WordPress brute force amplification attack warning
Daniel Cid, CTO of Sucuri, has warned WordPress users about a wave of brute force password attacks against WordPress websites that use a technique he calls Brute Force Amplification.
Brute force attacks are nothing new, and defences that limit login attempts per request or per IP address have made them easy to guard against. Brute Force Amplification raises the risk because it packs many password guesses into a single request, so per-request limits see only one attempt.
“What if the attacker could try 500 passwords in one shot?” asked Cid, adding that Brute Force Amplification attacks are similar to DDoS amplification attacks.
This is exactly what is happening on many WordPress sites, where attackers abuse WordPress’s XML-RPC interface (xmlrpc.php) and its system.multicall method, which lets one request carry many method calls.
The illustration below, from Sucuri, shows the attacks it has seen targeting the XML-RPC system.multicall method, which it attributes to these brute force attempts.
“Remember, each request can signify an attack of hundreds, if not thousands of username/password brute force attempts,” said Cid.
Protecting against brute force password attacks
Cid said he used to recommend blocking access to xmlrpc.php outright, but that broke the functionality of some plugins (mostly JetPack), which rely on XML-RPC.
“With that in mind, if you are not using JetPack or any of the other plugins that require XML-RPC, it might be a good idea to block direct access to it.”
He said that if you cannot block XML-RPC entirely, he recommends blocking system.multicall requests instead, which will help protect against this amplification method while leaving ordinary XML-RPC calls working.
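To make both the attack mechanism and Cid’s mitigation concrete, the following is an added Python example, not code from Sucuri or WordPress. It builds the kind of system.multicall payload that packs hundreds of username/password attempts into one HTTP POST, then shows a request inspector that counts the attempts hidden in a body and decides whether to block it. It assumes a reverse proxy or WAF hook can read the raw POST body sent to xmlrpc.php and call should_block() on it; wp.getUsersBlogs is used as the login-bearing method because it takes a username and password, and the credential list is a constructed sample.

```python
"""Added example (not Sucuri's or WordPress's code): how XML-RPC
system.multicall turns one HTTP request into hundreds of login attempts,
and a request inspector that detects and blocks such requests.

Assumption: a reverse proxy or WAF hook can read the raw POST body sent to
xmlrpc.php and call should_block() on it; the hook itself is not shown."""
import xmlrpc.client

# Constructed sample credential list; a real attack would use a wordlist.
SAMPLE_CREDENTIALS = [
    ("admin", "password"),
    ("admin", "123456"),
    ("admin", "letmein"),
]


def build_single_call(username, password):
    """One ordinary login-bearing call: wp.getUsersBlogs(username, password).
    WordPress authenticates the pair on every such call."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def build_multicall_payload(credentials):
    """The amplified form: a single system.multicall whose one parameter is an
    array of structs, each a wp.getUsersBlogs call with a different
    username/password pair. The server tries the whole list in one request."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, password]}
        for username, password in credentials
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def _count_attempts(method, params):
    """Count credential attempts in a call, descending into nested multicalls."""
    if method != "system.multicall":
        return 1
    total = 0
    for call in (params[0] if params else []):
        if not isinstance(call, dict):
            continue  # not a <struct>; nothing to authenticate
        total += _count_attempts(call.get("methodName"), call.get("params", []))
    return total


def inspect_xmlrpc_request(body):
    """Return (top-level method name, number of credential attempts the body
    carries). Malformed XML yields (None, 0) instead of raising, so the caller
    can still make a blocking decision."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return None, 0
    return method, _count_attempts(method, params)


def should_block(body, allow_multicall=False, max_attempts=1):
    """Blocking policy in the spirit of Cid's advice: reject system.multicall
    outright unless a plugin needs it, reject unparseable bodies, and when
    multicall must stay enabled, cap how many attempts one request may carry.
    Ordinary single calls pass and are left to normal per-attempt rate limits."""
    method, attempts = inspect_xmlrpc_request(body)
    if method is None:
        return True  # unparseable: no legitimate client sends this
    if method == "system.multicall" and not allow_multicall:
        return True  # Cid's recommendation when nothing needs multicall
    return attempts > max_attempts


if __name__ == "__main__":
    amplified = build_multicall_payload([("admin", "pw%d" % i) for i in range(500)])
    print(inspect_xmlrpc_request(amplified))  # one POST, 500 attempts
    print(should_block(amplified), should_block(build_single_call("admin", "x")))
```

The counting step is what matters for detection: a login rate limiter that counts POSTs to xmlrpc.php sees one request where the server actually performed 500 password checks, so the inspector has to open the body and count the nested calls. The allow_multicall and max_attempts parameters exist for sites that cannot drop system.multicall because a plugin depends on it; the defaults implement the stricter option Cid recommends.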