How to protect WordPress from Brute Force Amplification Attacks • WordPress Help

For some time now, the WordPress file xmlrpc.php has been the target of a very specific type of attack, previously known as the XML-RPC pingback vulnerability and currently known as the Brute Force Amplification Attack.

In this post I will explain everything you need to know to protect your WordPress site from this malicious exploit, as well as from other similar threats.

What is XML-RPC?

Before we get down to protecting the file xmlrpc.php, it is important to know what it does and why it is in every WordPress installation. A fairly accurate explanation is the following:

[XML-RPC is] a specification and series of implementations that allow software running on various operating systems, in different environments, to make procedure calls over the Internet. It is remote procedure calling that uses HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complete data structures to be transmitted, processed and returned.

Simply put, XML-RPC allows Internet platforms to interact with each other. Specifically, the WordPress file xmlrpc.php allows various external applications to connect, transmit and process data.

Do I need XML-RPC?

Since you ask, I'll tell you that NO, you do not really need the file xmlrpc.php. That said, several plugins use WordPress's XML-RPC functionality to perform remote operations, so when in doubt, ask the developer of each plugin whether it needs it.

For example, Jetpack uses XML-RPC to connect several of its components, and the WordPress application for iPhone or Android itself will not connect to your sites if you do not have XML-RPC active.

But unless you use Jetpack or some other very specific plugin, most WordPress sites do not need the file xmlrpc.php at all.

Consequently, if you do not need the file, it is perfectly feasible to delete, block or disable it, especially to avoid the multitude of attacks that use this file.

Protection with plugins

If you are looking for a quick solution, the official plugin directory has several plugins that let you deactivate XML-RPC. Choose the one that suits you best, or try several until you find the one that fits your needs.

Protection through .htaccess

If you have lost your fear of the .htaccess file, there are several ways to block the file xmlrpc.php. Here are a few:

Block xmlrpc.php using RedirectMatch

The best thing about this technique is that no matter where you have WordPress installed, the file xmlrpc.php will be protected regardless of its location in the directory structure (e.g., /wp/xmlrpc.php, /wordpress/xmlrpc.php, /whatever/xmlrpc.php, etc.). It is also case-insensitive, so you'll be protected against any "all-caps" attack variation.

Block xmlrpc.php using Order / Deny

Either of these snippets works perfectly to protect the file xmlrpc.php by blocking any attempt to access it, but this method is especially good against attacks on XML-RPC. It is simple, comprehensive, reliable and maintenance-free.

There are other ways to protect yourself through .htaccess, and I invite you to try them.

Protection using wp-config.php

You can also protect yourself from XML-RPC attacks by disabling the protocol from the file wp-config.php, adding the following line after require_once(ABSPATH . 'wp-settings.php'); :

Protection using a custom function

If you would rather not install plugins or touch system files like .htaccess or wp-config.php, you can also protect yourself from brute force amplification attacks by disabling the system.multicall functionality of the file xmlrpc.php, using a function that you can add to your functionality plugin or to the file functions.php:

Mind you, this method has pros and cons:

  • Pro – you do not need to install another plugin
  • Pro – you do not need to modify .htaccess or wp-config.php
  • Con – only valid for the active theme if you put it in the file functions.php
  • Con – only valid for this specific type of threat

I think the pros need no explanation. As for the cons, keep in mind that this only protects you from attacks on system.multicall and not from other variants, and that if you add it to the file functions.php and change themes you will be exposed.

In short

Above all, you should be aware that the WordPress file xmlrpc.php is a major focus of attacks. While there is no definitive solution that stops WordPress from using this method of connection between applications (using the WP REST API, for example), it is better to block, control or eliminate it, since it is one of the main targets of brute force attacks, pingbacks and amplification attacks, among others.


DDoS attack on WordPress through XML-RPC • WordPress Help

If you have XML-RPC active in WordPress, you are likely to join the list of more than 162,000 sites that have already been attacked by a distributed denial of service attack, or DDoS.

According to Sucuri, any WordPress site with XML-RPC active (which is most of them, because it is active by default) can become one more zombie used for the DDoS attack, which was originally used to take down a very popular site.

Within a few hours, more than 162 thousand totally clean and secure WordPress sites were used in this DDoS attack, with their XML-RPC protocol being used to carry on the attack.

Everything starts with a simple pingback request to an innocent site, in the form of a single Linux command: $ curl -D - "" -d ' '

To avoid being used in this DDoS attack, all you have to do is disable XML-RPC. I warned at the time that having XML-RPC active by default was a security risk, and now it is confirmed in the worst possible way.

Anyway, if you want to deactivate it, you can do it in 3 ways:

  1. Rename the file xmlrpc.php, which you'll find in the root folder of the WordPress installation, and remember to do it again after each new update, because the update will put it back.
  2. In the file wp-config.php, after require_once(ABSPATH . 'wp-settings.php'); add the following line:
  3. Add the following code to the file functions.php of the active theme:

Mind you, disabling XML-RPC is no trivial matter: it is the protocol used for pingbacks, trackbacks, publishing from mobile and desktop applications, and much more.

Finally, and this is not a security measure but just a check, you can see whether your site is being used for a DDoS attack right now with this tool.

NOTICE: This publication is from two years ago or more. If it's a code snippet or a plugin, it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Don't say we didn't warn you.
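One way to apply the wp-config.php and functions.php options described in both articles using WordPress's own filters, as an added example that is not code from the original posts. The file name and the function name example_remove_pingback_methods are assumptions; placing it in wp-content/mu-plugins means it keeps working after a theme change.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example)
 *
 * Assumed location: wp-content/mu-plugins/restrict-xmlrpc.php (hypothetical
 * file name). Must-use plugins load on every request whatever theme is
 * active, so these filters survive a theme change, unlike functions.php.
 */

// Turn off every XML-RPC method that requires a username and password
// (publishing, editing, listing blogs). Such calls are answered with an
// error instead of being processed.
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * xmlrpc_enabled only covers methods that require a login, so the pingback
 * methods have to be removed from the method table separately.
 *
 * @param array $methods Map of XML-RPC method name => callback.
 * @return array The map without the pingback methods.
 */
function example_remove_pingback_methods( $methods ) {
	unset(
		$methods['pingback.ping'],
		$methods['pingback.extensions.getPingbacks']
	);
	return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );
```

Jetpack and the WordPress mobile apps rely on authenticated XML-RPC, so leave out the xmlrpc_enabled line on sites that use them.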
