AHosting, a provider of WordPress web hosting, has released a warning in the wake of the announcement of a serious brute force amplification technique that abuses WordPress' XML-RPC interface. The technique, described by security researchers at Sucuri, leverages the XML-RPC interface to launch a difficult-to-detect brute force attack against the popular content management system.
The optimal mitigation strategy is to disable WordPress' XML-RPC functionality, according to web hosting provider AHosting. If a WordPress site or its plugins require XML-RPC, a web application firewall that inspects requests to xmlrpc.php and rejects system.multicall requests carrying multiple authentication attempts, of which several are available for WordPress, is an effective alternative. Sites with sufficiently secure authentication credentials – long, random passwords with hard-to-guess usernames – should be resistant to the attack itself, although the bundled requests still consume server resources while WordPress checks each guess.
Brute force attacks are among the simplest attacks that online criminals can use against websites. To discover valid authentication credentials, attackers attempt to log in using many different username-password combinations until they find one that works. In the case of the recently described technique, instead of targeting the WordPress login page, the attackers use automated scripts that send requests to xmlrpc.php using the XML-RPC interface's "system.multicall" method, bundling many calls to an authenticated method such as "wp.getUsersBlogs", each with a different username-password pair, into a single request.
"Brute force attacks are usually quite easy to spot and prevent. For properly secured sites they're more of an inconvenience than a security risk," said Daniel Page, Director of Business Development at web hosting provider AHosting. "But the XML-RPC vulnerability has the potential to increase the effectiveness of brute force attacks and make them more difficult to spot."
This brute force vector is particularly effective because the system.multicall method allows attackers to test hundreds of username-password combinations with each HTTP request, massively amplifying the effectiveness of the brute force process. Ordinarily, each HTTP request can attempt only one combination, so rate limiting, lockout plugins and log monitoring that count failed requests discover and block repeated login attempts with standard security tools. A single multicall request carrying hundreds of guesses sidesteps those counters: the server sees one request, and the single response tells the attacker which of the bundled pairs, if any, succeeded.
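The amplification described above, and the per-request inspection a web application firewall would need to perform to counter it, as an added example that is not part of the original warning or of any AHosting or WordPress code. It uses only Python's standard library: build_multicall constructs the kind of system.multicall body an attacker sends (with a constructed username and password list), count_credential_attempts parses an incoming body and counts how many credential checks it would trigger, and should_block applies a per-request threshold. The set of authenticating methods is an assumed, illustrative subset of WordPress's XML-RPC methods, not an exhaustive list, and the threshold of one attempt per request is an assumed policy.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# XML-RPC methods that validate a username/password pair before doing anything
# else. Assumption: an illustrative subset of WordPress's authenticated methods,
# not an exhaustive list; extend it to match what your site exposes.
AUTHENTICATING_METHODS = {
    "wp.getUsersBlogs",
    "wp.getPosts",
    "wp.getProfile",
    "wp.getUsers",
    "metaWeblog.getRecentPosts",
}


def build_single_call(method, *params):
    """Build an ordinary XML-RPC request body: one method, one set of params."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def build_multicall(username, passwords):
    """Build the body an attacker sends: one system.multicall request wrapping
    one wp.getUsersBlogs call per password guess, so that N guesses cost one
    HTTP request instead of N."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, password]}
        for password in passwords
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_credential_attempts(body):
    """Count how many credential checks a single XML-RPC request body would
    trigger. A plain authenticated call counts as 1; a system.multicall counts
    every nested authenticating call. Raises ValueError for bodies that are not
    parseable XML-RPC requests."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Fault, TypeError) as exc:
        raise ValueError("not a parseable XML-RPC request") from exc
    if method == "system.multicall":
        # Entries that are not structs are ignored here; WordPress itself
        # rejects them, so they cannot trigger a credential check.
        calls = params[0] if params else []
        return sum(
            1
            for call in calls
            if isinstance(call, dict)
            and call.get("methodName") in AUTHENTICATING_METHODS
        )
    return 1 if method in AUTHENTICATING_METHODS else 0


def should_block(body, max_attempts_per_request=1):
    """WAF-style decision (assumed policy): block any request that bundles more
    credential checks than a legitimate client sends in one HTTP request."""
    return count_credential_attempts(body) > max_attempts_per_request


if __name__ == "__main__":
    # Constructed sample input: three guesses against one account in one request.
    attack = build_multicall("admin", ["password1", "letmein", "admin2015"])
    print("attempts in multicall:", count_credential_attempts(attack))
    print("block multicall:", should_block(attack))
    normal = build_single_call("wp.getUsersBlogs", "admin", "correct horse")
    print("attempts in single call:", count_credential_attempts(normal))
    print("block single call:", should_block(normal))
```

A WAF rule built this way blocks on the shape of the request rather than on failed logins, which is the point: the per-login counters that ordinary brute force tools rely on never see the hundreds of guesses inside one multicall. For a site that genuinely needs XML-RPC, counting authenticating calls per request preserves legitimate single calls while rejecting the bundled ones.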
Web hosting provider AHosting, which is responsible for hosting hundreds of WordPress sites of all sizes, released this warning to raise awareness of the problem because, for the time being, it is unlikely to be mitigated by the usual process of updating. AHosting is a managed web hosting provider with facilities in Orlando, FL, and Detroit, MI.