11 Comments

  1. Greg Reindel

    You can also disable XML-RPC altogether by adding this to your functions file:

    add_filter(‘xmlrpc_enabled’,’__return_false’);

    Report

  2. Graham Nichols

    I used the plug-in ‘Disable XML-RPC’ rather than edit any code.

    Though I was surprised to receive an email from Wordfence Security saying that they are not disable XML-RPC on their own sites due to the loss of API calls.

    It all comes down to how you use your own WordPress installation I guess. But I’d rather be safe than sorry.

    Report

  3. Bill Beauchamp

    I got hit day before yesterday. Started Saturday afternoon. I started getting email from “Limit Login Attempts”. I increased the lockout time. Made no difference and as a matter of fact it was sort of like kicking a yellow jacket nest. I’d uninstalled Jetpack as I am in the middle of a divorce and it was just too much minutia for me right now. By night before last there were 260 + attempted failed logins and I’d locked the IPs out for 8 hours each but they started coming with new hits about every 4 minutes. Not knowing that Jetpack for WordPress could protect against this or what a Brute Force Login Attack was… I went looking for security and installed All in One Security and Firewall plugin (free). I am not here to promote this software… just saw the topic. I contacted my Web Host and I was up to date with all I needed to do. He made a really simple suggestion of adding CAPCHA to the login. It was an elegant solution in it’s simplicity. Made that change and it got very quiet. Sweet. The web host did say that there is a concentrated effort on now by hackers singling out WordPress blogs. Today in the wee hours I had two failed attempts – no more. I have no ill will toward anyone but 99% of this activity was coming from the Russian Federation with the IPs pretty much in sequence. With the site locked down – all of the locked out IPs are now re-enabled and the swarm has flown elsewhere. Good luck!!! And from what I’m reading… I will reinstall Jetpack…

    Report

  4. Muhammad Imran

    Hi, I want to know after disabling XML-RPC functionality in wordpress, Will Jetpack plugin work smoothly??

    Report

  5. Paul G.

    Heya!

    Thankfully JetProtect isn’t the only plugin that protects against this threat of the box. The Simple Security Firewall ( https://wordpress.org/plugins/wp-simple-firewall/ ) has had the option to apply login protection to XML-RPC for a couple of years.

    We also recently added the option to fully disable XML-RPC if you want.

    Lots of options out there for protecting your XML-RPC!
    Cheers!

    Report

  6. Jeffrey

    Brute Force attack is very common and it makes me wonder why there is no built-in protection in the core?

    Report

  7. mark k.

    This attack is actually not hard to detect and defend against, just limit each XML-RPC request to one login attempt. Here is a wordpress plugin for that – http://shop.marksw.com/downloads/xml-rpc-brute-force-amplification-attack-cure-plugin/

    Report

  8. Victor

    Thanks for this post Jeff. I’ve been having an increased number of spam registration on my site and at the same time I’ve been using both Wordfence Plugin and Jetpack protect on the site. As it is i think to be on the safe side, i will have to deactivate one of them and perhaps try the Sabre plugin to combat the spam registration. What do you think?

    Report

Comments are closed.

%d bloggers like this: