We will explain the method of brute force attack that tries to break through the administrator’s password through XMLRPC.php in WordPress and how to prevent it.

What is XMLRPC and how is XMLRPC used for brute force attacks?

XMLRPC provides a mechanism to update a site from a program by sending data such as post data directly to WordPress.

Such functions require WordPress authentication (login), so IDs and passwords must also be sent in order to use the functions.
If the ID and password submitted via XMLRPC do not match, WordPress will return an error.
Conversely, if a brute force hacker sends the ID and password to XMLRPC and no error is returned, it can be determined that it is the correct ID and password, and can be used in a brute force attack.

The code below is a sample of code that sends IDs and passwords to XMLRPC.
*Some of the code has been withheld due to the possibility of misuse. Please understand this.

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://wordpress URL/xmlrpc.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$content = array();
$params = array( 'userID', 'password', $content);
$params =*****;
*****;
$result = curl_exec($ch);
curl_close($ch);
echo ($result);

If the ‘user id’ and ‘password’ do not match, wordpress will return a response similar to the following

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>403</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Incorrect user name or password.</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

If the ID password matches, wordpress will return the following data.

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><struct>
  <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
  <member><name>url</name><value><string>http://wordpress URL/</string></value></member>
  <member><name>blogid</name><value><string>1</string></value></member>
  <member><name>blogName</name><value><string>Site name</string></value></member>
  <member><name>xmlrpc</name><value><string>http://wordpress URL/xmlrpc.php</string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

This difference makes it possible to mechanically determine if the ID and password match.

How to prevent brute force attacks by XMLRPC?

To completely stop XMLRPC.php, put the following in your theme’s functions.php

add_filter( 'xmlrpc_enabled', '__return_false' );

However, since XMLRPC is currently used by various plug-ins, it is not recommended to completely disable XMLRPC, as it may cause problems with the site.

There are security plug-ins that can prevent XMLRPC brute force attacks only.
Such plug-ins can also prevent XMLRPC brute force attacks.

Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

All-In-One Security (AIOS) – Security and Firewall

Related Posts:

  1. How to prevent a brute force attack on XMLRPC.php in WordPress
    This section explains how to prevent a brute force attack on XMLRPC.php in WordPress....
  2. What is a brute force attack, a brute force attempt to try and break through a WordPress user’s password?
    This section describes a brute force attack that tries and breaks through WordPress users’ passwords by brute force and how to deal with it....
  3. What is xmlrpc.php in WordPress, XMLRPC security and whether to stop using it
    WordPress includes a program called xmlrpc.php to control WordPress from the outside. In this article, I would like to write about this file and its security....
  4. Can converting a WordPress site to SSL (HTTPS) prevent hacking?
    We will explain whether or not hacking (tampering and malware infection) can be prevented if you convert your WordPress site to SSL (HTTPS)....
  5. Log-in-related security measures alone are not enough to prevent WordPress hacking
    We understand that many sites have installed various security plug-ins to prevent WordPress hacking, but some plug-ins are specialized for the login screen only. These plug-ins do not provide much protection against WordPress hacking. We will explain why....
  6. How to prevent hijacking of WordPress admin rights
    WordPress has been increasingly hijacked by hackers, resulting in loss of access to the site, becoming a stepping stone for spam mails, or being redirected to another overseas site. In this article, we will explain how to prevent WordPress hijackers from taking over your WordPress site by seizing administrator privileges. How do hackers take over WordPress? Once the administrator privileges...