WordPress XML-RPC Brute Force Attacks with multiple logins.

We’ve had a few questions about whether Wordfence protects against a newer form of attack that seems to have received some press coverage recently. A hacker will make multiple login attempts with a single XML-RPC call.

Yes we do protect against brute force via XML-RPC and we have for some time now. We also protect against multiple attempts via a single XML-RPC call. We created a proof-of-concept attack this morning to verify this. We’re not going to share the script because we don’t want to educate the hackers targeting your sites.

To be clear, even if an attacker includes 1000 logins in a single request, we block after the first X attempts, where X is your brute-force limit setting. (This is user configurable) Sending multiple login attempts in a single XML-RPC request gives you no advantage as an attacker if the site is protected by Wordfence.

One of the benefits of using the world’s best plugin for WordPress security, is that we talk directly to the WordPress API, unlike other products that use request pattern matching to do their job. This means that we don’t just pattern match on attacks as they’re discovered. In addition we react based on application usage which we fully monitor.

For this reason, we did not need to modify Wordfence to provide protection against this attack. It simply protects you out of the box.

Update: @alex asks in the comments if this protection is included in the free version of Wordfence. Absolutely. Everything discussed above is also included in the free version of Wordfence.

Update 2: @bryan asks in the comments if the login security option in Wordfence needs to be abled for this to work. Yes it does. You can configure the number of failed logins on the Wordfence options page under “Login Security Options”. Again, make sure the “Enable Login Security” checkbox is checked at the top of your Wordfence options page if you want brute-force protection.

 

Did you enjoy this post? Share it!

Comments

74 Comments
  • It never ceases to amaze me that, when I look at my Wordfence dashboard, exactly how many attempts to log into my blog I can see.

    No matter how insignificant you may regard your Wordpress Website or Blog, some kind of protection is essential.

    • I'm with you there. It's totally amazing how many attempts there are to get in and do their worst. Wordfence has done the job for me on several Wordpress blogs.

    • Yes Sean I am so shocked by this.. I have a dern sewing blog what do they possibly want with my site! But I am happy that I was savoy enough to install WordFence!

      • Hi Donna,

        Hacking a WordPress site and gaining access gives them a platform they can use for further attacks, to send spam email, to redirect links included in spam emails to malicious sites and much more. Unfortunately your site is very useful to hackers.

        Regards,

        Mark.

  • These attacks have been on the increase of late but thanks to Wordfence all 43 wp installations I manage remain safe.
    Thanks guys
    Dave

  • Great to hear that! I trust Word fence completely for my site security!

  • Thank you, Wordfence!

  • Unfortunately this still leaves the website open to DDOS (Distributed Denial of Service) attacks where the resources of the website are overwhelmed by continuous failed logins from multiple login attempts via the xmlrpc.php file. I have CAPTCHA and hidden password fields set and this has so far prevented attacks on my main wp-login.php

    It would be great if WordFence could come up with a strategy for WordPress users to perhaps offer temporary configurable blocks on any attempt to login using the XML-RPC method including preventing it completely in the case of users who may not direct access to the files via FTP. Of course if there is an even better solution so much the better.

    In terms of education it would also be useful to explain what the XML-RPC method of logging in is i.e. used to provide remote access to the database for other websites. On the sites that I manage this facility is not needed so I have simply renamed the file. I assume that I would still be able to use the function if needed and this then becomes unavailable as a route for the hackers who will not know the new filename. Alternatively you could just delete the file but I try and avoid messing around in this way as it's easy to forget changes you have made. The renamed file has a new name which makes it easy to understand that it has been edited for security and can be renamed if needed. It also acts as a prompt after updates to ensure any new versions of the file that are uploaded need to be renamed.

    • Hi,

      I'd point out that many other functions in WordPress consume CPU, memory and disk resources, like comment posting and even visiting a site. So if an attacker's goal is to DDoS a site, they can overwhelm your resources in many other ways.

      At Wordfence we prefer to avoid disabling functionality or hiding things (security through obscurity). Our approach is to monitor application usage and block when appropriate. Once blocked, we ensure that any repeated attempts will use a minimum of resources.

      Thanks very much for the rest of your feedback.

      Mark.

