Potential WordPress login Exploit (via XML-RPC)
|This post has been submitted by Webcomics.com member JJ Sandee, creator of Cult of Bob.|
A recent exploit for WordPress has been going around that you should at the very least be aware of. Now it’s not an exploit in the sense that someone can gain access to your website through some backdoor, it’s more that because of the way a part of WordPress is built, doing a brute force is made easier.
The short version: If you have a plugin that limits repeated logins, you’re pretty much safe.
Read on to understand the details.
Brute Force Attack
A brute force attack means that someone just keeps trying username and password combinations until they gain access. Since we’re dealing with computers this means this can be automated. Which is always the case. Automated scripts will simply constantly attempt to log in to your website until they’re logged in.
The XML-RPC protocol is basically a system that is part of WordPress that allows editing content on the site without using the normal admin. Examples of this are the Mobile App, and certain other tools that let your edit content. There are plugins that use this system to read and write data for both convenience and security, since it requires logging in to get at the data.
The basis of the exploit
The basic idea of the exploit is that XML-RPC allows multiple concurrent logins at once. The attack sends WordPress multiple names and passwords to try and log in. This is far more efficient than constantly reloading the login page. These scripts will either use commonly used usernames and passwords, or go through a list of farmed logins and passwords. Depending on what is available.
Unless you are a very high profile website, the primary reason to hack your site is to infect it with malware with the express purpose of further infecting other computers. These infected computers will then go on the hack or infect other computers. The general term for this is a Botnet (network of robots) and they tend to run entirely automated once started.
One way is to turn off XML-RPC but this can break your site as various plugins might rely on it. A better method, and this has already been discussed in previous security related posts, is to limit the number of logins using a plugin such as Wordfence. (note: I am not affiliated with this plugin, merely pointing it out as being good) The login function goes through the same system regardless of using XML-RPC or the login page. So any limiter will block multiple login attempts.
Because WordPress is used so widely, it’s a popular target to spread malware. Stuff like this will pop up regularly, but because it has such a large community, updates are quickly released to combat these issues. It’s important to be vigilant of updates, and potential threats as they pop up.