WordPress XML-RPC authentication brute force
Description
WordPress includes an XML-RPC interface, served by the xmlrpc.php script, which accepts remote procedure calls over HTTP with XML-encoded request and response bodies. Several of its methods, wp.getUsersBlogs among them, take a username and password as parameters and validate them against the WordPress user table, so an attacker can drive automated credential guessing against any account simply by calling such a method repeatedly. Unlike the wp-login.php form, this endpoint is usually not covered by login rate limiting, lockout plugins or two-factor authentication, and every attempt is a single cheap POST request, which makes it an attractive target for brute force attacks.
Remediation
Implement one or more of the following mitigation strategies:
1. Disable XML-RPC if not required: If your site does not use XML-RPC functionality (such as the WordPress mobile app, Jetpack, or remote publishing tools), disable it with a security plugin such as "Prevent XMLRPC" or by adding the following filter to a must-use plugin in wp-content/mu-plugins (it can also go in your theme's functions.php, but it is then lost when the theme is switched or updated):
add_filter('xmlrpc_enabled', '__return_false');
Note that this filter only makes the methods that require authentication return an error (fault 405, "XML-RPC services are disabled on this site."); unauthenticated methods such as pingback.ping still respond. To remove the endpoint entirely, combine it with the web-server restriction in item 2.
2. Restrict XML-RPC access: Use .htaccess to block access to xmlrpc.php for all clients except trusted IP addresses:
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    # Allow from trusted.ip.address
</Files>
Uncomment the Allow line with the address of each client that legitimately needs the endpoint. The Order/Deny/Allow directives are Apache 2.2 syntax; on Apache 2.4 they work only while mod_access_compat is loaded, otherwise use the equivalent Require all denied and Require ip directives. On nginx, a location block for /xmlrpc.php that returns 403 (with an allow rule for trusted addresses) achieves the same result.
3. Implement rate limiting: Deploy a Web Application Firewall (WAF) such as ModSecurity, or a WordPress security plugin, to count failed XML-RPC authentication attempts per source address and throttle or block sources that exceed a threshold. Configure alerts for repeated authentication failures; a burst of POST requests to xmlrpc.php from a single address is the usual signature of this attack.
4. Enforce strong authentication: Require strong, unique passwords for all user accounts so that guessing is impractical, and enable two-factor authentication. Be aware that most WordPress two-factor plugins protect only the wp-login.php form: XML-RPC authenticates with a bare username and password, so a second factor does not protect this endpoint unless the plugin also restricts or disables XML-RPC.
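To verify that a fix actually took effect, the following script (an added example written for this page, not code from the original or from WordPress) sends a wp.getUsersBlogs call with deliberately wrong credentials to an xmlrpc.php URL and classifies the reply. It relies on the fault codes wp_xmlrpc_server returns: 403 when a password was checked and rejected, 405 when the xmlrpc_enabled filter has switched authenticated methods off; a non-XML reply means a web-server or WAF block. The sample responses embedded in the script are constructed to mirror those replies, so the classification logic runs offline; only probe() touches the network, and the target URL is whatever you pass on the command line.

```python
"""Probe a WordPress xmlrpc.php endpoint and report whether it still
accepts password authentication over XML-RPC (added example; stdlib only)."""
import sys
import urllib.error
import urllib.request
import xml.parsers.expat
import xmlrpc.client


def build_probe(username: str, password: str) -> bytes:
    """XML body of a wp.getUsersBlogs call: the method needs nothing but a
    username and password, which is why brute-force tools favour it."""
    return xmlrpc.client.dumps(
        (username, password), methodname="wp.getUsersBlogs"
    ).encode("utf-8")


def classify(body: bytes) -> str:
    """Map a raw xmlrpc.php response body to one of four states:
    'open'     - the call succeeded, i.e. the credentials were valid
    'rejected' - WordPress checked the password and refused it (fault 403);
                 the endpoint is therefore usable for brute force
    'disabled' - authenticated methods are off (fault 405, xmlrpc_enabled)
    'blocked'  - not an XML-RPC reply at all (web-server 403 page, WAF, empty)
    Any other fault code is reported as 'fault:<code>'."""
    try:
        # loads() accepts bytes and raises Fault for a <fault> response
        xmlrpc.client.loads(body)
        return "open"
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 405:
            return "disabled"
        if fault.faultCode == 403:
            return "rejected"
        return "fault:%d" % fault.faultCode
    except (xmlrpc.client.ResponseError, xml.parsers.expat.ExpatError):
        # HTML error page, empty body or other non-XML-RPC content
        return "blocked"


def probe(url: str, username: str = "admin",
          password: str = "definitely-not-the-password",
          timeout: int = 10) -> str:
    """Send one probe to the given xmlrpc.php URL and classify the reply.
    A web-server block answers with an HTTP error status, so that body is
    classified as well instead of raising."""
    request = urllib.request.Request(
        url, data=build_probe(username, password),
        headers={"Content-Type": "text/xml"}, method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(response.read())
    except urllib.error.HTTPError as err:
        return classify(err.read())


# Constructed sample replies mirroring what wp_xmlrpc_server emits; they are
# for offline testing and were not captured from a real site.
SAMPLE_REJECTED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password.")).encode()
SAMPLE_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site.")).encode()
SAMPLE_OPEN = xmlrpc.client.dumps(
    ([{"blogid": "1", "blogName": "Example", "url": "https://example.com/",
       "xmlrpc": "https://example.com/xmlrpc.php", "isAdmin": True}],),
    methodresponse=True).encode()
SAMPLE_BLOCKED = b"<html><body><h1>403 Forbidden</h1></body></html>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("%s -> %s" % (sys.argv[1], probe(sys.argv[1])))
    else:
        for name, sample in [("rejected", SAMPLE_REJECTED),
                             ("disabled", SAMPLE_DISABLED),
                             ("open", SAMPLE_OPEN),
                             ("blocked", SAMPLE_BLOCKED)]:
            print("%-8s -> %s" % (name, classify(sample)))
```

Run it with no arguments to see how the embedded samples are classified, or pass the full URL of a site's xmlrpc.php to probe it live (only against systems you are authorised to test). "rejected" is the state this finding describes; after applying item 1 you should see "disabled", and after item 2 "blocked". Because the probe uses one wrong password, a single run will not trip a correctly configured rate limit, but it will show up in the logs as a failed XML-RPC login, which is a useful way to confirm that the alerting from item 3 works.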