Security Advisory: Brute Force Amplification Attacks Against WordPress
Attackers are exploiting one of the hidden features of XML-RPC: the system.multicall method, which lets a single POST request carry many method calls, and so many Brute Force attempts. Instead of targeting wp-login.php directly, the attacker circumvents the usual login path by targeting methods within the very popular XML-RPC interface. This amplifies the Brute Force attempts by orders of magnitude and disguises them in a way that makes them very difficult to identify and mitigate. By leveraging system.multicall within XML-RPC, the attacker is able to hide hundreds or thousands of password guesses inside a single HTTP or HTTPS request. If you can't block XML-RPC, we advise you to use a Web Application Firewall (WAF) and verify it can strip requests targeting the system.multicall method.
This email does not mean you are affected!
Being proactive in the protection of your site is one of the most important aspects of having a solid security posture. Therefore, we feel it's important to research and report on all potential threats as quickly as possible.
Why this attack matters: none of the security plugins designed to stop Brute Force attacks are blocking it. We cannot stress enough the importance of good access control management, such as the creation and management of strong passwords.
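The WAF check recommended above, as an added example (not code from the advisory's authors or from WordPress): it parses an XML-RPC request body, flags any top-level system.multicall, and counts how many calls it bundles so the amplification is visible in logs. The sample requests are constructed here; the inner method name wp.getUsersBlogs is an assumption, since the advisory does not name which method the attacker bundles.

```python
import xmlrpc.client

# Constructed sample: one system.multicall bundling many guesses against one
# account. The inner method name is assumed; the detector does not depend on it.
ATTACK_CALLS = [
    {"methodName": "wp.getUsersBlogs", "params": ["admin", f"guess-{i}"]}
    for i in range(20)
]
MULTICALL_BODY = xmlrpc.client.dumps((ATTACK_CALLS,), methodname="system.multicall")

# Constructed sample: an ordinary single call, the shape a normal client sends.
SINGLE_BODY = xmlrpc.client.dumps(("admin", "hunter2"), methodname="wp.getUsersBlogs")


def analyse_request(body: str) -> dict:
    """Parse an XML-RPC request body and report the top-level method, whether it
    is system.multicall, and how many calls are bundled inside it."""
    params, method = xmlrpc.client.loads(body)
    info = {"method": method, "multicall": False, "bundled": 1, "inner_methods": []}
    if method == "system.multicall" and params and isinstance(params[0], list):
        calls = params[0]
        info["multicall"] = True
        info["bundled"] = len(calls)  # one HTTP request, this many attempts
        info["inner_methods"] = sorted(
            {c.get("methodName", "?") for c in calls if isinstance(c, dict)}
        )
    return info


def should_block(body: str) -> bool:
    """WAF-style rule matching the advisory's advice: drop any request whose
    top-level method is system.multicall, whatever it bundles. Bodies that are
    not valid XML-RPC are passed through for WordPress's own parser to reject."""
    try:
        return analyse_request(body)["multicall"]
    except Exception:
        return False


if __name__ == "__main__":
    for label, body in (("multicall", MULTICALL_BODY), ("single", SINGLE_BODY)):
        info = analyse_request(body)
        print(f"{label}: method={info['method']} bundled={info['bundled']} "
              f"inner={info['inner_methods']} block={should_block(body)}")
```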