New vulnerability found in WordPress XML-RPC infrastructure

A report has surfaced on the GitHub code repository showing a rough proof of concept of a brute-force attack currently possible against the popular blogging platform WordPress.

Although most common attacks target the wp-login.php file that ships with every WordPress installation, servers and firewalls have been hardened to block them, and as a result attackers are now turning to the XML-RPC interface found in WordPress blogs.

What is XML-RPC?

It is a specification and a set of implementations that allow software running on disparate operating systems and in different environments to make procedure calls over the Internet. The remote procedure calls use HTTP as the transport and XML as the encoding.

In the context of WordPress, XML-RPC is used so that other websites can send trackbacks and pings to the blog itself. Trackbacks are a way to notify legacy blog systems that you have linked to them; if you link to a WordPress blog, it is notified automatically using pingbacks. This is helpful for those conscious of SEO scores and helps increase traffic.

There are various other uses for XML-RPC, such as the JetPack plugin and many of the WordPress iOS apps. In other words, it is a commonly used part of the system.

The issue

This particular vulnerability allows an attacker to bypass web server rate limits. Instead of sending one username with one password per request, an attacker can now send one username with 500 passwords in a single request to the xmlrpc API (application programming interface), because the attack allows a common password list to be attached to one call.

It might look something like this:

    ruby ./wpbrute-rpc.rb --url=[...] --user=[...] --count=[...] --list=[...]
    --url   The WordPress RPC endpoint.
    --user  The username you would like to bruteforce.
    --count The number of attempts per RPC request.
    --list  The path to your password dictionary.
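
One way a front-end proxy or WAF could apply a narrower control than blocking xmlrpc.php outright is to inspect each POST body and reject only requests that batch many credentialed calls into one XML-RPC system.multicall, the standard XML-RPC batching method and (an assumption here, since the article does not name the mechanism) the likely way a single request carries hundreds of passwords. The following is an added example written for this article, not code from the report or from WordPress; the request bodies are constructed samples, not captured traffic, and the list of credentialed methods is an assumption.

```python
"""Classify WordPress xmlrpc.php request bodies and flag batched credential
guessing: a system.multicall that carries more credentialed calls than policy
allows. Sample bodies below are constructed for this example."""
import xml.etree.ElementTree as ET

# XML-RPC methods that take a username/password pair as their first two
# parameters (assumed list for this example; WordPress exposes more).
CREDENTIALED_METHODS = {
    "wp.getUsersBlogs", "wp.getPosts", "wp.getCategories",
    "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs",
}

# Constructed sample: an ordinary single call with one credential pair.
SINGLE_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>editor</string></value></param>
    <param><value><string>example-pass-1</string></value></param>
  </params>
</methodCall>"""

# Constructed sample: a pingback, which carries no credentials at all.
PINGBACK = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://source.example/post</string></value></param>
    <param><value><string>http://blog.example/?p=1</string></value></param>
  </params>
</methodCall>"""

# Constructed sample: a multicall a client app might legitimately send,
# one credentialed call plus an unauthenticated helper call.
MIXED = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>editor</string></value><value><string>example-pass-1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>demo.sayHello</string></value></member>
      <member><name>params</name><value><array><data></data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

# Constructed sample: three credential pairs for one account batched into a
# single POST, the pattern the article describes (with only three guesses).
BATCHED = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>editor</string></value><value><string>guess-1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>editor</string></value><value><string>guess-2</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>editor</string></value><value><string>guess-3</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

def inspect_xmlrpc(body, max_auth_calls=1):
    """Classify one xmlrpc.php request body.

    Returns the outer method, the number of inner calls, how many of them
    carry credentials, and a verdict: "allow", "reject-malformed", or
    "reject-batched-auth" (more credentialed calls than policy permits)."""
    malformed = {"method": None, "calls": 0, "auth_calls": 0,
                 "verdict": "reject-malformed"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return malformed
    if root.tag != "methodCall":
        return malformed
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        auth = 1 if method in CREDENTIALED_METHODS else 0
        return {"method": method, "calls": 1, "auth_calls": auth, "verdict": "allow"}
    # Each inner call of a multicall is a <struct> with a "methodName" member.
    inner = []
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.iterfind("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                inner.append((member.findtext("value/string") or "").strip())
    auth = sum(1 for m in inner if m in CREDENTIALED_METHODS)
    verdict = "allow" if auth <= max_auth_calls else "reject-batched-auth"
    return {"method": method, "calls": len(inner), "auth_calls": auth, "verdict": verdict}

def response_status(verdict):
    """HTTP status a front-end proxy would return; None means pass through."""
    return {"allow": None, "reject-malformed": 400, "reject-batched-auth": 429}[verdict]

if __name__ == "__main__":
    for name, body in (("single", SINGLE_CALL), ("pingback", PINGBACK),
                       ("mixed", MIXED), ("batched", BATCHED)):
        print(name, inspect_xmlrpc(body))
```

Because the policy counts credentialed calls rather than all calls, pingbacks and ordinary client traffic (including a multicall with a single login) pass, while a request that packs many guesses into one POST is refused before it reaches PHP. In production, parse untrusted XML with a hardened parser such as defusedxml, since the standard library parser does not defend against entity-expansion attacks.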

The fix

There is no known fix coming from WordPress. Users on the WordPress forums are currently reporting that blocking access to the xmlrpc.php file through web server configuration (an .htaccess file on Apache, or nginx.conf on nginx) addresses the problem. This works because the file is no longer reachable by web clients, so it cannot be invoked, while the rest of the blog continues to function as usual.

On Apache web servers you might write something like this in the site's .htaccess file (the directives are wrapped in a Files block so that only xmlrpc.php is affected rather than the whole site; on Apache 2.4 the equivalent access-control directive is Require all denied):

    <Files xmlrpc.php>
    Order allow,deny
    Deny from all
    </Files>

As mentioned above, blocking all access to xmlrpc.php breaks some plugins' functionality, mostly JetPack. With that in mind, if you are not using JetPack or any of the other plugins that require XML-RPC, it might be a good idea to block direct access to it altogether.

Being as popular as it is, it is no surprise that WordPress is often under attack. Some 48 percent of Technorati's top 100 blogs use WordPress. This equates to 74.6 million sites using around 30,000 plugins. The wordpress.com website currently gets more traffic than Amazon, and six new posts appear on wordpress.com blogs every second.