  • Re "The short version is that you are protected against brute force login via XML-RPC with Wordfence" - does that apply for the free version as well?

    If so I can uninstall my Disable XML RPC plugin :-)

    Thanks

    Alex

    • Yes, everything discussed above is included in the free version of Wordfence.

      Regards,

      Mark.

      • Does this require the login security feature to be enabled?

        • Yes it does and you can configure the number of failed logins on the Wordfence 'options' page under "Login Security Options".

          Regards,

          Mark.

  • Thank you, Wordfence!

  • thank you! launched my very first site two weeks ago, and experienced these attacks two days ago for 15 hours straight!!.. already had this plugin installed.. whew..

  • It's good to know that Wordfence lives up to it's reputation for excellent WP protection. Thanks much.

  • Hello,

    It is exciting to hear that wordfence protects against such attacks out of the box.

    Wordfence has been my best wordpress companion for about a year now and all this time it has protected my sites from various malicious login attempts, I am very greatful for that.

    I have a site about a plugin that I made, since I started selling an exctention of this plugin, wordfence started reporting blocked login attempts including: login with invalid usernames, reached maximum login attempts and trying to use the password recovery form several times.

    Everyday I get about 500 emails from the wordfence plugin saying that a user has been blocked from accessing my site due to the failed login attempts.

    I wonder what my websites would be without wordfence, I guess my main website could have been hacked many times by now.

    Many thanks to Wordfence (The bouncer standing on the front and back doors of my website, bouncing back all those without tickets to enter my site)

    The Wordfence team is doing a great job protecting our websites and keeping us updated about current security threats, even though we may not have the power or intelligence to protect ourselves against such threats, but it is good to know that somebody (Wordfence) already has our backs covered.

    Thank you once more.

  • Thanks so much Wordfence, especially for the email alerts! Was really surprised when I started getting a bunch of 'User locked out from signing in' email alerts on October 6 for my WordPress site since I deleted the wp-login file from the server (just upload it when need to update the site, which is rarely, and then delete it). But thanks to the alerts I switched CloudFlare into "I'm under attack mode" for further protection.

  • You guys really do rock. I am always surprised to see how many attempts you block every day. Keep up the great work on this product, we appreciate what you do.

    Thanks, Tom

  • This is the live boat for WordPress users. Thwarted about 5,000 brute force attempts and I mean they REALLY want in. 12 hours a day sometimes all week ...not with the FENCE! Love you guys.

  • I installed Wordfence about 6 months ago, and frankly have been amazed at how often people are trying to break in to the site. We're a small fry Yoga studio with no real information worth breaking. The Wordfence plug has been outstanding and it's good to know that you're really watching out for you're users. Cheers, Dave

  • Thanks for such a great product. I used the free version for a long time then stepped up to an outstanding premium version!. And, all I can say is so far so good. It's amazing how much effort hackers put into hacking a site, no matter how insignificant the site may appear to be. With Wordfence installed, it's all wasted effort. Thanks for all your hard work!

  • I've put admin.php and wp-login.php out of "Public_Html" folder,so the attacks have stopped within 2 days.It is not permanent solution but in my case it works.

  • Wordfence is a great plugin for wordpress security. Thank you Wordfence for your good work.

  • I´m using the wordfence free version and it did explicit NOT PROTECT against brute force login via XML-RPC. MySQL was flooded via XML-RPC on my WordPress Installation for a few days until disabling XML-RPC manually stopped this attacks.

    • Hi Ralph,

      We continually test this feature and retested it this morning. Please work with our support team to resolve this. It may be something specific to your site that we need to work on or around. You can get premium support at support.wordfence.com if you're a paid customer, or free support on our forums at https://wordpress.org/support/plugin/wordfence - Matt R is the guy who mans the free support most of the time and he does a really excellent job, so we'll resolve this no matter which route you choose.

      Regards,

      Mark.

    • Hi Ralph, the only way I have personally found to solve this, is to completely disable XML-RPC, I used the plugin "disable XML-RPC" by Philip Erb.

      https://wordpress.org/plugins/disable-xml-rpc/faq/

      Click on that testing website link and you will notice it FAILS even though WordFence is installed. Then after you activate the Disable XML-RPC plugin, and test again on that website, you will notice it then says "405 XML-RPC services are disabled on this site."... then you KNOW it has been fixed to stop these attacks.

