Jetpack Protect Blocks Brute Force Amplification Attacks

If you’ve noticed an influx of brute force attacks on your site, you’re not the only one. Sucuri is reporting that brute force amplification attacks are targeting WordPress sites with XML-RPC enabled. In a nutshell, XML-RPC contains a system.multicall method which allows developers to execute multiple methods and commands inside a single request.

What is a Brute Force Amplification Attack?

In a typical brute force attack, several machines or bots try to guess the username and password for a site one  at a time. In a brute force amplification attack, attackers can guess hundreds or thousands of combinations within a single request making the attack more efficient and difficult to block.

The XML-RPC protocol in WordPress is a communications bridge between remote applications such as the WordPress mobile apps and the site itself. It’s also used to communicate and authenticate to Jetpack.

Jetpack Protect Does Its Job

Jetpack comes with a module called Jetpack Protect formerly known as BruteProtect, that protects sites from brute force attacks. Sam Hotchkiss, lead developer of Jetpack Protect, confirms in a blog post that Jetpack Protect blocks brute force amplification attacks out-of-the box.

In our testing, we confirmed that Jetpack Protect (and BruteProtect) do block this attack vector.  If you’re running Jetpack with Protect enabled or you’re running BruteProtect, you don’t need to do anything to keep yourself safe from this attack technique.

If you use Jetpack Protect, you don’t need to do anything to block this attack vector. For everyone else, Sucuri recommends that administrators block system.multicall requests as they’re not used much in the wild. There’s also a handful of security plugins such as iThemes Security or WordPress Simple Firewall that block system.multicalls and can disable XML-RPC.

11 Comments


  1. You can also disable XML-RPC altogether by adding this to your functions file:

    add_filter(‘xmlrpc_enabled’,’__return_false’);

    Report


    1. remove_filter( ‘xmlrpc_enabled’, ‘filter_xmlrpc_enabled’, 10, 1 );

      Report


  2. I used the plug-in ‘Disable XML-RPC’ rather than edit any code.

    Though I was surprised to receive an email from Wordfence Security saying that they are not disable XML-RPC on their own sites due to the loss of API calls.

    It all comes down to how you use your own WordPress installation I guess. But I’d rather be safe than sorry.

    Report


  3. I got hit day before yesterday. Started Saturday afternoon. I started getting email from “Limit Login Attempts”. I increased the lockout time. Made no difference and as a matter of fact it was sort of like kicking a yellow jacket nest. I’d uninstalled Jetpack as I am in the middle of a divorce and it was just too much minutia for me right now. By night before last there were 260 + attempted failed logins and I’d locked the IPs out for 8 hours each but they started coming with new hits about every 4 minutes. Not knowing that Jetpack for WordPress could protect against this or what a Brute Force Login Attack was… I went looking for security and installed All in One Security and Firewall plugin (free). I am not here to promote this software… just saw the topic. I contacted my Web Host and I was up to date with all I needed to do. He made a really simple suggestion of adding CAPCHA to the login. It was an elegant solution in it’s simplicity. Made that change and it got very quiet. Sweet. The web host did say that there is a concentrated effort on now by hackers singling out WordPress blogs. Today in the wee hours I had two failed attempts – no more. I have no ill will toward anyone but 99% of this activity was coming from the Russian Federation with the IPs pretty much in sequence. With the site locked down – all of the locked out IPs are now re-enabled and the swarm has flown elsewhere. Good luck!!! And from what I’m reading… I will reinstall Jetpack…

    Report


  4. Hi, I want to know after disabling XML-RPC functionality in wordpress, Will Jetpack plugin work smoothly??

    Report


    1. If I remember right, I couldn’t Connect with XML-RPC disabled but after connecting, the modules I used seemed to work fine with it disabled.

      Report


  5. Heya!

    Thankfully JetProtect isn’t the only plugin that protects against this threat of the box. The Simple Security Firewall ( https://wordpress.org/plugins/wp-simple-firewall/ ) has had the option to apply login protection to XML-RPC for a couple of years.

    We also recently added the option to fully disable XML-RPC if you want.

    Lots of options out there for protecting your XML-RPC!
    Cheers!

    Report


  6. Brute Force attack is very common and it makes me wonder why there is no built-in protection in the core?

    Report


  7. Thanks for this post Jeff. I’ve been having an increased number of spam registration on my site and at the same time I’ve been using both Wordfence Plugin and Jetpack protect on the site. As it is i think to be on the safe side, i will have to deactivate one of them and perhaps try the Sabre plugin to combat the spam registration. What do you think?

    Report

Comments are closed.