wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability

After the holiday weekend, one of the larger sites I manage had a brute force attack on it. The attacker was attempting to use the wp.getUsersBlogs function and a list of popular usernames and passwords. A quick bit of research shows me that after a successful attempt this function will return whether or not the user is an admin.

I use the IP Blacklist Cloud Plugin as part of my security so it logged the attack, but because this attack method doesn’t use the normal login method no actual blacklisting happens. Which isn’t likely to help anyway, because after every single attempt the attacker used a new IP (totaling over 15000 IPs so far)(20,000+ for a second attack).

I did find a plugin that completely disables the XML-RPC (API), but I’m not sure that won’t cause other problems. This is a live website for a local municipality, so I cannot afford to experiment very much.

here is an example of what got logged in IP Blacklist Cloud:

“1.0” encoding=”iso-8859-1″?>wp.getUsersBlogsusernamepassword

Where usernamepassword will be replaced by something from a giant list of popular usernames and passwords.

The attack seems to be gaining popularity, so I hope that spawns some more solutions.

Update 20140728:

One more site of mine played victim to this attack over the weekend. So far strong passwords have kept me safe, but others may not be so lucky. I am trying the above mentioned solution as it seems to be the best one I have found yet.

Links to more research:

API for WordPress XML RPC

Least intrusive solution so far

WordPress Support forum

Solutions Collecting From Web of "wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability"

This is the most specific solution I could find as it disables only the single function being attacked.


function Remove_Unneeded_XMLRPC( $methods ) {
    unset( $methods['wp.getUsersBlogs'] );
    return $methods;
add_filter( 'xmlrpc_methods', 'Remove_Unneeded_XMLRPC' );

found this at: http://www.cryptobells.com/more-wordpress-xmlrpc-brute-force-attacks/

For a broader solution there is a WordPress plugin called “Disable XML-RPC” which does precisely that, disables the entire XML-RPC functionality.

I have same issue for hacking my wordpress websites.
Then i have create new user for administrator access and delete default admin user.
Then i have installed below plugin and do it’s required setting.
iThemes Security

Let me know if you have any query.