A brute-force attack is one in which the attacker tries to guess your login credentials. These attacks are almost always automated. Not long ago I woke up one morning to see that there had been ten thousand brute-force attacks against just one of my blogs overnight.
Traditionally, brute-force attacks are easily detectable. Most security-related plugins can detect and log every login attempt. Several security-related plugins can even be configured to block the IP address of an attacker after a certain number of failed attempts.
In the past few weeks however, a new tactic relying upon WordPress' XML-RPC function has surfaced. The new attack is highly efficient and allows the attacker to try hundreds of password in a single request. The details of this attack can be found in a blog post written by Sucuri.net:
Time to Adjust Our Tactics
My personal opinion is that for a piece of software with as big a bullseye on it as WordPress, XML-RPC should be a big No-No. Older versions of Wordpress contained a setting that allowed you to turn XML-RPC off, but no more.
This problem is exacerbated by the fact that the most popular WordPress security plugin (Wordfence) no longer has the ability to disable XML-RPC.
UPDATE: Wordfence has published a blog post in which they say they DO protect against these attacks.
If you are using Sucucri.net's Cloud Proxy Firewall then don't worry - You are protected against these attacks.
If however you are using Wordfence or some other security plugin that cannot disable XML-RPC then you should install one of the WordPress plugins designed specifically for this purpose. we are using Disable-XML-RPC.
Unfortunately, disabling XML-RPC can break things:
- WordPress.com's JetPack plugin using XML-RPC
- iPhone/iPad/Android apps for posting to your blog use XML-RPC
I'm sure there are other applications that use WordPress' XML-RPC facility as well. Frankly, I believe this problem is sufficiently serious that I recommend turning off XML-RPC anyway and stop using these XML-RPC-dependent apps and plugins.