. It is much flexible, easy to use, easy to customize and reliable platform. You can easily come up with almost 19 type of different sites with wordpress. But the one of the biggest issue with wordpress is “Security” which is also the most major con of wordpress. It needs robust security measures to make it vulnerability free.
If you are on wordpress, you need to take care of your site security seriously. You should apply all the necessary security measures to protect it from being hacked (in other words from hackers). Recently, Sucuri online site security services provider founded one of the dangerous wp vulnerability that called “Brute Force amplification attack via XML-RPC”.
In XML-RPC attack, hackers try hundreds of passwords in a single request to guess the password of WP based site. It’s really weird, isn’t it? This password finding approach help hackers to find the confidential data of wp site within a very short time if the site owner is not blocking multiple authentication attempts per XML-RPC request.
What is XML-RPC?
XML-RPC commonly used for communicating between external services and the site contents to modify or access it. If you are a WP user, I am sure you will know Jetpack plugin that uses this protocol to make it work fine. The other example of XML-RPC uses is pingbacks. You can completely disable this protocol but plugins and services like Jetpack will not work.
XML-RPC is a simple, portable way to make remote procedure calls over HTTP. It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages. WordPress, Drupal and most content management systems support XML-RPC.
If you interesteed to know more about it I would refer this link.
What is WordPress Brute Force amplification attack via XML-RPC?
I am not a wp security guy, so I will not go in-depth of this security issue. In simple words, trying hundreds or even thousands of passwords to guess the WordPress site passwords/login info in a single request is called “Brute Force amplification via XML-RPC“. It is like DDoS attack or something similar.
How to Protect XML-RPC from WordPress Brute Force Attack?
There are some magnificent security wordpress plugins available in the WP repository that can be used to fix this issue, and the good thing is they are free. I am using iThemes Security plugin formerly knows as Better WordPress Security to keep my site safe.
It is one of the most famous and handy tools among security plugins to protect wp sites. iThemes Security Plugin can easily handle every security aspect of your site. If you configured it properly then I am 100% sure no one can access your site or able to hack it, Yes believe me 🙂
Let’s protect your site from XML-RPC amplification attack.
The very first step you need to do is install iThemes Security plugin if you are already not using it I highly recommend to use it. Then Go to Security > Settings and then Wordpress Tweaks located at the end of the setting panel. Look for “Multiple Authentication Attempts per XML-RPC Request” option and simply choose Block(Recommended) option.
Now you have successfully fixed XML-RPC attack issue from your site and you are safe. The one more most important thing is you should always update your security plugin whenever updates available. Because updates always created for improving the performance of plugins/softwares. Further more, I would like to recommend is you must subscribe to some wordpress security providers blog newsletters.
Because usually they reveal these type of security issues and publish at their blogs first. So, if you have subscribed their newsletter, you will be get notified as soon as they publish. iThemes Security and Sucuri blogs are best to keep in touch with wordpress security issues.
I hope this post will help you protect your site from wordpress brute force attack through XML-RPC approach. Have you implemented this security measure on your wordpress site yet? If not, is there any reason for not applying this? I would like to hear your voice in the comments section.