• Resolved Rob Cubbon

    (@robcub)


    It says on your blog that brute forcing xmlrpc.php attacks “are completely ineffective if you’re using Wordfence because we simply block the attacker after they reach the login attempt limit”.

    However, it may be possible for attackers to leverage the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request on xmlrpc.php. Is that true? In which case, the limit to login attempts may not be as effective.

    Does your plugin block system.multicall requests to xmlrpc.php?

    I don’t use Jetpack or anything that uses xmlrpc.php – do you recommend users such as myself to block access to xmlrpc.php in the .htaccess?

Viewing 1 replies (of 1 total)
  • Hi @robcub,

    Yes, Wordfence does protect against multiple attempts via a single XML-RPC call. This post on our blog discusses the XML-RPC Brute Force Attacks with multiple logins.

    Please note that for this to work, the login security option must be enabled.


The topic ‘Brute forcing xmlrpc.php’ is closed to new replies.
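
How a login-attempt limit can account for the system.multicall batching raised in the question, as an added example that is not part of the original thread and is not Wordfence's code: each sub-call in a batch is charged as its own attempt. The limits `MAX_BODY`, `LOGIN_LIMIT` and `MAX_DEPTH`, the function names, and the placeholder method `example.login` are assumptions made for this sketch.

```python
import xmlrpc.client
from collections import Counter

MAX_BODY = 256 * 1024  # assumed request-size cap
LOGIN_LIMIT = 5        # assumed attempts allowed per client
MAX_DEPTH = 3          # assumed cap on nested multicalls

def _count(method, params, depth=0):
    """One attempt per call; a multicall is charged per sub-call."""
    if method != "system.multicall":
        return 1
    if depth >= MAX_DEPTH:
        raise ValueError("multicall nested too deeply")
    ok = isinstance(params, (list, tuple)) and params
    calls = params[0] if ok and isinstance(params[0], list) else []
    total = 0
    for call in calls:
        if isinstance(call, dict):
            total += _count(call.get("methodName"),
                            call.get("params") or [], depth + 1)
        else:
            total += 1  # a malformed entry is still charged
    return max(total, 1)

def count_attempts(body: bytes) -> int:
    """Number of attempts carried by one XML-RPC request body."""
    # Refuse DTDs and huge bodies before parsing untrusted XML.
    if len(body) > MAX_BODY or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("oversized or DTD-bearing body")
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # any parser failure on untrusted input
        raise ValueError("not a parsable XML-RPC call") from exc
    return _count(method, params)

def allow(client: str, body: bytes, seen: Counter) -> bool:
    """Charge every attempt in the request against the client's limit."""
    try:
        seen[client] += count_attempts(body)
    except ValueError:
        return False  # fail closed on bodies that cannot be accounted for
    return seen[client] <= LOGIN_LIMIT

# Constructed samples; "example.login" and the credentials are placeholders.
SINGLE = xmlrpc.client.dumps(("user", "guess-0"), "example.login").encode()
BATCH = xmlrpc.client.dumps(
    ([{"methodName": "example.login", "params": ["user", f"guess-{i}"]}
      for i in range(200)],), "system.multicall").encode()
```

A limiter that counts HTTP requests would see `BATCH` as a single attempt; counting sub-calls puts it over the limit on the first request.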