  • Great plugin. (If I was using it for a commercial site I would upgrade to the premium version). The other side effect of the plugin is that while they are attacking us they are leaving someone else alone :-)

  • I also appreciate the protection and have had 2 sites with brute-force attacks so far. Since I don’t specifically seek subscribers and don’t need user logins, I create a new admin login URL for my sites-I have no idea how long these attacks continue and it’s very disconcerting to continue to get email notifications after 24 -48 hours and dozens of attacks in that time.

    I’m not sure how effective that strategy is over the long-term, but to keep my admin login off the radar, I would just as soon keep the login page private and the notifications quiet. I expect that other attack modes will, at some point, come into play, but I do appreciate the current coverage.

  • Thanks WordFence. I was getting attacked all day, every day, and you kept blocking and telling me about it. In my effort to stop the attacks, as they were the cause of excessive resource usage on my hosting, I used another plugin to change the admin and login url and the attacked stop immediately; I know because WordFence didn't tell me about anymore attacks. Perhaps this is a feature you guys can add.

    Thanks for being great WordFence and the developers and everyone else involved!

  • Having been in internet security, I knew to protect the site, BEFORE opening it to the world. The minute that you turn on switch, there are people waiting to jump you. I researched for security products and had Wordfence installed before going live. Wordfence has faithfully kept my site safe, with outstanding product support. The staff working behind this security fence are to be highly praised for the product that they stand behind, and the service that they give customers that use it. The effort that is put into keeping customers happy, and demonstrating that they and their product are at the top of their class is awesome. Having done penetration testing in the past, I know how folks like to 'knock on the door'. Wordfence keeps that door solidly shut.

  • I just wonder why people in Russia, China and other countries are trying to hack in my website.
    I write articles about our families and their histories. I do not sell and buy, and I have totally no business.
    That is why I reduced the hackers trying to access my site to block their IP after 5 attempts.
    Glad for the help from wordfence.

  • Superior plugin.....................I use it on all my sites,........You may think you have enough security on all your sites......., But guess what Sport,you don't. WORDFENCE gives you multiple layers of security with just one install...................They Are The Real Deal (><)

  • Hi. Im grateful for what you guys at wordfence do in order to keep us safe from all the nuisances out there who seem to have nothing better to do.

    Keep up with all the awsome stuff you do wordfence!

  • My hosting company turned me on to Wordfence, and now I use it on all my sites. It recently protected me from nearly 8000 login attempts over a 5 day period. Why don't these hackers give up after a while or even better - get a life?! Thank you for the great protection!!!

  • Unfortunately we do not all have the same luck with WordPress security issues. My site is down and broken. Because of an enormously unusual amount of login attempts and file change attempts my Host provider suggested to deactivate the Wordfence plugin as it seemed to be compromised from their end. As my site was left protected only by the only other plugin I had - iThemes now - there seemed to still exist some compatibility issues to be resolved by reset this other plugin before returning to any form of normal operation. Too late, my entire site has gone down and broken. No news from the WordPress support theme since I wrote them and no help from my Hosting provider because as they said... it's a WordPress issue. To make things worst, I am now receiving email offers to fix my site via HackedWPapp dot com site. Go figure and thanks for the memories !

    • Patrick, on reflection I'm going to edit my comment (again). Sorry, it's been a very long day and I've had to multi-task issues. I don't think I gave your comment the attention it deserves. Can you please post in our forums at https://wordpress.org/support/plugin/wordfence or in our premium support ticketing system at https://support.wordfence.com/ and one of our team will try to work with you - if you feel that's something that will help.

      • Patricks site has been hacked.

        • Thanks @adrian, I re-read the comment yet again and updated my reply. I'm not able to give it the attention it deserves here, so I'm hoping he will visit our forums or ticketing system where our team can help.

  • Thank you Wordfence for the update you do a good job to published this post to everyone. Wordfence is a great plugin for wordpress security.

