WordPress XML-RPC Brute Force

Password : blackos.net

This is an exploit for WordPress xmlrpc.php System Multicall function affecting the most current version of WordPress (3.5.1). The exploit works by sending 1,000+ auth attempts per request to xmlrpc.php in order to “bruteforce” valid WordPress users and will iterate through whole wordlists until a valid user response is acquired. It will then selectively acquire and display the valid username and password to login.

WordPress XMLRPC brute force attacks via BurpSuite

Hello to everyone, my name is Lara and this is my first post, I wish you will enjoy and it will be helpful. 🙂

Nowadays brute force attacks are very common on the internet on servers and applications. Probably if you have a server online you are able to see this kind of attacks through your server logs. The most common attack surfaces are ssh service, web server or could be via authentication form on your web page (application based attack).

WordPress is a well-known CMS (Content Management System), brute force attacks against it are very common and usually attackers use the authentication form, however, is not the only way that the malicious guys can do it.

What is XML-RPC interface?

“It’s a specification and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet.
It’s remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.”

XML-RPC functionality is turned on by default since WordPress 3.5, but not all the WordPress administrators know this functionality and this utility, because of this, they do not protect properly the XML-RPC interface.

Ok, then, the question is, why WordPress uses this interface?

Basically, WordPress uses this interface to post directly to your blog using weblog clients or email apps and for the pingback and trackback functionality.

There are a lot of plugins in WordPress that you can use to prevent brute force attacks through the login form, but to avoid this kind of attack through XML-RPC interface is a bit more complicated. To do so, you need to modify the .htaccess file and disable the XML-RPC interface (if you don’t want to use it).

In this article, I am going to cover how to perform brute force attacks against WordPress XML-RPC interface.

Brute force attack.

There are two types of brute force attack that we can do against XML-RPC interface.

– Simple brute force attack : You can try in each request one user and one password
– Amplification brute force attack available till version 3.5.1 of WordPress: You can try in each request more than one user and password.

The attack (Simple brute force attack )

To check if the XML-RPC interface is enabled in the WordPress you can use the following URL:

– http://url/xmlrpc.php

If you can see this in your browser means that the xmlrpc.php interface is enabled.


This script is a PoC for the “Brute Force Amplification Attack” exploit against XMLRPC interfaces enabling the system.multicall()method (enabled by default).

The system.multicall() method allows multiple calls to be sent within a single HTTP request. Using this “wrapper”, malicious attackers can carry out a large number of login attempts (bruteforce) with a minimal network impact, consequently making them stealthier and more efficient.

At the moment, the maximum number of calls which can be encapsulated within the system.multicall() method without triggering a networking error is 1999 calls meaning that for each HTTP request sent 1999 different login attempts are performed.