XML-RPC brute force amplification attack Cure

This plugin mitigates the risks associate with the XML-RPC amplification brute force attack that was reported by sucuri.

In a nutshell, the attack utilizes a fault in the definition of the part of the XML-RPC protocol that lets a client aggregate several requests into one (the multicall method). Instead of having one authentication for the whole request it assume that each “sub request”will carry the authentication information required just for that specific operation. This allows for a brute force attacker to instead of sending one request at a time with user and password, to send tens or even more request with different sets of user/password combination, reducing the time needed to check them by a factor.

The solution is actually very simple, do not let an XML-RPC session authenticate more than one user. Once one authentication was carried out, successful or not, any additional authentication will be denied.

Are there any possible bad side affect to using the plugin? I assume that while it does violate the protocol, there are no real life tools utilizing the protocol that are trying to send one request that contains operations that need to be performed in the context of two different users. Most tools that utilize the XML-RPC protocol in the wordpress world are remote publishing apps like the windows live writer, or the wordpress android and iphone apps, which work against only one user at a time.


Works with WordPress versions 3.5 or later.

Can be used in a network as a network activated plugin or dropped in mu-pluggins.


Leave a Reply

Your email address will not be published. Required fields are marked *

Comment policy

We are not going to share your e-mail with anyone else, but we might send you answers to your questions directly to your email.