  • La verdad que me alivia escuchar que me han esta protegiendo, porque ya no encontraba forma para evitar tanto ataque en solo día, hasta 100 ataque diario, pero quiero preguntar, con tanto bloqueo también yo e tenido problema para entra a mi pagina para editarla, dígame como hago, porque cuando bloquea a los hacker también lo hace conmigo y no me deja entrar tampoco y como es continuo no puedo entrar... Gracias por su apoyo

    • @AngelBello I encourage you to post in our forums and we may be able to get someone to help you in Spanish.

      Regards,

      Mark.

  • Finding this plug-in has been a blessing. I have several sites, two of which sustained a 10 day attack in late September. This has been happening off and on for about two years.
    Prior to finding Wordfence, I had spent too many wasted days fixing sites after they were successfully hacked. I remember one being almost impossible to get back into. But I haven't had a successful hack in a long time.

    I give credit to having found Wordfence. I especially appreciate their professional, courteous and concerned staff

  • Thanks for the assurance!

  • wordfence is the best. I use it in all my wp sites.
    most wp users are non technical and they have no idea about xml rpc
    thanks
    vinodh

  • There is a website to test of XML-RPC is disabled or not. I run Wordfence and it FAILED the test! Yet when I installed the Wordpress plugin called "Disable XML-RPC" by Philip Erb, then the test PASSED and XML-RPC was successfully disabled.

    http://xmlrpc.eritreo.it/

    Can someone at WordFence explain why the test FAILS even though Wordfence is installed? Try it yourselves at the website above.

    • Just because it's a test does not mean it's sensible. You are testing if XML-RPC is disabled. Unless you want to break features like mobile apps and remote publishing, you probably don't want to disable XML-RPC. It is an essential part of WordPress. What we do is simply make it secure. We don't disable it.

      Regards,

      Mark.

  • I had the same issue that Patrick had on several sites on different hosts. Not only battling constant brute force attacks (this has been going on for a month) but 3 sites were hacked. All of my plugins, including wordfence were compromised and I had to reinstall everything. I opened up one of the files that they replaced and did a web search. It is designed to hack Joomla sites also and a few other platforms.

    I found the exact same source code that was injected into my plugins online, available to anyone who wants it. I will not share it here but it hacks your user database. The tip off was some weird plugin that showed up in my plugin list called update[insert number here] another.

    They absolutely found a different way into my site. I love Wordfence. It's very helpful to me to know when a brute force attack is taking place, & to lock out people who try to log in at the very least. I have had to use a combination of security measures to protect my sites & Wordfence is an important component.

  • G'day guys, I thought I would ask the question (that upon first reading I did miss the "to be clear" paragraph), and/but to confirm that point:

    If an attacker uses multiple login attempts in a single XML-RPC call (let's say for argument sake it's 100), and they send 10 separate calls (1000 attempts), and users have brute force protection enabled after 5 invalid attempts, that means:

    a) after the 5th multiple call (500 attempts) the hacker is blocked
    b) after the 5th login attempt within the first XML-RPC call (and the remaining 95 of the first packet and four remaining total packets—995 in all—are all dropped/rejected)
    c) all 1000 attempts are not blocked

    Sorry, had to throw c) in because a two choice multiple choice question is too easy lol.

    I'm pretty sure I read it correctly that b) is the correct answer. I'd like to to confirm, thanks.

    • It's option b.

      • Cheers! Thanks very much :D

  • Besides Wordfence I'm using a WAF, which indicates that the XML-RPC file is the most targeted file on my website - around 1/2 of all malicious requests are directed to it.

  • Long story short.

    Last year I disabled Wordfence for 2-3 weeks on one production site (bad mistake! - do not ever do this) and switched to iThemes with proper config. I did this after reading a few articles that were promoting other security solutions. So, this website gets hacked and iThemes goes crazy. I couldn't even reactivate it due to memory issues. No chance to restore or clean the website. I had to rebuild it again.

    Imagine the extra work you need to do and how much time you need to fix a large website in a similar case. Not to consider visitors/customers impact. No need to say that I switched back to Wordfence as my security solution.

    Nowadays, Wordfence is the first security plugin that takes care of all my wp sites. I trust this team and their product entirely. And I am still using the free version.

    On some sites, I use combined security plugins (Wordfence, Sucuri and WP White Security Audit Log). If you also have a secure webserver, a safe theme, if you use proper plugins and run updates on daily basis, I would say that you can sleep well, your website is safe.

