Dealing with xml-rpc Attacks or Has Abdull Karem Visited Your Website?
How do hackers get into your website?
One of the most common forms of attack on any website is simply to brute-force it and try to guess your password. Someone could do this by hand, or they could write a piece of code that attempts to log in to your site over and over, trying hundreds of different passwords. Using software to force their way in is very obvious, though: the attempts show up in your site's logs as many hundreds of login requests. But what if they could make a single visit and test several hundred possible passwords within that one visit? Would you notice a single visit in your analytics, or even 20, 50 or 100?
One of the features of the PHP XML-RPC interface (xmlrpc.php in WordPress) is the system.multicall method, which lets a client bundle many actions into a single request. Being able to issue multiple commands in one HTTP request can be very useful for your site, but it is also something attackers can turn to their advantage. While most attackers would simply target your wp-login.php, they are now leveraging system.multicall to make many hundreds of different password guesses in just one HTTP request, which you may never notice. So XML-RPC attack methods could see your site subjected to literally thousands of password attempts with just a few requests.
Stopping normal brute force attacks on your site
Most brute-force attacks arrive as many hundreds of visits from specific IP addresses or address ranges, and may even carry easily identifiable text such as "AbdullKareem", which seems to feature heavily in the visits that many WordPress sites have been receiving. Once you have spotted a repeating pattern you can block these bots through your .htaccess file, or, if you are not up to editing that file, you can use the WP-Ban plugin, which lets you deny access to your site from specific addresses and IP ranges.
Preventing XML-RPC attack
While you could use the above method to block whoever is behind an XML-RPC attack, you will not always notice that you are under attack, because the number of visits it generates is very low. So you could already be hacked before you have any idea that someone was trying to get in.
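Because a multicall attack hides hundreds of guesses behind one request, the place to look is the request body rather than the visit count. The following is an added example, not code from the original post or from WordPress: it parses an xmlrpc.php POST body, counts how many of the bundled calls carry a username and password, and flags a request that tests more than one password. The list of credential-bearing methods and the thresholds are assumptions for the example, and the sample request is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# WordPress XML-RPC methods whose leading params include (username, password),
# mapped to the index of the password argument. Illustrative subset assumed
# for this example; extend it to match the methods your site exposes.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": 1,  # (username, password)
    "wp.getProfile": 2,     # (blog_id, username, password)
    "wp.getOptions": 2,
    "wp.getPosts": 2,
}


@dataclass
class MulticallSummary:
    method: str             # outer method name of the request
    inner_calls: int        # number of calls bundled in the request
    credential_calls: int   # how many of them carry a username/password
    distinct_passwords: int # how many different passwords were tried


def _scalar_text(value_el: ET.Element) -> str:
    """Text of an XML-RPC <value>, whether typed (<string>x</string>) or bare (x)."""
    child = next(iter(value_el), None)
    return ((child.text if child is not None else value_el.text) or "").strip()


def _members(struct_el: ET.Element) -> dict:
    """Map a <struct>'s member names to their <value> elements."""
    return {m.findtext("name"): m.find("value") for m in struct_el.findall("member")}


def summarize_request(body: str) -> MulticallSummary:
    """Parse one xmlrpc.php POST body and count the credential checks inside it."""
    # For untrusted input in production, parse with defusedxml instead, which
    # rejects entity-expansion payloads the standard parser may accept.
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    outer = root.findtext("methodName", default="")
    if outer != "system.multicall":
        return MulticallSummary(outer, 1, int(outer in CREDENTIAL_METHODS), 0)

    inner_calls = credential_calls = 0
    passwords = set()
    # system.multicall takes one array of {methodName, params} structs.
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        inner_calls += 1
        members = _members(struct)
        name_el = members.get("methodName")
        name = _scalar_text(name_el) if name_el is not None else ""
        if name not in CREDENTIAL_METHODS:
            continue
        credential_calls += 1
        params = members.get("params")
        args = params.findall("./array/data/value") if params is not None else []
        idx = CREDENTIAL_METHODS[name]
        if len(args) > idx:
            passwords.add(_scalar_text(args[idx]))
    return MulticallSummary(outer, inner_calls, credential_calls, len(passwords))


def is_suspicious(summary: MulticallSummary, max_credential_calls: int = 3) -> bool:
    """A normal client never tries several passwords in one request; many
    credential-bearing calls in one multicall are also worth a closer look."""
    return summary.distinct_passwords > 1 or summary.credential_calls > max_credential_calls


# Constructed sample: three guesses against the same account plus one
# harmless call, all inside a single system.multicall request.
SAMPLE_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess-one</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value>admin</value><value>guess-two</value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getProfile</string></value></member>
      <member><name>params</name><value><array><data>
        <value><int>1</int></value><value><string>admin</string></value><value><string>guess-three</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>system.listMethods</string></value></member>
      <member><name>params</name><value><array><data></data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    summary = summarize_request(SAMPLE_BODY)
    print(summary, "suspicious:", is_suspicious(summary))
```

Run at the web-server or WAF layer, a check like this lets you log or reject the request before WordPress ever processes the bundled logins, which is what closes the gap the single-visit attack relies on.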
It is possible to put a blanket ban on access to your XML-RPC endpoint through your .htaccess file; however, plugins and other tools such as Jetpack need XML-RPC, and blocking it will stop them working. If you are not using Jetpack or any other plugin that requires XML-RPC access, then this is by far the best way to protect yourself from attacks through this PHP vulnerability.
There is now, however, a plugin called "Stop XML-RPC attack" that blocks access to your xmlrpc.php file through .htaccess but still lets Jetpack work normally. We've also prepared some tips you might want to follow to secure your PHP version.
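As an added example, not taken from the post or from any plugin, this is what the blanket ban looks like in .htaccess for Apache 2.4, followed by the allowlist variant you would use if a plugin still needs the endpoint. The address range in the second block is a placeholder: replace it with the ranges your plugin's vendor publishes.

```apache
# Blanket ban: refuse every request for xmlrpc.php.
# (Apache 2.2 uses "Order Deny,Allow" and "Deny from all" instead.)
<Files "xmlrpc.php">
    Require all denied
</Files>

# Allowlist variant: only the listed range may reach xmlrpc.php,
# everyone else is denied. 192.0.2.0/24 is a placeholder range.
# <Files "xmlrpc.php">
#     Require ip 192.0.2.0/24
# </Files>
```

Only one of the two blocks should be active at a time. After changing .htaccess, request xmlrpc.php from an outside address and confirm you get a 403 rather than the usual "XML-RPC server accepts POST requests only" page.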