In case you haven’t heard, a newer form of brute force attack has surfaced in the past few weeks, targeting WordPress sites across the globe. This isn’t the first time a major uptick in this type of attack has occurred, and it won’t be the last. What is different about this one is that the attacker packs many login attempts into a single XML-RPC request, using the system.multicall method to bundle hundreds of username and password guesses into one call.
Brute force attacks are one of the most common types of attacks on the internet. If you have a website online right now, whether it is a WordPress site or another platform, it is more likely than not being hit as you read this. The attempts may come over protocols like SSH or FTP, or they may be web-based attempts against the login form of a CMS you are using, such as WordPress, Joomla! or Drupal.
These aren’t highly sophisticated attacks and are generally pretty easy to stop in their tracks, but they are frequent, they keep happening, and they can be successful if the website owner does not have adequate protections in place.
Keep in mind that while these attacks are simple, they are very noisy. Trying 700 different passwords means 700 separate login requests, each a separate HTTP request to your server. That is what makes them easy to catch: a login-limiting plugin or firewall counts the failed attempts from an address and blocks it automatically once a certain limit is reached.
With an XML-RPC multicall attack, the attacker is able to “limit” that noise. Instead of 700 separate requests, they send 20 or 50, each carrying hundreds of username and password guesses inside one call. A protection that counts requests, or counts failed posts to wp-login.php, sees only 20 or 50 events rather than thousands of guesses, so identifying and stopping these attempts is harder: they don’t stand out as blatantly as a standard attack. The check that matters is whether your rate limiting counts credential guesses, not just requests.
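To make the “limiting the noise” point concrete, here is an added example in Python; it is not code from the original post or from Sucuri’s report. It constructs a system.multicall body of the kind described above (one wp.getUsersBlogs call per password guess, which is a real WordPress XML-RPC method and the real request layout), then shows a detector that unwraps the multicall and counts credential guesses rather than requests. The username, wordlist and threshold are made up; nothing here is captured traffic.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML-RPC methods that take a username/password pair as their first parameters.
# wp.getUsersBlogs is the cheapest to call, which is why it gets abused for guessing.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getCategories", "wp.getPost"}


def _wp_call(method, username, password):
    """One wp.* call as an XML-RPC <struct>, the element type a multicall array holds."""
    return (
        "<value><struct>"
        "<member><name>methodName</name>"
        f"<value><string>{escape(method)}</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{escape(username)}</string></value>"
        f"<value><string>{escape(password)}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
    )


def build_multicall(username, passwords):
    """Body of a single POST to xmlrpc.php carrying one wp.getUsersBlogs
    login attempt per password. Constructed sample, not captured traffic."""
    calls = "".join(_wp_call("wp.getUsersBlogs", username, pw) for pw in passwords)
    return (
        '<?xml version="1.0"?><methodCall>'
        "<methodName>system.multicall</methodName>"
        "<params><param><value><array><data>"
        + calls +
        "</data></array></value></param></params></methodCall>"
    )


def build_single(method, username, password):
    """Body of a plain, un-amplified call: one request, one credential guess."""
    return (
        '<?xml version="1.0"?><methodCall>'
        f"<methodName>{escape(method)}</methodName>"
        "<params>"
        f"<param><value><string>{escape(username)}</string></value></param>"
        f"<param><value><string>{escape(password)}</string></value></param>"
        "</params></methodCall>"
    )


def count_login_attempts(body):
    """Return (top_level_method, credential_guesses) for one XML-RPC request body.

    A plain authenticated call counts as one guess. A system.multicall is
    unwrapped and every authenticated inner call is counted, which is the
    number a rate limiter has to key on to notice the amplification.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, 0  # not XML-RPC at all; leave it to the web server's own rules
    method = root.findtext("methodName")
    if method in AUTH_METHODS:
        return method, 1
    if method != "system.multicall":
        return method, 0
    data = root.find("params/param/value/array/data")
    if data is None:
        return method, 0
    guesses = 0
    for value in data.findall("value"):
        struct = value.find("struct")
        if struct is None:
            continue
        for member in struct.findall("member"):
            if (member.findtext("name") == "methodName"
                    and member.findtext("value/string") in AUTH_METHODS):
                guesses += 1
    return method, guesses


def exceeds_limit(bodies, max_guesses):
    """True when the credential guesses across a batch of request bodies
    (for example everything one IP sent in a time window) pass max_guesses."""
    return sum(count_login_attempts(b)[1] for b in bodies) > max_guesses


if __name__ == "__main__":
    # Constructed demonstration: 20 requests, each carrying 100 guesses (hypothetical wordlist).
    wordlist = [f"password{i}" for i in range(100)]
    batch = [build_multicall("admin", wordlist) for _ in range(20)]
    print("requests seen by a per-request counter:", len(batch))
    print("guesses seen by a per-credential counter:",
          sum(count_login_attempts(b)[1] for b in batch))
    print("blocked at a limit of 50 guesses:", exceeds_limit(batch, 50))
```

Run stand-alone, the script shows the gap the article describes: a counter that tallies requests sees 20, a counter that unwraps the multicall sees 2,000, and only the latter trips a 50-guess limit. One caveat worth knowing: WordPress 4.4 later changed its XML-RPC server so that once one authentication fails inside a multicall, the remaining authenticated calls in that request are refused without being checked, which blunts the amplification on up-to-date sites; older installs get no such protection from core.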
Understand that XML-RPC can be used for good reasons on a website. It’s a simple and portable way to make procedure calls over HTTP and can be used with Perl, Java, Python, C, C++, PHP and other programming languages. Many content management systems like WordPress and Drupal support XML-RPC.
But, like anything, while it can be used for good reasons, it can also be used for bad ones, which is what we have seen cropping up on the internet over the past few weeks.
Sucuri, an online security company, first saw the attacks on September 10, and they have increased sharply over the past few weeks, skyrocketing to over 60,000 per day just a few days ago. They have posted an article about the recent cluster of such attacks on their website and the results are staggering. Even if you don’t read the entire article, scroll down to the chart at the bottom of the posting to get an idea of the scale these attacks have reached in the past several weeks.
Some website designers and website developers are recommending disabling XML-RPC on websites, but I am not, and will not be doing so on any of my sites or my clients’ sites. In my opinion, and the opinion of many other experts, the cost to website functionality is too high when you disable it.
If you disable the XML-RPC service on WordPress, any application that uses this API to talk to WordPress loses that ability.
An API, or application programming interface, gives developers of mobile apps, desktop apps and other services a way to talk to your WordPress site. Say you have an app on your iPhone that lets you moderate comments on your websites. If you disable XML-RPC, that app suddenly stops communicating with your website, because you disabled the API it depends on. You lose much-needed functionality by doing this.
Jetpack, a popular WordPress plugin, relies heavily on XML-RPC to provide its features. So, if you are relying on that plugin to drive certain aspects of your site, as many websites do, you will lose those features as well.
I have actually been watching it on some of the client websites that I do monthly maintenance and support for, and noticed a steady uptick in this type of attack against their sites over the past several weeks.
However, I am happy to report that my website maintenance and support clients have not had any successful hacks to their sites because of the level of security we build into their maintenance plans for them.
If you aren’t set up with one of our monthly maintenance and support packages for WordPress, which includes security protocols, now is the time to consider this investment in your company’s online future.
You don’t even have to be a current client of ours to sign up for it. We service many clients who built their own website, or had their website built for them by third parties.
Should your site get hacked, the cost to recreate and recover from it is likely going to be far greater than the cost of protecting it now.
Image Credit: pixelcreatures / Pixabay