    By the way Mark, there has been a lot of discussion about using Wordfence with other security plugins. Can you guys confirm that Wordfence is not affected if Sucuri and WP White Security are also installed? I know they basicly do different stuff, but there are a few common security options for Wordfence and Sucuri, for example.

    I never had the chance to say this .Thank you for creating Wordfence and having a free version that offers this level of security for individuals and small to mid-level businesses. It's amazing what you are offering to the WP community out there.

    Adrian.

    • Hi Adrian,

      Sorry about the delayed reply. Thanks for the awesome feedback. I'll share this with the team. We track compatibility with other services closely and we're not aware of any issues with another external or plugin based service at this time.

      Regards,

      Mark.

  • I am the webmaster for several Wordpress sites. I'll say one thing for hackers; they are tireless. They just keep trying. But Wordfence keeps defeating them.

  • I forgot to say thanks!

  • Though Wordfence protects against brute-force XML-RPC login attacks, I believe it is still prudent to use a plugin such as Disable-XML-RPC to completely disable WordPress' XML-RPC functionality. For example, the XML-RPC pingback function has been used to generate Distributed Denial-of-Service (DDos) attacks against other sites.

  • Thanks for keeping us posted Mark!!

  • I have been using Wordfence on all of our sites with much success. But just this last weekend I got a successful login from user "backup" on two different sites (and of course the user didn't previously exist)...so apparently someone got in. I ran a scan and found nothing and deleted the user account. So be aware people, add "backup" to the list of automatically blocked usernames.

  • Thank you for the free version of the plugin. It really does help. We will upgrade to premium for several sites in fact.

  • I use this plugin free version for my company blog and experience great. If the free version are working like that then what is premium version.
    Every day i received many user locked out for undernourished users msg and i will thank to this.
    Great

  • I found this article on Twitter. Trying Wordfrence has been on my ToDoList for a year at least. But since I see that the risk becomes bigger & bigger, I can't postpone this again.

  • I noticed that there are a few comments saying that people's sites have been successfully hacked. I just thought it would be worth mentioning that your primary protection is a strong password that is not used anywhere else.

    It doesn't matter how good your security software is at preventing hacking and brute force attempts, if you don't have a strong password they will eventually get lucky.

    Thanks Wordfence for the great service.

  • Hi,

    I will like to report that since the publication of this article, all the furious XML-RPC attack attempts on my site have mysteriously vanished from my logs.
    Not a single one compare to a mind blowing amount i was used to; pheewww.

    Thanks guys for having us all covered unofficially and now officially.

  • Thank you so much for the update guys, WordFence really is the best security plugin for WordPress around. We're going to consider disabling XML-RPC for a few months while these hack attempts are going on.

  • Nooooo i just discovered this after being attacked on several of my customers blogs :( luckily for me i had a back up, but so much wasted time... Time to get my customers to buy a licence, that will cost them less than repairing the damage !

  • These attacks have been on the increase of late but thanks to Wordfence all 43 wp installations I manage remain safe.
    Thanks guys
    Aranud

  • After various disastrous attacks I find this plugin, and i try it in free version. Thank you Wordfence for the update, and I think, I 'll buy the solution.

    Chris

  • I gather from a couple of sources that protection from XML-RPC attacks causes problems with various Jetpack features.

    Is this correct?

    • This is what we have heard as well. I would post in the Jetpack forums at wordpress.org to confirm,.

      tim

  • i use a special trick to avoid xmlrpc access

    RedirectMatch 403 /xmlrpc.php

    It will redirect all the access to xmlrpc to 403 HTTP code

  • Had WordFence installed for months and it hasn't stopped a single xmlrpc attack.... I get hit by about 10 different IP's everyday and every time the site crashes I block the offending IP address through IP tables. I've not been able to find any plugins to prevent this. Makes me glad I no longer develop in wordpress and use laravel now but this is a site for a friend that I whipped together a few years ago for free

  • I solve the problem with a free wordpress plugin ( Authentication and xmlrpc log writer ) and enforcing on my server fail2ban. No more problems. It also preserves the server performace killing multiple authentications attemps on single xmlrpc call.