If you’ve noticed an influx of brute force attacks on your site, you’re not the only one. Sucuri is reporting that brute force amplification attacks are targeting WordPress sites with XML-RPC enabled. In a nutshell, XML-RPC contains a system.multicall method which allows developers to execute multiple methods and commands inside a single request.
What is a Brute Force Amplification Attack?
In a typical brute force attack, several machines or bots try to guess the username and password for a site one at a time. In a brute force amplification attack, attackers can guess hundreds or thousands of combinations within a single request making the attack more efficient and difficult to block.
The XML-RPC protocol in WordPress is a communications bridge between remote applications such as the WordPress mobile apps and the site itself. It’s also used to communicate and authenticate to Jetpack.
Jetpack Protect Does Its Job
Jetpack comes with a module called Jetpack Protect formerly known as BruteProtect, that protects sites from brute force attacks. Sam Hotchkiss, lead developer of Jetpack Protect, confirms in a blog post that Jetpack Protect blocks brute force amplification attacks out-of-the box.
In our testing, we confirmed that Jetpack Protect (and BruteProtect) do block this attack vector. If you’re running Jetpack with Protect enabled or you’re running BruteProtect, you don’t need to do anything to keep yourself safe from this attack technique.
If you use Jetpack Protect, you don’t need to do anything to block this attack vector. For everyone else, Sucuri recommends that administrators block system.multicall requests as they’re not used much in the wild. There’s also a handful of security plugins such as iThemes Security or WordPress Simple Firewall that block system.multicalls and can disable XML-RPC.
You can also disable XML-RPC altogether by adding this to your functions file: