WordPress XML-RPC Brute Force Attacks with multiple logins.
This entry was posted in Wordfence, WordPress Security on October 10, 2015 by Mark Maunder
We’ve had a few questions about whether Wordfence protects against a newer form of attack that has received some press coverage recently: the attacker packs multiple login attempts into a single XML-RPC call.
Yes we do protect against brute force via XML-RPC and we have for some time now. We also protect against multiple attempts via a single XML-RPC call. We created a proof-of-concept attack this morning to verify this. We’re not going to share the script because we don’t want to educate the hackers targeting your sites.
To be clear, even if an attacker includes 1000 logins in a single request, we block after the first X attempts, where X is your brute-force limit setting (this is user-configurable). Sending multiple login attempts in a single XML-RPC request gives an attacker no advantage if the site is protected by Wordfence.
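As an added illustration of the counting logic described above (example code, not Wordfence’s), this Python model parses a batched XML-RPC request and counts every embedded credential attempt against a per-source failure limit, so attempts bundled into one request are judged exactly like separate requests. It assumes the batching mechanism is `system.multicall` wrapping `wp.getUsersBlogs` calls, which the post does not name, and the limit of 5 is a constructed stand-in for the configurable setting.

```python
import xmlrpc.client

# Authenticated method whose first two params are (username, password).
# Other wp.* methods place credentials at different positions; a full
# implementation would map them per method. Assumption for this example.
AUTH_METHODS = {"wp.getUsersBlogs"}

# Constructed value standing in for the user-configurable brute-force limit (X).
FAIL_LIMIT = 5


def build_multicall_request(username, passwords):
    """Constructed sample: many login attempts bundled into one system.multicall body."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_login_request(username, password):
    """Constructed sample: one unbatched authenticated call."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def extract_credential_attempts(request_body):
    """Return every (username, password) pair carried by the request, unwrapping multicall."""
    params, method = xmlrpc.client.loads(request_body)
    if method == "system.multicall":
        return [(c["params"][0], c["params"][1]) for c in params[0]
                if c.get("methodName") in AUTH_METHODS and len(c.get("params", [])) >= 2]
    if method in AUTH_METHODS and len(params) >= 2:
        return [(params[0], params[1])]
    return []


class LoginLimiter:
    """Per-source failure counter; state persists across requests, as a plugin hook's would."""

    def __init__(self, limit=FAIL_LIMIT):
        self.limit = limit
        self.failures = {}

    def process_request(self, source_ip, request_body, check_password):
        # Each embedded attempt is judged individually, so 1000 attempts in one
        # request reach the limit exactly as 1000 separate requests would.
        outcomes = []
        for user, password in extract_credential_attempts(request_body):
            if self.failures.get(source_ip, 0) >= self.limit:
                outcomes.append("blocked")
            elif check_password(user, password):
                outcomes.append("ok")
            else:
                self.failures[source_ip] = self.failures.get(source_ip, 0) + 1
                outcomes.append("failed")
        return outcomes
```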
One of the benefits of using the world’s best plugin for WordPress security is that we talk directly to the WordPress API, unlike other products that rely on request pattern matching to do their job. This means we don’t just pattern match on attacks as they’re discovered; we also react to how the application is actually being used, which we fully monitor.
For this reason, we did not need to modify Wordfence to provide protection against this attack. It simply protects you out of the box.
Update: @alex asks in the comments if this protection is included in the free version of Wordfence. Absolutely. Everything discussed above is also included in the free version of Wordfence.
Update 2: @bryan asks in the comments if the login security option in Wordfence needs to be enabled for this to work. Yes it does. You can configure the number of failed logins on the Wordfence options page under “Login Security Options”. Again, make sure the “Enable Login Security” checkbox is checked at the top of your Wordfence options page if you want brute-force protection.