[EN] WordPress, XML-RPC and Brute Force

In late September 2015 a new type of brute force attack on WordPress sites began to appear. The attack uses XML-RPC as its vector. Although it looks like a brute force password guessing attack, it has a side effect: it can turn into a (D)DoS attack. The attack can be mitigated easily, though.

A single POST request to XML-RPC can carry hundreds of password guesses. So sending a lot of requests to XML-RPC results in many hundreds of password guesses. If the requests are sent in a short timespan, think seconds, this can lead to a huge server load, resulting in diminished performance or even a total hangup of your server (depending on your hardware, of course). See this excellent post on how the brute force attack works.

The easiest way of mitigating the attack is disabling XML-RPC altogether, either by a plugin or by the server configuration. The latter method is preferred, since it prevents any unnecessary PHP processing. However, this approach can be too crude: it can break functionality of your site if plugins rely on XML-RPC. Notably, Jetpack relies on XML-RPC.

So how do we go about this? Depending on your version of Apache (yup, I cover Apache, not nginx or IIS, but the technique should be similar) you use the appropriate access controls. The code blocks are ideally placed in the server configuration, but if need be you can place them in the .htaccess in the DocumentRoot of your WordPress installation.

Let's start with Apache 2.2:

<Files "xmlrpc.php">
 Order Allow,Deny
 Deny from all
</Files>

This will disable XML-RPC altogether. To allow access to XML-RPC, for instance for Jetpack, do this:

<Files "xmlrpc.php">
 Order Allow,Deny
 Allow from example.com
 Allow from 192.168.1 10.8.9.1 10.8.9.4
 Deny from all
</Files>

This will allow access from the host example.com, the hosts in the 192.168.1 network, and the hosts 10.8.9.1 and 10.8.9.4.
In their infinite wisdom, the Apache Foundation changed access control in version 2.4 of the httpd software. For Apache 2.4 the rules translate to this:

<Files "xmlrpc.php">
 Require all denied
</Files>

And

<Files "xmlrpc.php">
 Require host example.com
 Require ip 192.168.1 10.8.9.1 10.8.9.4
</Files>

Respectively.

To find out which hosts and IP addresses you can allow access to "xmlrpc.php", you need to investigate your server logs. Search for "xmlrpc" and determine, by investigation, whether the associated IP addresses make legitimate requests.
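As an added example (not code from the original post), the log investigation above done in a few lines of Python: it parses Apache combined-format access log lines, collects every request to xmlrpc.php per client IP, and flags IPs that hit xmlrpc.php in bursts so you can decide which addresses deserve an Allow/Require entry. The log lines, IPs and user agent strings are constructed samples, and the burst threshold is an assumption you should tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format; IPs and user agents are
# illustrative only (they are not real clients or real Jetpack identifiers).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Sep/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Sep/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Sep/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Sep/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Sep/2015:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "SampleJetpackAgent"
192.0.2.10 - - [28/Sep/2015:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "SampleJetpackAgent"
198.51.100.7 - - [28/Sep/2015:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_xmlrpc_hits(log_text):
    """Return {ip: [(timestamp, user_agent), ...]} for all requests to xmlrpc.php."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("ip")].append((ts, m.group("ua")))
    return dict(hits)

def flag_bursts(hits, max_hits=3, window_seconds=10):
    """Return {ip: count} for IPs with more than max_hits xmlrpc.php requests
    inside any window_seconds window (assumed threshold; tune to your traffic)."""
    flagged = {}
    for ip, entries in hits.items():
        times = sorted(t for t, _ in entries)
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > max_hits:
                flagged[ip] = j - i + 1
                break
    return flagged

if __name__ == "__main__":
    hits = parse_xmlrpc_hits(SAMPLE_LOG)
    for ip, entries in hits.items():
        print(ip, len(entries), "requests, agents:", sorted({ua for _, ua in entries}))
    print("burst suspects:", flag_bursts(hits))
```

Run it against your real access_log instead of SAMPLE_LOG; IPs that are not flagged and carry a user agent you recognise are candidates for the Allow / Require ip lists, the flagged ones are not.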

Be aware that the above technique doesn't make your site safe from (D)DoS attacks, but it will protect you against brute force attacks via the XML-RPC route.
