[Latest News] Why You Might Want to Disable XML-RPC on Your WordPress Site for Now

We all may be in danger – the Sucuri guys say.

Where by we, I mean all WordPress website owners.

This is all because of the brute force attacks that are happening right now.

Note. Brute force attacks are attempts to guess your username and password by submitting a large number of username/password combinations in a short period of time.

In short, brute force attacks can be really dangerous if you don’t have a strong password in place for your user accounts.

And various login blockers don’t seem to protect us in this case. That’s because this new vulnerability lets a single (!) HTTP request carry 500 or more login attempts.

What’s the deal exactly?

The thing is called Brute Force Amplification, and it works via WordPress’ XML-RPC mechanism. Quoting Sucuri:

“One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allows applications to pass multiple commands within one HTTP request.”

In plain English, this sort of attack slips past any “limit login attempts” filters, because from their point of view it is only a single HTTP request.

Sucuri discovered the first attacks on September 10, but the number has grown since.

How to protect your WordPress site

The easiest solution right now is to disable XML-RPC altogether.

The simplest way of doing this is to rename the default xmlrpc.php file to something else.

The bad news is that blocking this file can affect some plugins’ functionality, especially Jetpack’s, so proceed with caution.
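A narrower option, added here as an example (it is not code from this post or from Sucuri): instead of renaming the file, remove only system.multicall from WordPress’ XML-RPC method table using the core `xmlrpc_methods` filter, so one HTTP request can again carry at most one login attempt while the rest of the endpoint keeps working. The wp-content/mu-plugins location is an assumption about a standard install; whether a plugin you rely on needs system.multicall is something to check on a staging copy first.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC multicall
 * Description: Drops system.multicall from the XML-RPC method table so a
 *              single request can no longer bundle hundreds of login attempts.
 *              Added example, not the post's or Sucuri's code. Place this file
 *              in wp-content/mu-plugins/ (assumed standard layout) so it loads
 *              without activation.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// WordPress builds its XML-RPC method table in wp_xmlrpc_server::__construct()
// and passes it through the 'xmlrpc_methods' filter. Removing the
// 'system.multicall' entry means every remaining method, including the
// authenticated ones, again costs one HTTP request per call, which is what
// "limit login attempts" style plugins are able to count.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// Stricter alternative, equivalent in effect to renaming xmlrpc.php for
// login purposes: make every authenticated XML-RPC call fail before
// credentials are checked. Uncomment only if no plugin needs XML-RPC.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Afterwards a system.listMethods call to the endpoint should no longer list system.multicall, which is the quick check that the filter took effect.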

Okay, that’s it for the day’s news. Stay safe!