WordPress XML-RPC Based Attacks

If you inspect the source code of WordPress, you will notice a file in the root of the installation called xmlrpc.php. RPC stands for Remote Procedure Call: the file exposes an API that external agents can call, using XML to encode the data and HTTP to carry it. XML-RPC is the predecessor of the more complex SOAP protocol.

You may be wondering how this is an attack vector. With use comes abuse. This protocol is what pingbacks, the mobile apps and other outside applications use to talk to a WordPress installation. The problem is that since version 3.5 it is enabled by default and can no longer be switched off from the settings screen, so it has been abused extensively. Two of the most common attacks that use this protocol are:

Denial Of Service

A POST request to the file with some random data is enough to make the server spend a fair amount of resources parsing it. Repeating such requests quickly makes for an easy DoS attack against any WordPress domain, since the entry point is always the same. This kind of attack is easy to notice: the site becomes slow and unresponsive, to the point of crashing. Usually the Apache processes consume so much memory that the operating system starts killing other processes, the MySQL process among them. That is very common in this situation and leads to the typical “Error Establishing A Database Connection” page. Killing the database process in the middle of a write can lose the in-flight data, and can corrupt tables on storage engines that are not crash-safe, which is another reason to keep a good backup program.
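As an added example (not code from the original post), here is how the flood described above shows up in the access log and how to pick it out automatically. It assumes Apache's combined log format, a constructed set of log lines with made-up IPs and timestamps, and a threshold of 30 POSTs to xmlrpc.php per 60 seconds; the threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Enough of Apache's combined log format to pull out client IP, timestamp,
# method and path.  Regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def flag_xmlrpc_floods(lines, window=timedelta(seconds=60), threshold=30):
    """Return {ip: peak_count} for clients that POST to xmlrpc.php more than
    `threshold` times inside any `window`.  One sliding window per client IP;
    lines are expected in chronological order, as in a real access log."""
    recent = defaultdict(deque)   # ip -> timestamps of recent xmlrpc POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def sample_log():
    """Constructed log lines (made-up IPs from the documentation ranges):
    one client hammering xmlrpc.php, one client making normal use of it."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method="POST", path="/xmlrpc.php", status=200):
        ts = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'

    lines = [line("203.0.113.7", i) for i in range(40)]            # 40 POSTs in 40 s
    lines += [line("198.51.100.9", 5), line("198.51.100.9", 50)]    # two normal calls
    lines.append(line("198.51.100.9", 12, method="GET", path="/"))  # unrelated GET
    lines.sort(key=lambda l: parse_line(l)["time"])                 # chronological
    return lines


if __name__ == "__main__":
    print(flag_xmlrpc_floods(sample_log()))
```

Running it over the constructed log flags only 203.0.113.7. Feeding the flagged IPs into an iptables or nftables deny list, or expressing the same rule as a fail2ban filter, turns this into the firewall-based mitigation described further down the page.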

Amplified Bruteforce Password Attack

Brute-force attacks on passwords are fairly easy to detect: you normally need a lot of POST requests to the URL the login form submits to. These are easy to mitigate, and many plugins already do so, but the nasty fact is that XML-RPC offers a method called “system.multicall”, which lets the client embed many method calls in one single HTTP request. This is very dangerous because each embedded call can carry its own username/password pair (wp.getUsersBlogs, whose only parameters are those two, is the usual choice), so a single request can test hundreds of passwords. A login-form rate limiter never sees these attempts, and almost nobody inspects, or even logs, the body of every request. As soon as one of the calls inside the multicall succeeds, the attacker knows the password. Be aware that somebody after your passwords probably does not want to take your system down, so they can space the requests out or vary them to stay under the radar. Since WordPress 4.4, core refuses every remaining login in the same request once one of them has failed, which blunts the amplification on up-to-date installations, but older installations remain fully exposed.
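To make the amplification concrete, here is an added example (not code from the original post or from WordPress) that builds a constructed system.multicall body of the kind described above with Python's standard xmlrpc.client module, then inspects a body the way a request-inspecting filter would, counting how many password guesses a single request hides. The method names are real WordPress XML-RPC methods; the usernames, passwords and the one-guess-per-request threshold are made up for the example.

```python
import xmlrpc.client
from collections import Counter

# wp.getUsersBlogs is the method attackers favour because its only
# parameters are (username, password); most other wp.* methods take a
# blog_id first.  Everything below is example code, not WordPress's own.


def build_single(username, password):
    """One ordinary authenticated call: what a legitimate client sends."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def build_multicall(username, passwords):
    """The amplified form: one HTTP body carrying one call per password.
    Constructed payload so the inspector below has something to look at."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def inspect_body(body):
    """Summarise a request body: the outer method, how many calls it bundles,
    how often each method appears, and how many distinct passwords are tried
    per username."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        calls = list(params[0])      # the single argument is an array of structs
    else:
        calls = [{"methodName": method, "params": list(params)}]
    tried = {}                       # username -> set of passwords seen
    for call in calls:
        args = call.get("params") or []
        if call.get("methodName") == "wp.getUsersBlogs" and len(args) >= 2:
            tried.setdefault(str(args[0]), set()).add(str(args[1]))
    return {
        "method": method,
        "calls": len(calls),
        "per_method": Counter(c.get("methodName") for c in calls),
        "guesses": {user: len(pws) for user, pws in tried.items()},
    }


def is_amplified_bruteforce(summary, max_guesses=1):
    """More than one password for the same user inside one request is a
    guess burst that no legitimate client produces."""
    return any(n > max_guesses for n in summary["guesses"].values())


if __name__ == "__main__":
    body = build_multicall("admin", ["123456", "password", "letmein"])
    print(body)                      # the XML exactly as it would go over the wire
    summary = inspect_body(body)
    print(summary, is_amplified_bruteforce(summary))
```

Printing the body shows why a per-request counter at the web server misses the attack entirely: on the wire it is one POST, and the guesses are only visible once the XML is parsed. A web application firewall that parses the body can apply the same rule, or simply refuse system.multicall altogether when no legitimate client needs it.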

How to mitigate it?

There are several ways:

  • Through a plugin. Jetpack, made by Automattic (the company behind WordPress.com), offers protection against this attack (among many other things, like statistics, at the price of sending your data to them).
  • Through Apache configuration. Either capture the attackers' IPs and deny them access, or deny every request to xmlrpc.php with a `<Files "xmlrpc.php">` block containing `Require all denied` (`Deny from all` on Apache 2.2). Denying the file outright breaks plugins and clients that make fair use of XML-RPC, including Jetpack and the WordPress mobile apps, so check what you rely on first.
  • Through the firewall. Block the attackers' IPs on the port Apache listens on, so they simply cannot bother you any more; a tool like fail2ban can do this automatically from the access log.

These attacks are really common, as they are easy to launch, so it is good practice to work out which solution is best for you and apply it immediately to all the installations you manage.
