Online security company Sucuri has reported a recent and rising cluster of brute force amplification (BFA) attacks against sites that use the WordPress content management system, which powers 58.7% of all CMS-based websites and 24% of all websites of any kind. BFA attacks put a new spin on traditional brute force attacks by wrapping multiple login attempts inside a single request to the site's XML-RPC interface, so that one dictionary-guessed login request carries many password guesses at once.
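The amplification is possible because the XML-RPC specification's `system.multicall` method lets one HTTP request carry many method calls. A defender can therefore inspect the request body and the access log rather than only counting HTTP requests. The following Python is an added example, not code from Sucuri, WordFence or WordPress: it parses an XML-RPC body, counts the calls nested inside a multicall, and separately scans combined-format access log lines for bursts of POSTs to `/xmlrpc.php`. The thresholds, the IP addresses and the log lines are constructed assumptions chosen for the example, not WordPress defaults.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Hypothetical policy thresholds (assumptions for this example, not WordPress defaults).
MAX_CALLS_PER_MULTICALL = 3   # more nested calls than this is treated as amplification
XMLRPC_BURST_THRESHOLD = 20   # POSTs to /xmlrpc.php from one IP in the sampled log window


def count_method_calls(body: str):
    """Return (top_level_method, list_of_called_methods) for an XML-RPC request body.

    A plain call yields a one-element list; a system.multicall yields the
    methodName of every nested call found in its <struct> entries.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    top = (root.findtext("methodName") or "").strip()
    if top != "system.multicall":
        return top, [top]
    nested = []
    # Each nested call is a <struct> with a member named "methodName".
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                nested.append((member.findtext("value/string") or "").strip())
    return top, nested


def classify_request(body: str):
    """Decide allow/block for one XML-RPC body based on how many calls it carries."""
    top, nested = count_method_calls(body)
    if top == "system.multicall" and len(nested) > MAX_CALLS_PER_MULTICALL:
        return "block", top, len(nested)
    return "allow", top, len(nested)


def flag_xmlrpc_bursts(log_lines, threshold=XMLRPC_BURST_THRESHOLD):
    """Return {ip: count} for IPs that POSTed to /xmlrpc.php at least `threshold` times.

    Expects combined log format: ip - - [ts] "METHOD path proto" status size ...
    """
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, method, path = parts[0], parts[5].lstrip('"'), parts[6]
        if method == "POST" and path.split("?")[0] == "/xmlrpc.php":
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# --- Constructed sample inputs (test data only, not real traffic) ---

def _multicall_body(n_calls: int) -> str:
    """Build a constructed system.multicall body with n_calls nested wp.getUsersBlogs calls."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><string>someuser</string></value>"
        f"<value><string>guess-{i}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for i in range(n_calls)
    )
    return (
        "<methodCall><methodName>system.multicall</methodName>"
        f"<params><param><value><array><data>{calls}</data></array></value></param></params>"
        "</methodCall>"
    )


SAMPLE_SINGLE = (
    "<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
    "<param><value><string>someuser</string></value></param>"
    "<param><value><string>secret</string></value></param>"
    "</params></methodCall>"
)
SAMPLE_MULTICALL = _multicall_body(5)

# 25 POSTs from one constructed address (TEST-NET range) and 2 from another.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2015:12:00:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for i in range(25)
] + [
    '198.51.100.2 - - [10/Oct/2015:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.2 - - [10/Oct/2015:12:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1420',
]

if __name__ == "__main__":
    print(classify_request(SAMPLE_SINGLE))      # ('allow', 'wp.getUsersBlogs', 1)
    print(classify_request(SAMPLE_MULTICALL))   # ('block', 'system.multicall', 5)
    print(flag_xmlrpc_bursts(SAMPLE_LOG))       # {'203.0.113.7': 25}
```

The body check catches the amplification itself, because a legitimate mobile or desktop client rarely needs more than a handful of calls per multicall, while the log scan catches the older, one-guess-per-request pattern that the body check would allow.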
Another WordPress security company, WordFence, has just published an article on the pros and cons of disabling XML-RPC on your WordPress site.
XML-RPC on WordPress is actually an API, or "application programming interface". It gives developers who make mobile apps, desktop apps and other services a way to talk to your WordPress site. The XML-RPC API that WordPress provides lets developers write applications, on your behalf, that can do many of the things you can do when logged into WordPress via the web interface. These include:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments