Malware removal company Sucuri noticed a massive spike in WordPress malware “visitorTracker_isMob” in the last two weeks. The purpose of the malware is to gain access to as many computers as possible via infected websites. At the same time, they’ve noticed a spike in brute force attacks; a particularly insidious kind, where the people attacking your site aren’t restricted by a limited number of login attempts before being locked out. As described by Sucuri, this is how they work:
Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging thesystem.multicall method to attempt to guess hundreds of passwords within just one HTTP request.
In other words – rather than getting three guesses before being locked out, they’re getting a hundred times three. This particular type of attack is called Brute Force Amplification.
So how can you protect yourself against brute force amplification attacks, and in turn, from increasingly common malware?
Sucuri suggests that you block all access to xmlrpc.php – this does break some applications’ functionality, primarily JetPack. They also suggest blocking system.multicall requests. They’re hardly ever used and this will protect you against these amplification methods.