This section explains how to prevent a brute force attack on XMLRPC.php in WordPress.
A brute force attack with XMLRPC in WordPress
XMLRPC is a feature that provides various remote control functions, such as WordPress submissions via xmlrpc.php in the top directory of WordPress.
However, this function can also be used in a brute force hacking attack to send various login passwords to see if they can be used to log in and determine the password.
For example, WPSCAN has a function that executes the function wp.getUsersBlogs via XMLRPC to find passwords that allow login.
The following is a sample code that calls this function in PHP.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://Wordpress URL/xmlrpc.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$content = array();
$params = array( 'username', 'password', $content);
$params = xmlrpc_encode_request('wp.getUsersBlogs', $params);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
$result = curl_exec($ch);
curl_close($ch);
echo ($result);
If the login ID and password are different, the output is as follows
XMLRPC is used to determine whether the login was successful or not and to determine the password by brute force.
Preventing XMLRPC Attacks
To prevent a brute force attack on XMLRPC, you can write code to disable access to xmlrpc.php in the HTACCESS file located in the top directory of WordPress.
# Block WordPress xmlrpc.php requestsorder deny,allow deny from all
You can also disable XMLRPC functionality by adding the following to your theme’s Functions.php.
Add_filter( 'xmlrpc_enabled', '__return_false' );
However, completely blocking XMLRPC may interfere with the use of WordPress applications and certain plugins.
In this case, it may be necessary to block a large number of accesses to xmlrpc.php during a specific period of time.
This function can be easily set up for free with the [Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal]. Please use it if you like.
