Security Update: now blocking XML-RPC

October 10, 2015 GB

Due to recent developments in brute-force hacking attempts using WordPress XML-RPC, we have implemented a new security measure to protect our customers.

The Sucuri Security blog post, Brute Force Amplification Attacks Against WordPress XMLRPC, explains this issue very well, so we urge you to have a read if you would like to know more about this.

Some background: What is XML-RPC

WordPress includes a feature called XML-RPC (XML Remote Procedure Call), an open standard (i.e. not specific to WordPress) that allows remote systems and applications to communicate and interact with your site. One of the most common uses of WordPress’ XML-RPC feature is the JetPack plugin. The WordPress mobile apps also use XML-RPC to communicate with your site. There are other apps and services that also leverage WordPress XML-RPC, but they’re relatively uncommon.

XML-RPC Brute-Force Amplification Attacks

Unfortunately, there are some nasty people out there who would like to hack your site, and XML-RPC is just one avenue that they frequently try to exploit. This is not new; XML-RPC attacks have been around for quite some time. What is new is the huge increase in the volume of XML-RPC attacks and also a new method they are using, hence the term “amplification”. Unlike a regular DOS (Denial Of Service) attack, where many requests are sent to the server, each trying a new username / password combination, these new XML-RPC attacks can include 100s (or even 1000s!) of username / password attempts in a single request to your site. Ouch.

Over the last several days, WP NET’s servers have been increasingly targeted with exactly these kinds of attacks.
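The bundling described above uses the standard XML-RPC system.multicall method, which lets one request carry many nested calls. The following is an added example (not WP NET’s firewall code) of how a WAF or middleware could inspect a POST body to xmlrpc.php and reject requests that bundle more calls than a legitimate client would send; the sample bodies, placeholder credentials and the threshold are assumptions for illustration.

```python
"""Inspect a WordPress XML-RPC POST body and flag brute-force amplification:
many credential-bearing calls packed into one system.multicall request.
Assumes the body has already been read from the request (e.g. by a WAF
or WSGI middleware); only the inspection logic is shown here."""
import xml.etree.ElementTree as ET

def nested_methods(body: str) -> list[str]:
    """Return the methodNames bundled inside a system.multicall body.
    A single-call request returns an empty list."""
    root = ET.fromstring(body)
    if (root.findtext("methodName") or "").strip() != "system.multicall":
        return []
    names = []
    # Each bundled call is a <struct> with a 'methodName' member.
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                names.append((member.findtext("value/string") or "").strip())
    return names

def should_block(body: str, max_calls: int = 1) -> bool:
    """Block when a multicall bundles more calls than a legitimate client
    would send in one request; the threshold is a local policy choice."""
    try:
        return len(nested_methods(body)) > max_calls
    except ET.ParseError:
        return True  # malformed XML-RPC is not a legitimate client

# Constructed sample bodies for local testing (placeholder credentials).
MULTICALL_BODY = """<?xml version="1.0"?><methodCall>
<methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value>
<value><string>guess-1</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value>
<value><string>guess-2</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""

SINGLE_BODY = """<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>admin</string></value></param>
<param><value><string>placeholder</string></value></param></params></methodCall>"""

if __name__ == "__main__":
    for label, body in (("multicall", MULTICALL_BODY), ("single", SINGLE_BODY)):
        print(label, nested_methods(body), "block" if should_block(body) else "allow")
```

Logging the blocked request’s source IP alongside the nested-call count gives the evidence needed to feed an IP-level firewall rule like the one described below.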

Our Response

Here at WP NET we have been carefully researching this issue and following developments, and — unfortunately — these malicious users have forced our hand. So — effective immediately — we have implemented new firewall rules that will block any IP address that attempts to access WordPress’ XML-RPC.

A few things to note:

  1. JetPack should still be able to connect to your site, but please do let us know if you experience any issues. Whilst we can’t promise that all JetPack features will work, we hope that most functions will continue to work as expected.
  2. If the nature of these attacks changes over time, we may need to completely block JetPack.
  3. The WordPress mobile apps will not be able to connect to your sites.
  4. Many WP NET customers already have XML-RPC disabled by way of a WordPress plugin (most commonly, the iThemes Security plugin) or .htaccess rules. These will not interfere with our firewall rules (or vice versa). We recommend that you leave any measures you already have in place as they are.

While this is not a 100% perfect solution, and it does come with some drawbacks, we feel that it is necessary to do this (at least temporarily) to ensure the continued smooth operation of our servers and to protect our users and hosting systems from possible compromise.

If you are a WP NET customer and you have any questions or concerns regarding this, please do not hesitate to contact WP NET Support.