WordPress Brute Force Amplification Attacks Against XMLRPC

Brute Force attacks are one of the oldest and most common types of attacks that we still see on the Internet today. If you have a server online, it’s most likely being hit right now. It could be via protocols like SSH or FTP, and if it’s a web server, via web-based brute force attempts against whatever CMS you are using.

These attacks are often not very complex and are theoretically easy to stop and mitigate, but they still happen and are successful; mostly, because people are very bad at choosing good passwords, or employing good access control habits. There is a catch however, while simple, these Brute Force attacks are noisy. Traditionally, to try 500 different passwords, the attackers would need to attempt 500 different login attempts that would be captured in a 1 to 1 relationship with each request to the server. By design, this simplifies the mitigation approach, as every single attempt is logged and can be blocked once a certain limit is reached.

Brute Force Amplification

What if, the attacker could reduce the noise? What if the attacker could make it so that it’s a 1 to many relationship between each request? Imagine a request that was able to try 500 passwords in one shot.

Imagine a world where an attacker could amplify their Brute Force attacks in such a way that traditional mitigation strategies fall short. Instead of 500 different login attempts, the attackers could reduce their login attempts to say 20, or 50 and still try 500 or even thousands of passwords to each request. As you might imagine, this begins to make your mitigation strategy a bit harder to employ.

This would be kinda similar to the DDoS amplification attacks we hear about in the news, where a single command and control server can leverage things like a DNS or NTP protocol response amplification methods to increase their attack power by 50 or 100 times more.

Any type of amplification method can make the job of an attacker, much easier.

From: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html?utm_source=Sucuri+WordPress+Plugin&utm_campaign=2cd305edc0-Customers_Security_advisory_Stored_XSS_Jetpack&utm_medium=email&utm_term=0_4ac850e5be-2cd305edc0-82419821

You can test your WordPress sites with this tool: http://xmlrpc.eritreo.it/

I have been using this plug-in: https://wordpress.org/plugins/disable-xml-rpc/ on sites where I know I can disable XML-RPC, at least in the short-term.