This post was contributed by . He is the founder of LittleBizzy, a managed WordPress hosting company, and a part-time blogger at CollegeTimes, where he gets into trouble exploring controversial issues.

Two weeks ago, I announced that all current and future domains hosted at LittleBizzy would have XML-RPC permanently blocked due to the non-stop problems it was causing. In the announcement, we recommended that other WordPress users across the globe urgently consider blocking the technology on their own web servers as well.

XML-RPC in WordPress Has a Troubled Past

Days after the announcement, Daniel Cid, founder and CTO of Sucuri, and Mark Maunder, CEO of Wordfence, confirmed the reports that a new type of brute-force login attack was being carried out on a massive scale against WordPress sites around the world using XML-RPC. Apparently, hackers have wised up to the fact that wp-login.php is often well protected.

Perhaps more shocking than this latest wave of attacks is that they are nothing new, as Sucuri previously reported a similar wave of attacks in July 2014. Let’s also not forget the wide-scale use of XML-RPC to perform DDoS attacks on WordPress websites reported by Incapsula in