WordPress 4.3.1 – Protecting the RPC interface against brute forcing bypassing request rate limits

Via a Tweet, I came across a brand-new, quite nifty little Proof-of-Concept WordPress brute force helper tool (nice sentence, right?): “wpbrute-rpc” on Github.

The script exploits a particular weakness that lets an attacker bypass web server rate limits: instead of sending one request per password, it sends one request carrying 500 passwords via the xmlrpc API.

IMPORTANT: I have not personally tested whether this method really works against WordPress 4.3.1 (18 Oct 2015), but it’s better to be safe than sorry. And after all, it’s always a good time to review the security state of one’s installation. So let’s disable access to the RPC interface, which is obviously not a good idea if the RPC interface is in use.

IMPORTANT: An open RPC interface is no reason for panic, provided all accounts are protected by passwords that follow modern rules. Just be sure all users have strong passwords.
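The bypass works because XML-RPC offers system.multicall, a standard method that bundles many calls into a single POST (the post above does not name it, but it is the mechanism these tools use): a limit on requests per minute counts one request, while that one request carries hundreds of password guesses. As an added example, not part of the original post and not the wpbrute-rpc tool, here is a defender-side inspection that counts the nested calls in a request body, the kind of check a WAF rule or a WordPress mu-plugin would run before the request reaches xmlrpc.php. The threshold, the placeholder method name and the builder for the constructed test input are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: how many nested calls one request may carry
# before it is treated as a credential-guessing attempt. Legitimate clients
# rarely bundle more than a handful.
MAX_NESTED_CALLS = 10


def count_multicall_calls(body):
    """Return (method_name, nested_calls) for one XML-RPC request body.

    A system.multicall request carries an array of structs, each with a
    'methodName' member; the number of those structs is the number of
    separate calls (and therefore password guesses) hidden inside a single
    HTTP request. For any other method nested_calls is 0; for unparsable
    input the method is None.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, 0
    if root.tag != "methodCall":
        return None, 0
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        return method, 0
    nested = 0
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        if any((m.findtext("name") or "").strip() == "methodName"
               for m in struct.findall("member")):
            nested += 1
    return method, nested


def should_reject(body, limit=MAX_NESTED_CALLS):
    """True when the request is a multicall bundling more calls than allowed."""
    method, nested = count_multicall_calls(body)
    return method == "system.multicall" and nested > limit


def build_multicall_body(n, method="example.method"):
    """Constructed test input: a well-formed system.multicall request with n
    nested calls of a placeholder method (not a real WordPress method)."""
    calls = "".join(
        "<value><struct>"
        f"<member><name>methodName</name><value><string>{method}</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>call-{i}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for i in range(n)
    )
    return ("<?xml version='1.0'?>"
            "<methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + calls +
            "</data></array></value></param></params></methodCall>")


if __name__ == "__main__":
    # A 500-call bundle, like the one described above, is rejected; a small
    # bundle and a plain single call pass.
    print("500 calls rejected:", should_reject(build_multicall_body(500)))
    print("2 calls rejected:  ", should_reject(build_multicall_body(2)))
```

Counting per nested call rather than per HTTP request is the point: whatever rate limit you apply (fail2ban, mod_evasive, a plug-in) should be fed this number, or the multicall method should simply be refused when your site does not need it.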


To check whether your RPC URL is accessible, type the following into your browser’s address bar:

    http://www.yourblog.tld/xmlrpc.php

Receiving…

    XML-RPC server accepts POST requests only.

…means that the RPC interface is accessible.

This 403 message is the desired response:

    Forbidden
    You don't have permission to access /xmlrpc.php on this server.
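The same check, scripted so it can be run against every site you administer, as an added example that is not part of the original post. It classifies the answer by the text quoted above rather than by status code, because the HTTP status WordPress sends with that message has varied between versions; the 403 is the blocked case. The script name, the User-Agent string and the three result labels are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request

# Body WordPress sends back for a GET on xmlrpc.php (quoted in the post above).
OPEN_MARKER = "XML-RPC server accepts POST requests only."


def classify_xmlrpc_response(status, body):
    """Classify the response to a GET of /xmlrpc.php.

    'open'    - WordPress itself answered, so the RPC interface is reachable
    'blocked' - the web server refused with 403 (the .htaccess rule is working)
    'unknown' - anything else (404 if the file was deleted, 5xx, ...)
    """
    if OPEN_MARKER in body:
        return "open"
    if status == 403:
        return "blocked"
    return "unknown"


def check_site(base_url, timeout=10):
    """Fetch <base_url>/xmlrpc.php and classify the answer.

    urllib raises HTTPError for 4xx/5xx answers; the exception object still
    carries the status code and the body, which is exactly what the 403 case
    needs, so it is handled like a normal response.
    """
    url = base_url.rstrip("/") + "/xmlrpc.php"
    request = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            status = response.status
            body = response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status = err.code
        body = err.read().decode("utf-8", "replace")
    return classify_xmlrpc_response(status, body)


if __name__ == "__main__":
    # Usage: python xmlrpc_check.py http://www.yourblog.tld [more sites ...]
    if len(sys.argv) < 2:
        sys.exit("usage: xmlrpc_check.py http://www.yourblog.tld [...]")
    for site in sys.argv[1:]:
        print(f"{site}: xmlrpc.php is {check_site(site)}")
```

Run it once before and once after changing .htaccess; the result should move from open to blocked, and only for your own sites.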


There are various ways to disable access to the RPC interface.

1) The easiest is to install a plug-in that disables access to this file. There are several options; one is “All In One WP Security” (>4.0.1) with its file system protection activated. At the time of writing, “Wordfence” (free version) did not block the request.

2) The second possibility is disabling access using the .htaccess file, if you are running WordPress on an Apache server.

The file is generally located in the WordPress root directory, and, disclaimer, you make this modification at your own risk :)

Adding the following rule should disable access:

    # Apache 2.2 access-control syntax (on Apache 2.4 it needs mod_access_compat)
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>

Be sure to test the xmlrpc.php file access and the rest of your web site.


Hereafter, an example .htaccess file. It makes no claim to be complete or to provide total security for your WordPress installation; it shows one possible set of options. Feel free to suggest additions or improvements. :)

    ## Make sure nobody gets the htaccess files:
    <Files ~ "^[\._]ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

    ## And protect various other files too:
    <Files ~ "Settings.php">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>
    <Files wp-config-sample.php>
        Order allow,deny
        Deny from all
    </Files>
    <Files readme.html>
        Order allow,deny
        Deny from all
    </Files>
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>

    ServerSignature Off
    SetEnv REGISTER_GLOBALS 0

    # Here you can explicitly block IP addresses
    Order allow,deny
    Deny from 78.154.105.23

    Allow from all
