Sucuri has released a security advisory notice of a new brute force attack against WordPress XML-RPC.
We’ve released an update to our Shield Security to easily block XML-RPC brute force login attacks.
You won't need to edit your .htaccess or write any code. With our plugin you just turn on an option that uses WordPress to disable XML-RPC login.
Read on to learn more.
How to block brute force login attacks over XML-RPC
This new option is found in v4.12.0 and above. If you haven’t already, please ensure you’re running the latest version of the plugin.
Select ‘Lockdown’ under the Shield Security menu item on the left-hand side to access the option. Then select the tab “Lockdown” and you’ll see the XML-RPC option.
Check the box to turn off XML-RPC and save the options page. You’ll now be protected against any possible XML-RPC brute force login attacks.
How to check and confirm XML-RPC functionality is disabled
There is a very simple website provided to help you confirm that your XML-RPC is disabled.
- Go to: http://xmlrpc.eritreo.it/
- Enter your WordPress site URL in the ‘Address’ field
- Click the ‘Check’ button.
You should receive a response page detailing how your XML-RPC server isn’t available.
Implications of disabling the WordPress XML-RPC system
You should be aware of what may be affected by disabling the XML-RPC system on your WordPress sites.
- Certain JetPack plugin functionality will be impacted
- The WordPress mobile apps for Android/iOS will no longer work with your site, since they communicate over the XML-RPC system
- Any other system or plugin that uses your site's XML-RPC interface to communicate with and operate your site
How we turn off the XML-RPC system
For those who would like to know the technical details, here is exactly how we turn off the XML-RPC system on your WordPress site.
As always, we never touch your .htaccess file and instead use the native WordPress filters and action hooks to change site settings. In this case, we simply use the standard WordPress filter 'xmlrpc_enabled', using the following code:
add_filter( 'xmlrpc_enabled', '__return_false', 1000 );
There are other ways to turn off XML-RPC, but we feel WordPress compatibility is the most important.
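The check above relies on a third-party website. The following script, added here as an example and not part of the Shield Security plugin, performs the same check from your own machine against a site you administer, and its classifier encodes how the 'xmlrpc_enabled' filter actually behaves in WordPress core: when the filter returns false, wp_xmlrpc_server::login() refuses every method that needs credentials with fault code 405 ("XML-RPC services are disabled on this site.") before it looks at the credentials, while methods that need no login (system.listMethods, demo.sayHello) keep answering. The probe therefore uses a login-requiring method, wp.getUsersBlogs, with constructed placeholder credentials; the probe method, the placeholder values and the sample replies are all assumptions of this example.

```python
"""Local replacement for the third-party XML-RPC checker described above.

Assumption (WordPress core behaviour since the xmlrpc_enabled filter was
introduced): when the filter returns false, wp_xmlrpc_server::login()
answers every method that needs credentials with fault code 405 before it
examines them. Methods that need no login keep answering, so the probe must
use a login-requiring method to confirm the filter is active. The placeholder
credentials and sample replies below are constructed for this example.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PROBE_METHOD = "wp.getUsersBlogs"  # passes through login(), so it hits the filter
PROBE_PARAMS = ("xmlrpc-check", "placeholder-not-a-password")  # constructed values


def build_request(method: str, params) -> bytes:
    """Serialise an XML-RPC methodCall whose parameters are all strings."""
    inner = "".join(
        f"<param><value><string>{escape(p)}</string></value></param>" for p in params
    )
    return (
        '<?xml version="1.0"?><methodCall>'
        f"<methodName>{escape(method)}</methodName><params>{inner}</params>"
        "</methodCall>"
    ).encode("utf-8")


def fault_code(root: ET.Element):
    """Return the faultCode of an XML-RPC <fault> reply, or None if it is not a fault."""
    fault = root.find("fault")
    if fault is None:
        return None
    for member in fault.iter("member"):
        if member.findtext("name") == "faultCode":
            return member.findtext("value/int") or member.findtext("value/i4")
    return None


def classify_response(http_status: int, body: bytes) -> str:
    """Map one reply to: blocked | disabled | enabled | unknown."""
    if http_status != 200:
        return "blocked"        # web server or plugin refused xmlrpc.php itself
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"        # not XML at all, e.g. a firewall challenge page
    if root.tag != "methodResponse":
        return "unknown"
    code = fault_code(root)
    if code is None:
        return "enabled"        # a normal result came back: the login path is live
    if code == "405":
        return "disabled"       # the xmlrpc_enabled filter returned false
    if code == "403":
        return "enabled"        # credentials were actually checked and rejected
    return "unknown"


def check_site(site_url: str, timeout: float = 10.0) -> str:
    """POST the probe to <site>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_request(PROBE_METHOD, PROBE_PARAMS),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())


def _fault(code: int, text: str) -> bytes:
    """Constructed reply in the shape WordPress's IXR_Error produces."""
    return (
        '<?xml version="1.0"?><methodResponse><fault><value><struct>'
        f"<member><name>faultCode</name><value><int>{code}</int></value></member>"
        f"<member><name>faultString</name><value><string>{text}</string></value></member>"
        "</struct></value></fault></methodResponse>"
    ).encode("utf-8")


SAMPLE_DISABLED = _fault(405, "XML-RPC services are disabled on this site.")
SAMPLE_ENABLED = _fault(403, "Incorrect username or password.")

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_site(sys.argv[1]))       # e.g. python xmlrpc_check.py https://example.com
    else:                                     # offline demo on the constructed replies
        print("disabled sample ->", classify_response(200, SAMPLE_DISABLED))
        print("enabled sample  ->", classify_response(200, SAMPLE_ENABLED))
```

A result of "disabled" means the filter took effect, "blocked" means something in front of WordPress (web server rule, firewall, a renamed xmlrpc.php) is refusing the endpoint outright, and "enabled" means a login-requiring call still reaches the credential check. "unknown" covers replies that are not XML-RPC at all, such as a challenge page, and deserves a look by hand.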
Note: You may already have been protected
Sucuri reports that security plugins aren’t protecting against this problem, but they’re completely wrong. Previous versions of our Shield Security already contained blocks for XML-RPC.
The Login Protection and User Management modules both contain an option to let XML-RPC bypass their protection mechanisms. This was offered for users who wanted to remain compatible with other services (as outlined above).
If you had removed the bypass option, you would already be protected today. This is a perfect example of why you should set as high a level of security as possible when you're configuring your WordPress sites.
The purpose of the new release today was to make this easier to configure for users who may not have set this before now.
Thanks Paul
Just updating WSF on all my sites and disabling XML-RPC
Keith
Great, glad you like this feature! 🙂
Thanks Paul
I've had to change the XML-RPC file name across FTP every time WordPress was updated... now it is really simple.
Thanks again
Fouad
Brilliant, well this should certainly save you a lot of time then! 😀
A sincere thanks to you Paul for updating us on this XML-RPC attack. Have turned off the setting and feel very grateful to have the Simple Firewall plugin, one cool plugin and your help to make things real easy, Thanks, Jane
My pleasure... that's our goal - to make things super easy to do, all the while keeping us all a little bit safer! Thanks for leaving your message.
I really appreciate you guys being on top of this attack with protection through the firewall so quickly!
And, maybe a stupid question, but…
As described above, I can go into the LockDown SECTION and open the Lockdown SUB-SECTION and click “Disable The XML-RPC System”.
Do I also need to have the first tab in that section, the SUB-SECTION labeled “Enable/Disable” (for the Lockdown section) checked (on) to make the “Disable The XML-RPC System” in the sub-section work?
Thanks
Hi Lynn,
Yep, you would need to enable the actual ‘Lockdown’ module for this sub-option to be applied.
Cheers!
Paul.
Thanks again, Paul!
Hi Paul,
Not sure to add this protection as I don’t know which plugins might use XML-RPC.
Unfortunately this is a call that you must make... we can only provide the options and you must then apply and test accordingly. If you do find other applications/plugins that interfere, let me know and I'll add it to the list.
Thanks.