At Wordfence we constantly analyze attack patterns to improve the protection our firewall and malware scan provides. We recently took a closer look at brute force attack targets, specifically XMLRPC and wp-login, to gain a deeper understanding of how attackers behave.
In WordPress, there are several ways to authenticate, or sign in to, your website. The two most common ways to authenticate are using the standard login page located at wp-login.php, and by using XMLRPC.
The XMLRPC method is usually used by applications like mobile apps to authenticate before you are able to perform privileged actions on the site.
We analyzed attack data over a 2 week period from January 16th until Janary 29th to determine which target attackers prefer to attack. Here are the results of our analysis.
Which Target Receives More Attacks?
During a two week period we saw almost exactly the same number of attacks on XMLRPC as wp-login. We saw a total of 106 million attacks on wp-login compared to 108 million attacks on XMLRPC.
This result surprised me because I assumed that attackers targeting XMLRPC would be more sophisticated or perhaps creative. But on reflection it takes about the same amount of effort to write an attack script or bot that brute force attacks either target. So this makes sense.
How Many Attackers Hit Both XMLRPC and WP-Login?
The above graph shows the number of unique IP addresses per attack target. Note that this is not the number of attacks, but number of attackers counted as unique IP addresses we saw attacking.
While XMLRPC saw slightly more attacks, wp-login saw slightly more unique attackers, as you can see from the above column chart.
We saw 11,453 attackers only targeting XMLRPC. We saw 38,771 attackers only targeting wp-login. And we saw a whopping 224,461 unique IP addresses targeting both XMLRPC and wp-login.
Clearly most brute force attacks target both XMLRPC and wp-login.
Do Attackers in Different Countries Prefer XMLRPC or WP-Login?
We analyzed attacks from the top attacking countries and saw an interesting trend. As you can see above, most of the attacks come from Russia and the USA is the second most prolific attacker.
What is interesting here is that the attacks originating in Russia have a strong preference for wp-login as a target. And attacks originating in the USA have the opposite preference. They seem to mostly target XMLRPC instead.
Digging Deeper into Brute Force Attacks originating in the USA
As you can see the majority of the total number of attacks originating in the USA come from Amazon.com which provides cloud computing services to developers. We saw a total of over 144 million attacks over two weeks originate from Amazon.
Most of these attacks were targeted at XMLRPC. What is surprising though is that they came from only 36 unique IP addresses hosted at Amazon. All but 3 of these IP addresses appear to be EC2 instances based on their reverse hostnames.
So what is happening here? I’m going to suggest two theories:
One possibility is that 36 servers at Amazon EC2 have been compromised and they have been used to launch a very rapid and wide-spread brute force attack during the past 2 weeks. That attack generated over 144 million failed login attempts across the sites we monitor.
An alternative theory is that a developer may be using EC2 to host an application that is trying to sign into WordPress websites using XMLRPC. The application may not handle bad user credentials correctly and may just keep retrying.
It may be a combination of both bad applications hosted at EC2 and compromised servers engaging in a large scale brute force attack.
The data in this post brings up the old debate about whether or not it’s a good idea to hide your login page. Unless you hide every login method on your site, attackers will still be able to brute force your website.
If you disable or move XMLRPC, you risk breaking various applications, including mobile applications, that rely on XMLRPC to do their job.
If you hide or move your login page, you are going to inconvenience or confuse your users, and XMLRPC is still an attack vector.
Other authentication methods will soon become available in WordPress via, for example, the WP REST API. These will also be exploited by attackers.
So the action we recommend is that you use a security product like Wordfence to intelligently block brute force attacks, no matter what they target. Wordfence counts brute force attacks across all authentication methods and blocks attackers if they violate security policy.
Wordfence can also help you enforce strong passwords and audit your passwords for strength.
We also track attacks across all the sites we protect and take earlier blocking action against known bad IP addresses that have attacked other websites.
As always I welcome your comments below and I’ll be around to join the discussion.
Mark Maunder – Wordfence Founder/CEO
Special thanks to Dan Moen who produced much of the data used in this post and to assistance from our team in analyzing the data.