Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net)
An anonymous reader writes: Online security firm Sucuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."
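As an added example (not code from Sucuri, WordPress or any poster here), the check a WAF or reverse proxy would run on a POST body before it reaches xmlrpc.php: it parses a system.multicall request, lists the nested method calls, and flags the amplification pattern described above, many credential-bearing calls (such as wp.getCategories) for one username inside a single request. The sample request body is constructed for the example and the threshold is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter


def build_sample(passwords, user="admin"):
    """Constructed system.multicall body: one wp.getCategories call per password.
    WordPress authenticated methods take (blog_id, username, password, ...)."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getCategories</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><int>1</int></value>"
        f"<value><string>{user}</string></value>"
        f"<value><string>{pw}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for pw in passwords)
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + calls +
            "</data></array></value></param></params></methodCall>")


def _scalar(value_el):
    # A <value> either wraps a typed child (<string>, <int>, ...) or holds bare text.
    child = list(value_el)
    return (child[0].text if child else value_el.text) or ""


def inspect_multicall(body):
    """Return (method, username) for each nested call; [] if the body is not a multicall."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return []
    calls = []
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        method, params = None, []
        for member in struct.findall("member"):
            name = member.findtext("name")
            val = member.find("value")
            if name == "methodName":
                method = _scalar(val)
            elif name == "params":
                params = [_scalar(v) for v in val.iterfind("./array/data/value")]
        # Second positional parameter is the username on WordPress authenticated methods.
        user = params[1] if len(params) >= 3 else None
        calls.append((method, user))
    return calls


def is_amplified_login(body, max_auth_calls=3):
    """True when one username carries more credential-bearing calls than the
    assumed threshold, i.e. many passwords tried inside a single HTTP request."""
    per_user = Counter(u for _, u in inspect_multicall(body) if u is not None)
    return any(n > max_auth_calls for n in per_user.values())
```

A proxy that applies this can reject or log the request while leaving ordinary single-call XML-RPC traffic, which plugins depend on, untouched.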
SubjectsInCommentsAreStupid (Score:2)
Least effort, maximum result.
Re: (Score:2)
Re: (Score:2)
I think you will find your script has "interesting" results if directory names with space characters in them are involved. It wouldn't be much more effort to guard against this as a matter of principle:
find / -name xmlrpc.php -exec mv "{}" "{}.DISABLED" \;
Re: (Score:1)
*chuckles at moderation*
Now come on, you know nobody was dumb enough to actually DO that, right? Right? If they did then they'll learn the most important lesson in security. Research before doing anything - especially entering random commands into the terminal.
Re: (Score:1)
This is what happens when "web-wallies" as I call them attempt to "program" - massive fuckups. They're not coders.
Yeah lately Wordpress is starting to look like Adobe Flash in terms of security. Did its creators just not give a shit about security or what? Seems they'd be better off scrapping the whole thing and writing something secure from scratch. Preferably not with PHP.
Re: (Score:1)
LATELY??? It's been a festering pile of fail from day one.
Yeah, all the time... that's the web (Score:3, Informative)
Per a blog post from WordFence ( https://www.wordfence.com/blog... [wordfence.com] ), multiple logins via XMLRPC are seen individually, so any program that limits login attempts will work as usual.
Re: (Score:2)
Same for Limit Login Attempts, by my testing.
Brain-dead security hole (Score:5, Insightful)
Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed. They didn't even leave the ability to filter the remote calls by IP address. E.g. allow localhost by default, have a button that 'allows current IP' or something like that.
I think this was one of the most brain-dead security decisions in a major piece of software in recent memory. And this decision simply has to be reversed to fix this.
Re: (Score:3)
Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed.
I know, that was simply fucking brilliant of them. I saw that and nearly fell out of my chair, it was an instant "WTF???"
Dev 1: "Hey, let's create a potential exploit hole and let's make sure that it can't be disabled!"
Dev 2: "Magnificent! Give that man a raise!"
Re: (Score:2)
It almost makes you wonder if Wordpress is actually a secret attempt to knock over web servers.
Re: (Score:2)
It almost makes you wonder if Wordpress is actually a secret attempt to knock over web servers.
Judging by the stats, it leads in that category.
I'm convinced that there is no easier way to allow a server to be nailed than to install WP with no hardening plugins, Hell, half the themes out there for it contain obfuscated code and built-in spam links.
Re: (Score:1)
while enabling xmlrpc was the most brain dead decision they made, allowing 1000s of simultaneous login attempts at a single go is probably their absolute stupidest coding mistake ever... and they've had some really, really fucked up bugs in their history.
they don't need to disable or remove the feature itself, just i dunno, learn how to fucking program, maybe.. and test the product before handing it over to a million+ equally stupid and ignorant web site owners.
if wordpress users weren't so fucking stupid (
Re: (Score:2)
You can turn off XML-RPC by setting this filter in (for example) wp-config.php:
add_filter('xmlrpc_enabled', '__return_false');
Re: (Score:1)
And this decision simply has to be reversed to fix this.
I think the decision that needs to be reversed is the decision to use Turd-press in the first place.
Why (Score:2)
Why are insane amounts of passwords permitted? Why are wrong attempt timers missing? Why are instant resubmissions permitted?
Dictionary attacks would not be feasible if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime. Dictionary attacks on my password would not be possible in my lifetime on my account, but an honest typo would be a minor delay for the legitimate user.
Multiple fails o
Re:Why (Score:5, Informative)
Why are insane amounts of passwords permitted? Why are wrong attempt timers missing? Why are instant resubmissions permitted?
Dictionary attacks would not be feasible if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime.
Wordfence lets you set this sort of gate. I have mine set to trigger on 3 wrong login attempts over the course of 3 hours, and then it locks the user out for 10 days.
No, that's not a typo. These are for sites where I'm usually the only person logging in, ever.
For sites with actual users I use 3 wrong login attempts (over the course of 3 hours), and then it locks the user out for 6 hours.
Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead and so no login attempt using it will ever succeed, it doesn't even show the form, just a blank page. Drives the bots crazy, lol.
Re: (Score:2)
Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead and so no login attempt using it will ever succeed, it doesn't even show the form, just a blank page. Drives the bots crazy, lol.
Rather than just putting in an 'exit' you might consider being more sophisticated to get better results:
* return a 404. That way, the bot knows even less. Many bots and scanners seem to look for wp-login.php before they do anything else. Returning a 200 tells the bot there's something there. return a 404 and they'll likely assume there's no wordpress there and move along.
* Add a second authentication factor via a querystring. something esoteric and non-standard like ?answer_to_ultimate_question=42. If the q
Re: (Score:2)
Re: (Score:2)
Why do they bother to try so hard? Beats me....
It's nothing personal, it's bots just mindlessly attacking or probing whatever they find.
Re: (Score:3)
Why are insane amounts of passwords permitted?
I'm just guessing here: It may be that sites which use Wordpress as a backend want to batch a bunch of requests together to reduce network connection overhead.
Re: (Score:2)
but we had a 2+ week outage once. there was a reason I left 'cloud' stuff.
Change Username From Admin (Score:5, Informative)
One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator", or something else that is easily guessable.
I have a login limiting plugin on my sites that keeps track of bad logins. Over 90% of bad login attempts use admin, the site name, or administrator. Making the admin username difficult to guess greatly decreases the chances that someone will brute force their way into your system.
Re: (Score:2)
One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator"
Good advice. Yep, mine is usually some oddball chars after "admin", i.e. "admin77YT43" or something completely unrelated (but still hard to guess).
Re: Change Username From Admin (Score:1)
Re: (Score:2)
That doesn't really help, my experience says they look for any user name that contains the text "admin" not simply the name admin
Yep, although you can prevent the discovery of usernames with plugins like Wordfence. This prevents anyone (or a bot) from iterating over the user list and seeing if there even is a user with "admin" in the name.
Later versions of WP allow you to pick something other than "admin" for the administrative user, but I still have fully upgraded versions that don't allow changing the name once it's set (which seems kind of silly/stupid to me).
I'd like a plugin that reserves the name "admin" and allows logging into
Re: (Score:1)
Re: (Score:2)
The second thing you should do is implement a 3 attempt policy followed by an IP ban.
Re: (Score:2)
Agreed. I use a plugin called Apocalypse Meow [wordpress.org] to do this, but there are a dozen others that can do the same. It's not a perfect solution (attackers can come at you from thousands of compromised computers under their control), but the more speed bumps you place in a potential hacker's way, the more likely he is to decide to skip your site and focus on an easier target. (It's the security equivalent of not needing to run faster than a bear, just faster than other people who are running away from the bear.)
How is this not severe incompetence? (Score:1)
a thousand passwords can be submitted within the scope of a single login attempt.
Can somebody explain to me how this could be the result of anything other than severe incompetence?
Re: (Score:2)
Can somebody explain to me how this could be the result of anything other than severe incompetence?
No, because that's pretty much the only explanation. You called it dead-on.
Why WordPress doesn't have this kind of login-limiting built in by default can also only be explained by sheer, utter incompetence.
What's Wordpress walling ... (Score:2)
... that's worth anybody's time to brute force?
Re: (Score:2)
... that's worth anybody's time to brute force?
Oh, there are lots of naughty things you can once you've managed to login, especially as an admin.
As an admin you can edit the Wordpress php files to add or remove anything you want. Yup, think about that for a minute. Muwahahahaha.
Re: (Score:1)
My post is an indication that I've already thought about it for at least a minute.
I took your advice and thought about it for another minute.
So here's the outcome of those two individual pauses to reflect on this:
What's Wordpress walling ... that's worth anybody's time to brute force?
Your answer ... isn't one.
Re:What's Wordpress walling ... (Score:4, Informative)
What's Wordpress walling ... that's worth anybody's time to brute force?
Your answer ... isn't one.
As I said, you can modify the WP files to include your own code: PHP, javascript, whatever, and from there you can use the platform as part of an attack or DDOS network. You could use it to attack and infect any user visiting the site.
You could store files on the server (kiddie porn, malicious code, MP3s, movies, stolen credit card numbers, social security numbers, etc) and so on. You could use it to send emails to the White House and threaten the president's life. You could set up online pill stores, a XXX-video site, etc etc. You could steal the login names and passwords of anyone who logs in.
You can also run compiled code (C, C++, etc) and more than likely escalate your privileges until you're root, at which point the server is yours for all intents and purposes. You can steal user creds and any info you like that may be there (credit card data, PIN codes, passwords, personal info, etc etc).
You could alter the DNS and email records and potentially use that to steal domains on the server. You could also impersonate any user on the server to send and receive email as them. You could alter data at will (think medical info, dosage info, diagnostic info).
All that took me about 10 seconds to come up with, and I'm sure there's much more that I could think of given a little more time. The real question is not "what can you do", but what couldn't you do? And the answer is basically nothing, there's nothing you couldn't do.
The fact that you couldn't think of any of this does not speak well of you, although it does prove that your user name is entirely accurate, "Captain Dork".
Re: (Score:1)
Your shitty answer is useless as tits on a boar hog.
It doesn't answer the question as to why in Sam Hill you'd want Wordpress access to do that stuff.
You're suggesting hacking one of the weakest interfaces on the planet that ALSO rats out your activity.
You're not making one single goddam penny.
The risk/reward is whack.
Your last line, which you bolded so everyone else but me can see it clearly (because you know I don't give a shit) clearly demonstrates your need to compensate for inability to provide
Re: (Score:2)
Your shitty answer is useless as tits on a boar hog.
Only to the mentally deficient, like you.
It doesn't answer the question as to why in Sam Hill you'd want Wordpress access to do that stuff.
Wow, you're like The Fountain Of Stupid. Why does anyone hack a server? To get its resources and/or data. Duh.
You're suggesting hacking one of the weakest interfaces on the planet that ALSO rats out your activity.
You're not making one single goddam penny.
The risk/reward is whack.
Oh, that must be why no one ever hacks Wordpress sites. You're right, it never happens, so obviously you're spot-on. Oh, wait...
Your last line, which you bolded so everyone else but me can see it clearly (because you know I don't give a shit) clearly demonstrates your need to compensate for inability to provide a valid answer.
Lol, oh look, Captain Dork is also a psychologist...what color crayon did they sign your diploma with?
Seriously, you have no idea what you're babbling about, and it's painfully obvious to everyone here but you. People hack Wordpr
Re: (Score:1)
Re: (Score:1)
Most nasty jpegs and binaries live on local hard drives as demonstrated by all the guys we've read about who got busted for child porn.
Only a noobie would hijack a Wordpress simply to get free cloud hosting where tracing access back to the point of origin is a piece of cake.
Why in Sam Hill would you store jpegs and binaries in the cloud?
Go p2p.
Re: (Score:3)
The ability to arbitrarily run code on a webserver is one.
I've seen a wordpress installation owned once. A small modification to one of the theme files included a mail relay server. It's amazing how much spam you can send out when you own a machine in a data centre somewhere vs some poor grandma's ADSL line.
Re: (Score:2)
Your idea is not a money-maker, but thanks for playing.
From what I've seen, the primary reason Wordpress installs get exploited is to install advertisements or links across every page of the site. The links are intended to boost somerandompharmacy.ru's Google pagerank, to the benefit of its owner. The advertisements generate revenue if someone clicks them. Sometimes they'll add a drive-by browser exploit to own visitors directly, who knows what they do to monetize that; ransomware, bank trojans, etc.
If you don't see any financial motive for these compromises, y
Re: (Score:2)
Do you seriously think that a hacker that broke into a site to place ads on it is going to rely on their money being delivered physically to some location that's likely to have police around it? Their money will be electronically transferred to an account in a country that looks the other way (or, at least, will look the other way for a "reasonable fee"). If the hacker is in the US, the money will transfer through a few different accounts so that the trail is difficult to follow. If the hacker is actuall
Re: (Score:2)
You don't know what Wordpress is, do you?
Re: (Score:2)
Considering that I work with WordPress on a daily basis - both on a surface level (installing plugins/themes) and on a deeper level (coding plugins and themes) - yes I do know what it is. If you hacked someone's WordPress installation, you could alter their theme to include ads or you could change content to link to sites of yours. You could also install plugins to perform actions such as e-mailing people (i.e. sending spam) or adding forms for users to fill out that collect personal information (i.e. phi
Re: (Score:2)
And yet Wordpress installations get owned all the time for the express purposes of sending spam. Go look at the wordpress forums for an account of the many different ways this has happened.
Maybe it doesn't make money. Maybe the people involved just want to watch the world burn.
Or maybe there's economics involved that incentivise people to do just this, and you haven't thought of it yet.
Re: (Score:2)
Perhaps it isn't what it is walling and what exposure it offers. I mean, there are obvious nefarious things like relaying spam and such. However, with wider and wider adoption of Wordpress in larger sites, there is lots of opportunity such as:
1. Changing affiliate links to redirect money to yourself
2. During election time, political sites seem to be potential big targets. Obviously one approach would be to do something blatant and visible, but if you wanted to be more nefarious you could make subtle chan
Re: (Score:2)
Using Wordpress sites to do anything devious is a crazy idea. It offers no masking as to who is modifying it, right? So, the risk/reward is simply not there, for any reason.
It's a nice honeypot.
That's about all Wordpress is good for.
Re: (Score:2)
Even if the attacker was stupid enough to use their own home connection (as opposed to using a bot net, VPN, or some other method of obscuring his IP address), that doesn't mean he'll be caught.
When my identity was stolen, I had to prompt the police to track down the online form that was used. We finally got the IP address used to submit the form as well as the exact date and time that it was submitted. This means we caught the criminal, right? Wrong. This IP address was in another jurisdiction and the
Re: (Score:2)
Appreciate the concept of "scale."
This is a way to compromise Wordpress.
The attack surface is not a small one, as your narrative would suggest.
Re: (Score:2)
The attack surface isn't a small one, but that doesn't mean that law enforcement will be dedicating tons of resources to catch anyone who utilizes the attack. If the compromised sites are small, law enforcement might not care enough to do anything other than fill out a police report. If the attackers are based outside the US, local law enforcement will do nothing and Federal law enforcement might not be able to touch them.
Just because a lot of sites might be compromised doesn't mean law enforcement can cl
Use wordfence or "Disable XML-RPC" (Score:4, Informative)
I highly recommend "WordFence", or if you don't want to use that, use Disable XML-RPC [philerb.com]. Both of them work to stop this kind of attack.
Wordfence [wordfence.com] is worth its weight in gold and it's a standard plugin I install whenever I have to do a Wordpress site.
It has lots of useful options and I wouldn't run a Wordpress site without it, period.
Re: (Score:2)
It's fairly simple to combat this. (Score:1)
The most effective means against distributed brute force attacks is blocking the number of attempted logins on a particular user-name per a time period. (Query rate limited by user-name, regardless of source.)
Additionally, requiring a 1 second time limit between login queries for the same user-name should combat this and other means of increasing query.
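An added example (not code from WordPress, Wordfence or any of the posters) of the per-username throttle proposed in the "Why" thread and in this post: failures are counted per username regardless of source address, the required wait doubles from 60 seconds after each failure, and a 1-second gap is enforced between attempts even when the failure count is zero. The clock is passed in as a parameter so the policy can be exercised without real waiting; the base delay and gap are the figures the posts give.

```python
class UsernameThrottle:
    """Per-username login throttle. Source IP is deliberately ignored so a
    distributed attack on one account shares a single budget."""

    def __init__(self, base_delay=60.0, min_gap=1.0):
        self.base_delay = base_delay   # wait after the first failure (seconds)
        self.min_gap = min_gap         # minimum spacing between any two attempts
        self._state = {}               # username -> (failures, last_attempt_ts)

    def required_wait(self, failures):
        """Seconds the next attempt must wait: 60, 120, 240, ... after n failures."""
        if failures == 0:
            return self.min_gap
        return max(self.min_gap, self.base_delay * 2 ** (failures - 1))

    def attempt(self, username, now, credentials_ok):
        """Apply the throttle before the password is checked.
        Returns 'throttled', 'denied' (wrong password) or 'ok'."""
        failures, last = self._state.get(username, (0, None))
        if last is not None and now - last < self.required_wait(failures):
            return "throttled"         # rejected without touching the credential store
        if credentials_ok:
            self._state[username] = (0, now)   # a successful login resets the backoff
            return "ok"
        self._state[username] = (failures + 1, now)
        return "denied"

    def years_to_exhaust(self, attempts):
        """Total enforced waiting time, in years, to make `attempts` sequential
        wrong guesses against one username (the '64 attempts' claim above)."""
        total = sum(self.required_wait(n) for n in range(1, attempts))
        return total / (365 * 86400)


if __name__ == "__main__":
    t = UsernameThrottle()
    print(t.attempt("admin", 0, False))      # denied
    print(t.attempt("admin", 30, False))     # throttled (must wait 60 s)
    print(round(t.years_to_exhaust(64)))     # far beyond a human lifetime
```

A legitimate user who mistypes once waits a minute; an attacker working through a wordlist, from however many addresses, is bounded by the doubling delay on the account itself.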