Common WordPress attacks
There are two files commonly used for WordPress brute force attacks: xmlrpc.php and wp-login.php. This article will detail how to find evidence of an attack.
Attacks on xmlrpc.php
What is XML-RPC?
XML-RPC (xmlrpc.php) allows remote updates to WordPress from other applications. This is no longer necessary with current versions of WordPress, and leaving it enabled leaves your site vulnerable. It is common to find brute force attacks using this file.
How can I tell if I'm being attacked?
If you find multiple access attempts from the same IP in a short amount of time, it may indicate an attack.
In the example below, IP 12.34.56.789 has tried to access the xmlrpc.php page several times at once (10/Sep/2022:05:12:02):
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:05:12:02 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:05:12:02 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:05:12:02 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:05:12:02 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
Attacks on wp-login.php (wp-admin)
Attackers will often use bots that will try dozens if not hundreds of connections at once to gain access to your wp-admin panel.
How can I tell if I'm being attacked?
If you find multiple access attempts from the same IP in a short amount of time, it may indicate an attack. Authorized users having trouble remembering their password will typically show a few minutes between attempts.
In the example below, IP 12.34.56.789 has tried to access the wp-login.php page several times at once (10/Sep/2022:08:39:15):
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:08:39:15 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "https://www.acoolexample.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:08:39:15 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "https://www.acoolexample.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
acoolexample.com-ssl_log:12.34.56.789 - - [10/Sep/2022:08:39:15 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "https://www.acoolexample.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
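As an added example (not part of the original article), the Python script below applies the rule from both sections above to constructed sample log lines: it groups POST requests to xmlrpc.php and wp-login.php by source IP and flags any IP that sends several of them inside a 60-second window, while a user retrying a forgotten password a few minutes apart is left alone. The log format (combined format with a grep-style filename prefix), the IP addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access log line, optionally prefixed "logfile:" as grep prints it.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TARGETS = {"xmlrpc.php", "wp-login.php"}
# Constructed sample, not from a real server: two bursts plus one slow retry sequence.
SAMPLE_LOG = """\
acoolexample.com-ssl_log:203.0.113.5 - - [10/Sep/2022:05:12:02 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:203.0.113.5 - - [10/Sep/2022:05:12:02 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:203.0.113.5 - - [10/Sep/2022:05:12:03 -0700] "POST //xmlrpc.php HTTP/1.1" 200 438 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:203.0.113.9 - - [10/Sep/2022:08:39:15 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:203.0.113.9 - - [10/Sep/2022:08:39:15 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:203.0.113.9 - - [10/Sep/2022:08:39:16 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:198.51.100.7 - - [10/Sep/2022:08:30:01 -0700] "POST /wp-login.php HTTP/1.1" 200 70760 "-" "Mozilla/5.0"
acoolexample.com-ssl_log:198.51.100.7 - - [10/Sep/2022:08:36:12 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """(ip, timestamp, method, script name), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # "//xmlrpc.php?x=1" and "/wp-login.php" both reduce to the bare script name.
    script = m["path"].split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return m["ip"], ts, m["method"], script

def find_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """{(ip, script): peak hits} for IPs with >= threshold POSTs to a target inside one window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] in TARGETS:
            times[(parsed[0], parsed[3])].append(parsed[1])
    flagged = {}
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged
```

Running find_bursts(SAMPLE_LOG) flags 203.0.113.5 (xmlrpc.php) and 203.0.113.9 (wp-login.php), but not 198.51.100.7, whose two attempts are six minutes apart.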
Next Steps
- Check the ownership of the IP using a whois search. If the IP is from China and you have no customers/visitors from China, it might be malicious. If the IP belongs to (for example) Cloudflare, it's unlikely to be malicious.
- Block the attack.