The XML-RPC vulnerability has the potential to increase the effectiveness of brute force attacks and make them more difficult to spot.
Hudson, FL (PRWEB) October 21, 2015
AHosting, a leading provider of WordPress hosting, has released a warning in the wake of the announcement of a serious brute force vulnerability impacting WordPress’ XML-RPC system. The vulnerability, first revealed by security researchers at Sucuri, leverages the WordPress XML-RPC system to launch a difficult-to-discover brute force attack against the popular content management system.
The optimal mitigation strategy is to disable WordPress’ XML-RPC functionality. If a WordPress site or its plugins require XML-RPC, a web application firewall, of which several are available for WordPress, is an effective alternative. Sites with sufficiently secure authentication credentials — long, random passwords with hard-to-guess usernames — should be relatively impervious to the attack.
Brute force attacks are among the simplest attacks that online criminals can use against websites. To discover valid authentication credentials, attackers attempt to log in using many different username-password combinations until they find one that works. In the case of the recently discovered vulnerability, instead of targeting the WordPress login page, the attackers use automated scripts that make requests to WordPress via the XML-RPC system’s “system.multicall” method.
“Brute force attacks are usually quite easy to spot and prevent. For properly secured sites they’re more of an inconvenience than a security risk,” commented Daniel Page, Director of Business Development at AHosting, Inc., “But the XML-RPC vulnerability has the potential to increase the effectiveness of brute force attacks and make them more difficult to spot.”
This brute force vector is particularly effective because the system.multicall method allows attackers to test hundreds of username-password combinations with each HTTP request, massively amplifying the effectiveness of the brute force process. Ordinarily, each HTTP request can attempt only one combination, and a flood of login requests is easily discovered and blocked with standard security tools.
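To make the amplification concrete from the defender's side, the following Python is an added example (not code from AHosting, Sucuri or WordPress) of the check a web application firewall or reverse proxy can run on the raw POST body sent to xmlrpc.php: it parses the XML-RPC envelope, counts how many nested calls a system.multicall carries, and flags requests that exceed a threshold. Legitimate clients rarely bundle more than a handful of calls, so a single request with dozens of nested calls is the signature of the attack described above. The two sample request bodies, the five-call threshold and the 64 KB size cap are constructed for illustration and are assumptions, not values from the report.

```python
"""Detect XML-RPC system.multicall requests that bundle many nested calls (e.g. login attempts)."""
from collections import Counter
import xml.etree.ElementTree as ET

# Hypothetical WAF cap on the XML-RPC body; keeps the parser from chewing on huge payloads.
# Production code should parse untrusted XML with defusedxml; stdlib is used here to stay dependency-free.
MAX_BODY_BYTES = 64 * 1024


def parse_xmlrpc(body: bytes) -> dict:
    """Return the top-level method name and, for system.multicall, the list of nested calls.

    Each nested call is reported as (methodName, number_of_params).
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("request body too large")
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    nested = []
    if method == "system.multicall":
        # The single parameter of system.multicall is an array of structs,
        # each with a 'methodName' member and a 'params' member.
        for struct in root.findall("./params/param/value/array/data/value/struct"):
            name, nparams = None, 0
            for member in struct.findall("member"):
                key = (member.findtext("name") or "").strip()
                if key == "methodName":
                    # <value><string>x</string></value> is typical; bare <value>x</value> is also legal
                    name = (member.findtext("value/string") or member.findtext("value") or "").strip()
                elif key == "params":
                    nparams = len(member.findall("value/array/data/value"))
            nested.append((name or "<unknown>", nparams))
    return {"method": method, "nested": nested}


def multicall_verdict(body: bytes, max_nested_calls: int = 5) -> dict:
    """Summarise a request and decide whether it looks like an amplified brute force attempt."""
    info = parse_xmlrpc(body)
    nested = info["nested"]
    per_method = Counter(name for name, _ in nested)
    block = info["method"] == "system.multicall" and len(nested) > max_nested_calls
    return {
        "method": info["method"],
        "nested_calls": len(nested),
        "per_method": dict(per_method),
        "block": block,
    }


# Constructed sample: an ordinary single authenticated call (one credential pair per request).
SAMPLE_SINGLE = b"""<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>editor</string></value></param>
<param><value><string>correct-horse</string></value></param></params></methodCall>"""

# Constructed sample: one system.multicall carrying three nested calls, each with its own credentials.
_NESTED = b"""<value><struct>
  <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
  <member><name>params</name><value><array><data>
    <value><string>admin</string></value><value><string>guess-%d</string></value>
  </data></array></value></member>
</struct></value>"""
SAMPLE_MULTICALL = (
    b'<?xml version="1.0"?>\n<methodCall><methodName>system.multicall</methodName>\n'
    b"<params><param><value><array><data>\n"
    + b"\n".join(_NESTED % i for i in range(1, 4))
    + b"\n</data></array></value></param></params></methodCall>"
)


if __name__ == "__main__":
    for label, body in (("single", SAMPLE_SINGLE), ("multicall", SAMPLE_MULTICALL)):
        v = multicall_verdict(body, max_nested_calls=2)
        print(f"{label}: method={v['method']} nested={v['nested_calls']} block={v['block']}")
```

A WAF would typically pair this count with the normal per-IP rate limit on xmlrpc.php: the threshold stops one request from carrying hundreds of attempts, and the rate limit then makes the remaining traffic look like the ordinary login flood that existing tools already catch.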
AHosting, which is responsible for hosting hundreds of WordPress sites of all sizes, released this warning to raise awareness of the problem because, for the time being, it is unlikely to be mitigated by the usual process of updating.
AHosting is a managed web hosting provider with facilities in Orlando, FL, and Detroit, MI, owned and operated by AHosting, Inc., supplying hosting services that are truly beyond imagination. Since 2002, AHosting has established one of the web’s premier solutions for reseller web hosting, multiple IP hosting, dedicated servers, and VPS hosting. For more information, visit http://www.ahosting.net.