You’ve probably heard the news already that WordPress websites are facing an XML-RPC Brute Force Amplification Attacks. But did you also know that Sucuri, iThemes and Wordfence already have you protected?
If you use Sucuri’s Website Application Firewall (WAF), the company has you covered:
Note that users of our WAF are already protected against this attack, so if you are on CloudProxy you are safe.
Similarly, the Wordfence Security Plugin has login protection that takes into account XML-RPC. Just remember to enable Login Security in the Wordfence Options.
Yes we do protect against brute force via XML-RPC and we have for some time now. We also protect against multiple attempts via a single XML-RPC call
Finally, the iThemes Security Plugin protects against XML-RPC Brute Force attacks (even the free version):
Brute Force Protection in iThemes Security just got more robust. Now when you enable Brute Force Protection this feature includes protection from XML-RPC attacks
Make sure your websites are protected!
Edit (16th October 2015): iThemes Security v5.1.0 and iThemes Security Pro v2.0.0 protect against the XML-RPC Brute Force Amplification Attacks.
New Feature: Added “Multiple Authentication Attempts per XML-RPC Request” setting to the WordPress Tweaks section. When this setting is set to “Block”, iThemes Security will block brute force login attacks against XML-RPC
Edit (15th October 2015): If you have Jetpack installed, the Protect Module also stops XML-RPC attacks.
According to iThemes, version 4.8.0 of iThemes Security WordPress plugin removed the malware scanning feature that relied on VirusTotal. It’s not iThemes fault; VirusTotal discontinued the service to all WordPress plugins. Well, darn.
iThemes suggests using VirusTotal’s URL scanner or Sucuri’s SiteCheck, both of which require you to scan each website manually. Sucuri also offers automated server-side scanning as part of their paid plans.
One other option that wasn’t mentioned by iThemes is the Sucuri Security WordPress Plugin which allows you to initiate a scan from your WordPress admin. The scan needs to be initiated manually though.