New WordPress Security alert

stephan2307

Free Member
Oct 5, 2015
18
7
Doncaster
Normally I charge people to make their WordPress sites safer, but I have just read an article about a new brute-force attack on WordPress sites.

In the past they were using wp-admin to guess one password after another. However, this time they are using the XML-RPC functionality, which is enabled by default. XML-RPC is a web service, which means you can use a non-WordPress application to post content etc. to WordPress.

Now one of the functions available is system.multicall. The attackers are using this function to guess not one but hundreds of passwords at the same time. I am not sure if security plugins will be able to withstand the attack or not, but I thought better safe than sorry.

I (and most people) don't use the XML-RPC feature, so I decided to block it at server level. I added the following code to my .htaccess file:

Code:
# Apache 2.2 access-control syntax; on Apache 2.4 these directives
# need mod_access_compat to be loaded. Every request for xmlrpc.php
# gets a 403, so XML-RPC clients (Jetpack, the mobile apps) stop working.
<Files "xmlrpc.php">
     Order allow,deny
     Deny from all
</Files>

If you use Jetpack or the WordPress app on your phone you might not be able to do this. Just test it and see how it works.

If you need any help or have any questions please let me know.
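The attack described in this post is easy to recognise from the request itself: a single POST to xmlrpc.php carrying a system.multicall whose array holds many authenticated sub-calls, each with a different password. The Python script below is an added example, not code from the original post or from WordPress; it parses a constructed XML-RPC body and a few constructed Apache log lines and flags the pattern. The list of credential-taking methods, the thresholds, the sample data and the function names are assumptions made for the example.

```python
"""Spot XML-RPC system.multicall password guessing on a WordPress site.
Added example for this thread, not code from the original post. Inputs are
constructed: an XML-RPC body of the kind the post describes and a few
Apache access-log lines. Method list and thresholds are assumptions."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# XML-RPC methods whose first two string params are (username, password).
# Assumption for the example: a short list, not the full WordPress API.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "metaWeblog.getUsersBlogs"}

# Apache common/combined log format: client IP, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def analyze_xmlrpc_body(body):
    """Summarise one request: is it a multicall, how many nested calls does
    it carry, and how many distinct credentials does it try?"""
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    report = {"method": method, "nested_calls": 0, "auth_calls": 0,
              "usernames": set(), "passwords": set()}
    if method != "system.multicall":
        return report
    # system.multicall takes one param: an array of {methodName, params} structs.
    data = root.find("params/param/value/array/data")
    if data is None:
        return report
    for struct in data.findall("value/struct"):
        members = {m.findtext("name"): m.find("value") for m in struct.findall("member")}
        name_el = members.get("methodName")
        if name_el is None:
            continue
        nested = (name_el.findtext("string") or "").strip()
        report["nested_calls"] += 1
        if nested in CREDENTIAL_METHODS:
            report["auth_calls"] += 1
            params_el = members.get("params")
            strings = [s.text or "" for s in params_el.iter("string")] if params_el is not None else []
            if len(strings) >= 2:  # (username, password) are the first two string params
                report["usernames"].add(strings[0])
                report["passwords"].add(strings[1])
    return report


def is_multicall_bruteforce(report, max_auth_calls=10):
    """One request carrying more than max_auth_calls logins is treated as
    guessing; no ordinary client bundles that many. Threshold is an assumption."""
    return report["method"] == "system.multicall" and report["auth_calls"] > max_auth_calls


def xmlrpc_posts_per_ip(log_lines, threshold=20):
    """Count POSTs to xmlrpc.php per client IP and return those at or above
    threshold; multicall guessing shows up in the log as a burst of such POSTs."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, verb, path, _status = m.groups()
        if verb == "POST" and path.split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_sample_multicall(n_guesses):
    """Construct a system.multicall body trying n_guesses passwords for
    'admin' via wp.getUsersBlogs. Constructed test data, not a capture."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><string>admin</string></value>"
        f"<value><string>guess{i}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for i in range(n_guesses)
    )
    return ("<methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{calls}</data></array></value></param></params>"
            "</methodCall>")


# An ordinary single-method request, for comparison (constructed).
SINGLE_CALL_BODY = (
    "<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
    "<param><value><string>editor</string></value></param>"
    "<param><value><string>correct horse</string></value></param>"
    "</params></methodCall>"
)

# Constructed access-log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2015:10:12:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 3421
203.0.113.7 - - [05/Oct/2015:10:12:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 3421
203.0.113.7 - - [05/Oct/2015:10:12:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 3421
198.51.100.4 - - [05/Oct/2015:10:12:05 +0100] "GET /index.php HTTP/1.1" 200 9120
198.51.100.4 - - [05/Oct/2015:10:12:09 +0100] "POST /xmlrpc.php HTTP/1.1" 200 512
""".splitlines()


if __name__ == "__main__":
    report = analyze_xmlrpc_body(build_sample_multicall(150))
    verdict = "BRUTE FORCE" if is_multicall_bruteforce(report) else "ok"
    print(f"{report['method']}: {report['auth_calls']} logins, "
          f"{len(report['passwords'])} distinct passwords -> {verdict}")
    print("busy xmlrpc clients:", xmlrpc_posts_per_ip(SAMPLE_LOG, threshold=3))
```

Run as-is it classifies the constructed samples; on a real site you would feed it request bodies from a logging proxy or mod_security audit log plus the access log. The log count alone cannot tell a multicall guess from a chatty Jetpack client, which is why the body check counts nested logins per request rather than requests per client; the two together give a much better signal than blocking the file outright, and they keep working for sites that need XML-RPC.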
 

fisicx

Moderator
Sep 12, 2006
46,832
8
15,465
Aldershot
www.aerin.co.uk
Or you can just make sure you have a good security plugin and lock down the server to block brute-force attacks.
 

fisicx

Moderator
Sep 12, 2006
46,832
8
15,465
Aldershot
www.aerin.co.uk
Indeed, but most of those using WordPress don't even know how to find .htaccess, so editing isn't an option. But they can install plugins.

Anyhow, your suggestion is useful so thanks for that.
 

Dan_HiHosting

Free Member
Mar 7, 2011
1,114
271
UK
www.hihosting.co.uk
@stephan2307 Thanks for this.

Well, plenty of WordPress users do access their .htaccess file, or have management where their host will do this for them.

We'll certainly look to add this as well where it works.

Most of the security plugins are seriously flawed. We've just recently been helping a client and UKBF member because Wordfence was corrupting their .htaccess file, which has been an ongoing problem with the plugin. We've also seen reports of it completely corrupting users' databases.

Typically plugin interaction has also caused the same issues with iThemes Security and BulletProof Security. iThemes has received a lot of 1-star reviews recently detailing broken sites because of an update/plugin interaction and so forth.

Manual hardening is always the best first step. Relying on plugins is a bad idea.

The tech-savvy and those that want to can do it themselves, and those that don't can just seek out a good provider that'll do it for them, or pay for management.

What do people feel is the best WordPress security plugin anyway? Wordfence is certainly the most popular but we really can't recommend it given its ongoing problems.

Dan_HiHosting

Free Member
Mar 7, 2011
1,114
271
UK
www.hihosting.co.uk
By the way, blocking xmlrpc.php will prevent JetPack from working, as well as the WordPress Mobile Apps.

We're currently trialling using manual hardening combined with JetPack's brute force protection for security.

JetPack is another topic of discussion, with its bloat and so forth, but if you install Manual Control first, you can just activate the plugins you want, and it prevents new plugins from auto activating.

It's popular for many of its plugins, so if you're using it then the hardening feature can be used in place of the bigger security plugins which have had a lot of issues.

We spoke with someone from Automattic and this is what they had to say about blocking xmlrpc.php ;):

Unfortunately, blocking XML-RPC is not a great solution for fighting security risks. It's akin to selling your car because you don't want it to be stolen.

Hope that helps some of the many WordPress users. Good to keep on top of all of this and share the knowledge.
     
Quote:
Worth noting blocking XML-RPC will break WordPress JetPack - a very popular WordPress Plugin.
Rich

That's what I posted last week, the post above yours ;)

Thanks for the plugin link though, although adding more plugins for security isn't necessarily the best way to handle this. Perhaps in this case it's a worthy compromise, however.
     

ecenica

Free Member
May 26, 2010
656
104
Leeds, United Kingdom
So you did... great minds think alike :)

And yes, the plugin is a good compromise (it's recommended by the JetPack devs).

The "Unfortunately, blocking XML-RPC is not a great solution for fighting security risks. It's akin to selling your car because you don't want it to be stolen." is a scripted response by the JetPack devs.

Another approach we've used when these types of attacks cropped up a few years ago is to deny access to everyone except the Automattic IP address range. This does change, so it is not a fire-and-forget solution.

Cheers

Rich
     