WordPress Brute-Force Amplification and How to Protect your Site

Although WordPress compromises have so far mostly come through plugins of dubious quality, new findings from Sucuri show that right now the biggest threat to the most popular CMS platforms, WordPress and Drupal included, comes from brute force amplification attacks.
Namely, the WordPress xmlrpc.php file has once again become the target of heavy attacks last week, which caused quite a stir in webmaster communities worldwide. This time, however, protecting your site is rather easy. But we’ll get to that later on.
First, let us see what XML-RPC really is and what it does.
What is XML-RPC?
XML-RPC is one of the simplest protocols for exchanging data between computers: method calls and their responses travel as XML over plain HTTP, and xmlrpc.php is the file through which WordPress exposes it (“securely” is the key word here, right? By default every authenticated call carries a username and password). Jokes aside, the trick is the system.multicall method, which lets a client pack many method calls into a single HTTP request and get all the results back at once. This is what lets remote platforms interact with a site online: through xmlrpc.php external applications such as the WordPress mobile app, Jetpack and remote publishing tools connect, transmit, and process data.
Now that you probably skimmed through all these technicalities, let’s see what exactly is going on with this new type of hacks.
Amplified Brute-Force Attacks
In a “normal” or typical brute force attack, the attacking machines guess username and password combinations for a certain site one at a time, one HTTP request per guess, so the attempts are easy to count, throttle and block. In an amplified brute force attack, the attacker wraps hundreds or thousands of guesses into a single request: each guess becomes one call to an authenticated method such as wp.getUsersBlogs, and system.multicall carries them all in one go. The site dutifully checks every password in the batch and reports which one worked, while a protection that counts requests or login attempts per request sees just one. That makes the attack far more efficient and makes request-based rate limiting close to useless. Within WordPress, XML-RPC is the communications bridge between a remote application (think the WordPress mobile app, for instance) and the site itself, and that bridge is exactly where “the magic” happens. Which brings us to our next section:
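To make the amplification concrete, here is an added example (not Sucuri’s code and not part of WordPress) that builds the kind of system.multicall body the attack sends and then runs a server-side check over it. The check parses the request, counts the nested calls and the distinct username/password pairs they carry, and blocks batches that are unusually large or that try more than one password. The size threshold, the list of credentialed methods and all request bodies are assumptions constructed for this example.

```python
"""Brute force amplification over system.multicall: what the request looks
like and a check that spots it. Added example; bodies below are constructed."""
import xmlrpc.client

# WordPress XML-RPC methods that take credentials, mapped to the position of
# the username parameter (the password follows it). wp.getUsersBlogs is the
# method the real attacks abuse; the others authenticate the same way.
CRED_METHODS = {"wp.getUsersBlogs": 0, "wp.getPosts": 1, "wp.getCategories": 1}

# Assumed policy threshold: legitimate multicalls are small.
MAX_NESTED_CALLS = 10


def build_multicall(username, candidates):
    """Attacker side: one HTTP body carrying one login guess per nested call."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in candidates]
    # dumps() takes a tuple of top-level params; system.multicall has exactly
    # one: an array of {methodName, params} structs.
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def assess(body, max_nested=MAX_NESTED_CALLS):
    """Defender side: parse a request body and decide whether to drop it.

    Returns the outer method, the number of nested calls, the number of
    distinct (username, password) pairs tried, and the verdict. A multicall is
    blocked if it is larger than max_nested or carries more than one distinct
    credential pair, which is the signature of a guessing batch rather than a
    client that authenticates once and does several things.
    """
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return {"method": method, "nested": 0, "guesses": 0, "block": False}
    calls = params[0] if params else []
    creds = set()
    for call in calls:
        if not isinstance(call, dict):
            continue
        args = call.get("params") or []
        offset = CRED_METHODS.get(call.get("methodName"))
        if offset is not None and len(args) >= offset + 2:
            creds.add((str(args[offset]), str(args[offset + 1])))
    block = len(calls) > max_nested or len(creds) > 1
    return {"method": method, "nested": len(calls), "guesses": len(creds), "block": block}


# Constructed samples: a 500-guess batch, an ordinary single call, and a small
# multicall from a client that logs in once and performs two actions.
ATTACK_BODY = build_multicall("admin", [f"guess{i}" for i in range(500)])
BENIGN_SINGLE = xmlrpc.client.dumps(("admin", "s3cret"), methodname="wp.getUsersBlogs")
BENIGN_MULTI = xmlrpc.client.dumps((
    [{"methodName": "wp.getUsersBlogs", "params": ["admin", "s3cret"]},
     {"methodName": "wp.getPosts", "params": [1, "admin", "s3cret"]}],
), methodname="system.multicall")

if __name__ == "__main__":
    for label, body in [("attack", ATTACK_BODY), ("single", BENIGN_SINGLE),
                        ("multi", BENIGN_MULTI)]:
        print(label, len(body), "bytes ->", assess(body))
```

The point to take from running it: the 500-guess body is a single POST of a few tens of kilobytes, so any defence that counts requests per IP, or failed logins per request, sees one event while the site has just tested 500 passwords. Counting distinct credential pairs inside the batch is what separates a guessing run from a legitimate client.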
How to Protect your Site
Perhaps the simplest and most practical way to protect your WP site from these attacks is to use .htaccess to block access to xmlrpc.php altogether. It is easy to do, thorough, reliable, and maintenance-free, with one caveat: anything that legitimately talks to your site over XML-RPC (the WordPress mobile app, Jetpack, remote publishing clients, pingbacks) stops working too. Apache 2.2 uses the Order/Deny directives, Apache 2.4 uses Require, and the IfModule blocks below pick the right one for your server, so simply type in:
# protect xmlrpc
<Files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
</IfModule>
</Files>
The great thing with .htaccess protection is that you can customize it: allow specific IP addresses and deny everyone else (for example Allow from 203.0.113.10 in the 2.2 syntax or Require ip 203.0.113.10 in 2.4), which is how you keep a remote client or Jetpack working while the rest of the world is locked out, or redirect all the blocked requests to a specific page. Pretty cool. If blocking the whole file is too blunt, a more surgical option is to leave xmlrpc.php reachable but remove only the amplifier: WordPress lets a plugin (or a small mu-plugin) unregister methods through the xmlrpc_methods filter, and dropping system.multicall there takes away the one-request-many-guesses trick while ordinary single calls keep working. However, if this is too much of a bother for your style, you can always get a suitable WP plugin and be done with it.
Jetpack Protect Plugin
Jetpack has a great module called Jetpack Protect (formerly known as BruteProtect) that does one thing and does it well: it protects sites from brute force attacks. Sam Hotchkiss, the main man behind Jetpack Protect, officially confirmed via a recent WordPress post that Jetpack Protect users are safe from brute force amplification attacks. What more proof do you need? Just keep in mind that Jetpack itself talks to your site through xmlrpc.php, so if you go down this route, don’t also block the file outright.
Now that you know how to stay protected from this latest wave of attacks, maybe you’d like to check out these cool WordPress Layout and Styling Tips. It is never too late or too early to make your page look stylish.