Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net)

An anonymous reader writes: Online security firm Sucuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."
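The amplification described above works because one system.multicall body can wrap many wp.getCategories or wp.getUsersBlogs calls, each carrying its own username and password. The inspector below, an added example that is not from Sucuri, The Stack or WordPress, parses an XML-RPC request body with the standard library and counts how many credential-bearing calls it bundles, so a proxy or WAF can refuse only the amplified requests while leaving xmlrpc.php available to plugins; the threshold, the CREDENTIAL_METHODS map and the sample body are assumptions.

```python
import xmlrpc.client
from collections import Counter

# XML-RPC methods that carry a username/password pair, mapped to the index of the
# username argument: wp.getUsersBlogs takes (username, password, ...) and
# wp.getCategories takes (blog_id, username, password). Extend for other methods.
CREDENTIAL_METHODS = {"wp.getUsersBlogs": 0, "wp.getCategories": 1}


def inspect_xmlrpc_body(body, threshold=3):
    """Count credential-bearing calls packed into a single system.multicall body.

    Returns a dict; 'suspicious' is True when the body bundles more than
    `threshold` login attempts, or when it cannot be parsed at all.
    """
    result = {"method": None, "calls": 0, "attempts": 0,
              "usernames": Counter(), "suspicious": False, "error": None}
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:          # malformed XML: flag it rather than guess
        result.update(suspicious=True, error=str(exc))
        return result
    result["method"] = method
    if method != "system.multicall" or not params or not isinstance(params[0], list):
        return result                 # a single call is at most one attempt
    for call in params[0]:
        if not isinstance(call, dict):
            continue
        result["calls"] += 1
        idx = CREDENTIAL_METHODS.get(call.get("methodName"))
        args = call.get("params", [])
        if idx is None or not isinstance(args, list) or len(args) < idx + 2:
            continue
        result["attempts"] += 1
        result["usernames"][str(args[idx])] += 1
    result["suspicious"] = result["attempts"] > threshold
    return result


def build_sample_multicall(n):
    """Constructed test fixture: one multicall bundling n credential checks for 'admin'."""
    calls = [{"methodName": "wp.getCategories", "params": [1, "admin", "sample-%d" % i]}
             for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


if __name__ == "__main__":
    v = inspect_xmlrpc_body(build_sample_multicall(10))
    print(v["calls"], v["attempts"], dict(v["usernames"]), v["suspicious"])
```

The per-username tally is what a login limiter should be fed, since each nested call is an independent credential check even though the transport sees one HTTP request.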
  • $ mv /var/www/wp/xmlrpc.php /var/www/wp/xmlrpc.php/OFF.xmlrpc.php
    Least effort, maximum result.
    • awww i fucked the motherfucking copy-paste fuck. I am a lazy idiot.
  • by sstern ( 56589 ) on Sunday October 11, 2015 @10:50AM (#50704031) Homepage Journal

    Per a blog post from WordFence ( https://www.wordfence.com/blog... [wordfence.com] ), multiple logins via XMLRPC are seen individually, so any program that limits login attempts will work as usual.

  • by kervin ( 64171 ) on Sunday October 11, 2015 @10:52AM (#50704041)

    Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed. They didn't even leave the ability to filter the remote calls by IP address. E.g. allow localhost by default, have a button that 'allows current IP' or something like that.

    I think this was one of the most brain-dead security decisions in a major piece of software in recent memory. And this decision simply has to be reversed to fix this.

    • Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed.

      I know, that was simply fucking brilliant of them. I saw that and nearly fell out of my chair, it was an instant "WTF???"

      Dev 1: "Hey, let's create a potential exploit hole and let's make sure that it can't be disabled!"
      Dev 2: "Magnificent! Give that man a raise!"

      • by fnj ( 64210 )

        It almost makes you wonder if Wordpress is actually a secret attempt to knock over web servers.

        • It almost makes you wonder if Wordpress is actually a secret attempt to knock over web servers.

          Judging by the stats, it leads in that category.

          I'm convinced that there is no easier way to allow a server to be nailed than to install WP with no hardening plugins. Hell, half the themes out there for it contain obfuscated code and built-in spam links.

    • by Anonymous Coward

      while enabling xmlrpc was the most brain dead decision they made, allowing 1000s of simultaneous login attempts at a single go is probably their absolute stupidest coding mistake ever... and they've had some really, really fucked up bugs in their history.

      they don't need to disable or remove the feature itself, just i dunno, learn how to fucking program, maybe.. and test the product before handing it over to a million+ equally stupid and ignorant web site owners.

      if wordpress users weren't so fucking stupid (

    • by trawg ( 308495 )

      You can turn off XML-RPC by setting this filter in (for example) wp-config.php:

      add_filter('xmlrpc_enabled', '__return_false');

    • by e r ( 2847683 )

      And this decision simply has to be reversed to fix this.

      I think the decision that needs to be reversed is the decision to use Turd-press in the first place.

  • Why are insane amounts of passwords permitted? Why are wrong attempt timers missing? Why are instant resubmissions permitted?

    Dictionary attacks would not be feasible if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime. Dictionary attacks on my password would not be possible in my lifetime on my account, but an honest typo would be a minor delay for the legitimate user.

    Multiple fails o

    • Re:Why (Score:5, Informative)

      by JustAnotherOldGuy ( 4145623 ) on Sunday October 11, 2015 @11:44AM (#50704225) Journal

      Why are insane amounts of passwords permitted? Why are wrong attempt timers missing? Why are instant resubmissions permitted?

      Dictionary attacks would not be feasible if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime.

      Wordfence lets you set this sort of gate. I have mine set to trigger on 3 wrong login attempts over the course of 3 hours, and then it locks the user out for 10 days.

      No, that's not a typo. These are for sites where I'm usually the only person logging in, ever.

      For sites with actual users I use 3 wrong login attempts (over the course of 3 hours), and then it locks the user out for 6 hours.

      Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead and so no login attempt using it will ever succeed, it doesn't even show the form, just a blank page. Drives the bots crazy, lol.

      • Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead and so no login attempt using it will ever succeed, it doesn't even show the form, just a blank page. Drives the bots crazy, lol.

        Rather than just putting in an 'exit' you might consider being more sophisticated to get better results:
        * Return a 404. That way, the bot knows even less. Many bots and scanners seem to look for wp-login.php before they do anything else. Returning a 200 tells the bot there's something there. Return a 404 and they'll likely assume there's no WordPress there and move along.
        * Add a second authentication factor via a querystring. something esoteric and non-standard like ?answer_to_ultimate_question=42. If the q

      • by dfsmith ( 960400 )
        From time to time I get a handful of IP addresses blocked by my Wordpress' firewall within a few seconds. The whois data often lists "Tor exit node". Why do they bother to try so hard? Beats me....
        • Why do they bother to try so hard? Beats me....

          It's nothing personal, it's bots just mindlessly attacking or probing whatever they find.

    • by PPH ( 736903 )

      Why are insane amounts of passwords permitted?

      I'm just guessing here: It may be that sites which use Wordpress as a backend want to batch a bunch of requests together to reduce network connection overhead.

  • by Jason Levine ( 196982 ) on Sunday October 11, 2015 @11:29AM (#50704165) Homepage

    One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator", or something else that is easily guessable.

    I have a login limiting plugin on my sites that keeps track of bad logins. Over 90% of bad login attempts use admin, the site name, or administrator. Making the admin username difficult to guess greatly decreases the chances that someone will brute force their way into your system.

    • One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator"

      Good advice. Yep, mine is usually some oddball chars after "admin", i.e. "admin77YT43" or something completely unrelated (but still hard to guess).

      • That doesn't really help, my experience says they look for any user name that contains the text "admin" not simply the name admin
        • That doesn't really help, my experience says they look for any user name that contains the text "admin" not simply the name admin

          Yep, although you can prevent the discovery of usernames with plugins like Wordfence. This prevents anyone (or a bot) from iterating over the user list and seeing if there even is a user with "admin" in the name.

          Later versions of WP allow you to pick something other than "admin" for the administrative user, but I still have fully upgraded versions that don't allow changing the name once it's set (which seems kind of silly/stupid to me).

          I'd like a plugin that reserves the name "admin" and allows logging into

    • by awe_cz ( 818201 )
      Right. Those are the two steps I take with most of the systems: non-standard user, and, in case the port is not required for normal operation, non-standard port (ssh for instance). Makes most automated attacks worthless.
    • The second thing you should do is implement a 3 attempt policy followed by an IP ban.

      • Agreed. I use a plugin called Apocalypse Meow [wordpress.org] to do this, but there are a dozen others that can do the same. It's not a perfect solution (attackers can come at you from thousands of compromised computers under their control), but the more speed bumps you place in a potential hacker's way, the more likely he is to decide to skip your site and focus on an easier target. (It's the security equivalent of not needing to run faster than a bear, just faster than other people who are running away from the bear.)

  • by Anonymous Coward

    a thousand passwords can be submitted within the scope of a single login attempt.

    Can somebody explain to me how this could be the result of anything other than severe incompetence?

    • Can somebody explain to me how this could be the result of anything other than severe incompetence?

      No, because that's pretty much the only explanation. You called it dead-on.

      Why WordPress doesn't have this kind of login-limiting built in by default can also only be explained by sheer, utter incompetence.

  • ... that's worth anybody's time to brute force?

    • ... that's worth anybody's time to brute force?

      Oh, there are lots of naughty things you can do once you've managed to login, especially as an admin.

      As an admin you can edit the Wordpress php files to add or remove anything you want. Yup, think about that for a minute. Muwahahahaha.

      • My post is an indication that I've already thought about it for at least a minute.

        I took your advice and thought about it for another minute.

        So here's the outcome of those two individual pauses to reflect on this:

        What's Wordpress walling ... that's worth anybody's time to brute force?

        Your answer ... isn't one.

        • by JustAnotherOldGuy ( 4145623 ) on Sunday October 11, 2015 @04:52PM (#50705651) Journal

          What's Wordpress walling ... that's worth anybody's time to brute force?

          Your answer ... isn't one.

          As I said, you can modify the WP files to include your own code: PHP, javascript, whatever, and from there you can use the platform as part of an attack or DDOS network. You could use it to attack and infect any user visiting the site.

          You could store files on the server (kiddie porn, malicious code, MP3s, movies, stolen credit card numbers, social security numbers, etc) and so on. You could use it to send emails to the White House and threaten the president's life. You could set up online pill stores, a XXX-video site, etc etc. You could steal the login names and passwords of anyone who logs in.

          You can also run compiled code (C, C++, etc) and more than likely escalate your privileges until you're root, at which point the server is yours for all intents and purposes. You can steal user creds and any info you like that may be there (credit card data, PIN codes, passwords, personal info, etc etc).

          You could alter the DNS and email records and potentially use that to steal domains on the server. You could also impersonate any user on the server to send and receive email as them. You could alter data at will (think medical info, dosage info, diagnostic info).

          All that took me about 10 seconds to come up with, and I'm sure there's much more that I could think of given a little more time. The real question is not "what can you do", but what couldn't you do? And the answer is basically nothing, there's nothing you couldn't do.

          The fact that you couldn't think of any of this does not speak well of you, although it does prove that your user name is entirely accurate, "Captain Dork".

          • Your shitty answer is useless as tits on a boar hog.

            It doesn't answer the question as to why in Sam Hill you'd want Wordpress access to do that stuff.

            You're suggesting hacking one of the weakest interfaces on the planet that ALSO rats out your activity.

            You're not making one single goddam penny.

            The risk/reward is whack.

            Your last line, which you bolded so everyone else but me can see it clearly (because you know> I don't give a shit) clearly demonstrates your need to compensate for inability to provide

            • Your shitty answer is useless as tits on a boar hog.

              Only to the mentally deficient, like you.

              It doesn't answer the question as to why in Sam Hill you'd want Wordpress access to do that stuff.

              Wow, you're like The Fountain Of Stupid. Why does anyone hack a server? To get its resources and/or data. Duh.

              You're suggesting hacking one of the weakest interfaces on the planet that ALSO rats out your activity.
              You're not making one single goddam penny.
              The risk/reward is whack.

              Oh, that must be why no one ever hacks Wordpress sites. You're right, it never happens, so obviously you're spot-on. Oh, wait...

              Your last line, which you bolded so everyone else but me can see it clearly (because you know> I don't give a shit) clearly demonstrates your need to compensate for inability to provide a valid answer.

              Lol, oh look, Captain Dork is also a psychologist...what color crayon did they sign your diploma with?

              Seriously, you have no idea what you're babbling about, and it's painfully obvious to everyone here but you. People hack Wordpr

    • Free anonymous hosting. Where do you think most nasty jpegs and binaries live ?
      • Most nasty jpegs and binaries live on local hard drives as demonstrated by all the guys we've read about who got busted for child porn.

        Only a noobie would hijack a Wordpress simply to get free cloud hosting where tracing access back to the point of origin is a piece of cake.

        Why in Sam Hill would you store jpegs and binaries in the cloud?

        Go p2p.

    • The ability to arbitrarily run code on a webserver is one.

      I've seen a wordpress installation owned once. A small modification to one of the theme files included a mail relay server. It's amazing how much spam you can send out when you own a machine in a data centre somewhere vs some poor grandma's ADSL line.

    • Perhaps it isn't what it is walling and what exposure it offers. I mean, there are obvious nefarious things like relaying spam and such. However, with wider and wider adoption of Wordpress in larger sites, there is lots of opportunity such as:

      1. Changing affiliate links to redirect money to yourself
      2. During election time, political sites seem to be potential big targets. Obviously one approach would be to do something blatant and visible, but if you wanted to be more nefarious you could make subtle chan

      • Using Wordpress sites to do anything devious is a crazy idea. It offers no masking as to who is modifying it, right? So, the risk/reward is simply not there, for any reason.

        It's a nice honeypot.

        That's about all Wordpress is good for.

        • Even if the attacker was stupid enough to use their own home connection (as opposed to using a bot net, VPN, or some other method of obscuring his IP address), that doesn't mean he'll be caught.

          When my identity was stolen, I had to prompt the police to track down the online form that was used. We finally got the IP address used to submit the form as well as the exact date and time that it was submitted. This means we caught the criminal, right? Wrong. This IP address was in another jurisdiction and the

          • Appreciate the concept of "scale."

            This is a way to compromise Wordpress.

            The attack surface is not a small one, as your narrative would suggest.

            • The attack surface isn't a small one, but that doesn't mean that law enforcement will be dedicating tons of resources to catch anyone who utilizes the attack. If the compromised sites are small, law enforcement might not care enough to do anything other than fill out a police report. If the attackers are based outside the US, local law enforcement will do nothing and Federal law enforcement might not be able to touch them.

              Just because a lot of sites might be compromised doesn't mean law enforcement can cl

  • by JustAnotherOldGuy ( 4145623 ) on Sunday October 11, 2015 @11:36AM (#50704189) Journal

    I highly recommend "WordFence", or if you don't want to use that, use Disable XML-RPC [philerb.com]. Both of them work to stop this kind of attack.

    Wordfence [wordfence.com] is worth its weight in gold and it's a standard plugin I install whenever I have to do a Wordpress site.

    It has lots of useful options and I wouldn't run a Wordpress site without it, period.

    • Thanks - I have about a dozen WP sites I barely ever think about (I know I should more - but time isn't my friend, these days). I'll go check out wordfence now.
  • The most effective means against distributed brute force attacks is blocking the number of attempted logins on a particular user-name per a time period. (Query rate limited by user-name, regardless of source.)

    Additionally, requiring a 1 second time limit between login queries for the same user-name should combat this and other means of increasing query.
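The username-keyed, source-independent limit in the post above, combined with the exponential delay scheme proposed earlier in the thread (60 s after the first failure, then 120 s, then 240 s, and a minimum 1 s gap between attempts), as an added example that is not from any commenter or from WordPress itself; the class names, the injectable clock and FakeClock are assumptions so the policy can be exercised offline.

```python
import time


class UsernameThrottle:
    """Login throttle keyed on the username alone, never the client IP, so a
    distributed attack rotating through many sources still hits one counter.
    After the k-th consecutive failure the username is locked for
    base_delay * 2**(k-1) seconds (60, 120, 240, ...), and any two attempts
    on the same username must be at least min_gap seconds apart."""

    def __init__(self, base_delay=60.0, min_gap=1.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.min_gap = min_gap
        self.clock = clock    # injectable clock so the policy can be tested offline
        self._state = {}      # username -> {"failures": n, "last": t, "until": t}

    def _entry(self, username):
        return self._state.setdefault(
            username, {"failures": 0, "last": float("-inf"), "until": 0.0})

    def seconds_until_allowed(self, username):
        s = self._state.get(username)
        if s is None:
            return 0.0
        now = self.clock()
        return max(0.0, s["until"] - now, s["last"] + self.min_gap - now)

    def allow(self, username):
        """Call before touching the password store; False means reject outright."""
        if self.seconds_until_allowed(username) > 0:
            return False      # rejected attempts do not extend the lockout
        self._entry(username)["last"] = self.clock()
        return True

    def record(self, username, success):
        """Report the outcome of an attempt that allow() admitted."""
        if success:
            self._state.pop(username, None)
            return
        s = self._entry(username)
        s["failures"] += 1
        s["until"] = self.clock() + self.base_delay * 2 ** (s["failures"] - 1)


class FakeClock:
    """Constructed stand-in for time.monotonic, advanced manually in tests."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

Because the key is the username rather than the source, a stream of failures against "admin" also locks out the real administrator, so in practice this needs an out-of-band unlock path or a second factor alongside it.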
