15
Feb

Brute Force Attacks

XMLRPC or WP-Login: Brute Force Attacks Prefer

Brute Force AttacksThis entry was posted in Research, Wordfence, WordPress Security on January 31, 2017 by Mark Maunder   54 Replies

At Wordfence we constantly analyze patterns of brute force attacks to improve the protection our firewall and malware scan provides. We recently took a closer look at brute force attack targets, specifically XMLRPC and wp-login, to gain a deeper understanding of how attackers behave.

In WordPress, there are several ways to authenticate, or sign in to, your website. The two most common ways to authenticate are using the standard login page located at wp-login.php, and by using XMLRPC.

The XMLRPC method is usually used by applications like mobile apps to authenticate before you are able to perform privileged actions on the site.

We analyzed brute force attack data over a 2 week period from January 16th until January 29th to determine which target attackers prefer to attack. Here are the results of our analysis.

Which Target Receives More Brute Force Attacks?

XMLRPC brute force attack totals

During a two week period we saw almost exactly the same number of attacks on XMLRPC as wp-login. We saw a total of 106 million attacks on wp-login compared to 108 million attacks on XMLRPC.

This result surprised me because I assumed that attackers targeting XMLRPC would be more sophisticated or perhaps creative. But on reflection it takes about the same amount of effort to write an attack script or bot that brute force attacks either target. So this makes sense.

How Many Attackers Hit Both XMLRPC and WP-Login?

XMLRPC, wp-login and both compared as attack methods

The above graph shows the number of unique IP addresses per attack target. Note that this is not the number of attacks, but number of attackers counted as unique IP addresses we saw attacking.

While XMLRPC saw slightly more attacks, wp-login saw slightly more unique attackers, as you can see from the above column chart.

We saw 11,453 attackers only targeting XMLRPC. We saw 38,771 attackers only targeting wp-login. And we saw a whopping 224,461 unique IP addresses targeting both XMLRPC and wp-login.

Clearly most brute force attacks target both XMLRPC and wp-login.

Do Attackers in Different Countries Prefer XMLRPC or WP-Login?

XMLRPC and wp-login attacks by country

We analyzed brute force attacks from the top attacking countries and saw an interesting trend. As you can see above, most of the brute force attacks come from Russia and the USA is the second most prolific attacker.

What is interesting here is that the attacks originating in Russia have a strong preference for wp-login as a target. And attacks originating in the USA have the opposite preference. They seem to mostly target XMLRPC instead.

Digging Deeper into Brute Force Attacks originating in the USA

XMLRPC and wp-login brute force attacks by ISP

As you can see the majority of the total number of attacks originating in the USA come from Amazon.com which provides cloud computing services to developers. We saw a total of over 144 million attacks over two weeks originate from Amazon.

Most of these brute force attacks were targeted at XMLRPC. What is surprising though is that they came from only 36 unique IP addresses hosted at Amazon. All but 3 of these IP addresses appear to be EC2 instances based on their reverse hostnames.

So what is happening here? I’m going to suggest two theories:

One possibility is that 36 servers at Amazon EC2 have been compromised and they have been used to launch a very rapid and wide-spread brute force attack during the past 2 weeks. That attack generated over 144 million failed login attempts across the sites we monitor.

An alternative theory is that a developer may be using EC2 to host an application that is trying to sign into WordPress websites using XMLRPC. The application may not handle bad user credentials correctly and may just keep retrying.

It may be a combination of both bad applications hosted at EC2 and compromised servers engaging in a large scale brute force attack.

Conclusion

The data in this post brings up the old debate about whether or not it’s a good idea to hide your login page. Unless you hide every login method on your site, attackers will still be able to brute force your website.

If you disable or move XMLRPC, you risk breaking various applications, including mobile applications, that rely on XMLRPC to do their job.

If you hide or move your login page, you are going to inconvenience or confuse your users, and XMLRPC is still an attack vector.

Other authentication methods will soon become available in WordPress via, for example, the WP REST API. These will also be exploited by attackers.

So the action we recommend is that you use a security product like Wordfence to intelligently block brute force attacks, no matter what they target. Wordfence counts brute force attacks across all authentication methods and blocks attackers if they violate security policy.

Wordfence can also help you enforce strong passwords and audit your passwords for strength.

We also track brute force attacks across all the sites we protect and take earlier blocking action against known bad IP addresses that have attacked other websites.

As always I welcome your comments below and I’ll be around to join the discussion.

Mark Maunder – Wordfence Founder/CEO

Special thanks to Dan Moen who produced much of the data used in this post and to assistance from our team in analyzing the data.