WordPress Sites Seeing Increased Malware, Brute Force Attacks This Week

A glut of WordPress sites have fallen victim to both malware infections and a series of brute force attacks that have been making the rounds over the past several days, researchers claim.

According to Peter Gramantik, a malware researcher at Sucuri, highly obfuscated malware payloads have been targeting sites with out-of-date plugins and sloppy, weak passwords.

While the fact that malware is targeting outdated plugins and weak passwords isn’t particularly surprising, Gramantik claims what makes the attack interesting is that the payload is being blindly injected. Bug-riddled PHP is apparently corrupting legitimate WordPress core files, along with theme and plugin files belonging to the popular content management system.

According to the firm, the injection errors produce PHP warnings, like the one below, which show up in normal site content.

Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91

Sucuri claims the only way it knows how to fix the infected files is to restore the files from backup after the malware has been removed.

This week has also seen a series of brute force attacks wreaking havoc on WordPress sites, according to researchers at the SANS Institute.

The attacks appear to target xmlrpc.php, the same WordPress XML-RPC endpoint that was leveraged to cause a large-scale distributed denial of service attack on tens of thousands of WordPress sites earlier this year.

SANS incident handler Daniel Wesemann warned Tuesday that some Internet Storm Center readers have been experiencing a scourge of attacks on their sites.

The attacks specifically use the wp.getUsersBlogs method of the XML-RPC API to carry out brute force password guessing. Code posted by Wesemann on the InfoSec Handlers Diary Blog clearly shows requests trying to guess passwords (admin, admin123) against a targeted WordPress installation.


(Image via Robert Paprocki, cryptobells.com)

Wesemann goes on to point out that the plain HTTP web server logs aren’t a good indicator of these attacks: the web server accepts each request and logs it as a normal success, and the failed login is only visible inside the XML payload the server returns, which carries an anticipated ‘403 – Not Authorized’ message.

The post warns that “traditional” modes of security protection, like the plugin BruteProtect, are actually less effective against this technique.

“Most of these add-ons tend to watch only wp_login.php and the associated wp_login_failed result, which does not trigger in the case of an XMLRPC login error.”
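The detection gap described above can be checked directly. The following is an added example, not code from the article, SANS or Sucuri: it counts POSTs to xmlrpc.php per client IP in constructed access-log lines (every guess is logged as HTTP 200, so volume is the only signal there) and parses a constructed XML-RPC fault body to show where the 403 actually lives. The threshold and the sample data are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines: a rejected wp.getUsersBlogs login still returns HTTP 200.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2014:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2014:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2134 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2014:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
]

# Constructed sample response body using the standard XML-RPC <fault> structure.
SAMPLE_FAULT = """<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""

def xmlrpc_post_counts(log_lines, path="/xmlrpc.php"):
    """Count successful (2xx) POSTs to xmlrpc.php per client IP.
    Only 2xx lines are counted because the server answers a bad login with 200."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == path and m["status"].startswith("2"):
            counts[m["ip"]] += 1
    return counts

def suspicious_ips(log_lines, threshold=3):
    """IPs whose xmlrpc.php POST volume meets the (assumed, per-site) threshold."""
    return sorted(ip for ip, n in xmlrpc_post_counts(log_lines).items() if n >= threshold)

def xmlrpc_fault(body):
    """Return (faultCode, faultString) from an XML-RPC fault response, or None
    for a normal methodResponse. The 403 appears here, not in the HTTP status."""
    root = ET.fromstring(body)
    fault = root.find("fault")
    if fault is None:
        return None
    members = {m.findtext("name"): m for m in fault.iter("member")}
    code = int(members["faultCode"].find("value/int").text)
    return code, members["faultString"].find("value/string").text
```

Because the HTTP status never changes, an alerting rule keyed on 4xx responses or on wp-login.php alone will stay silent; the per-IP POST count and the fault code inside the body are the signals to watch.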

WordPress experts are encouraging users looking to avoid getting hit with brute force attacks like these to use a strong password, not to use a common username and follow the Hardening WordPress FAQ on WordPress.org.

Jan Reilink, a Netherlands-based system administrator, claimed he noticed a rash of HTTP POST requests using XMLRPC.PHP on WordPress earlier this month but it’s unclear if the requests he noticed, which came in the form of a much larger payload, are related to the XMLRPC.PHP DDoS attack Sucuri noticed in March.

The brute force attack campaign sounds similar to attacks initiated by the massive 90,000-strong WordPress botnet that reared its head last spring. Those attacks used a combination of “admin” as a user name, and a list of common passwords to break its way into systems.

  • Anonymous on

    I too have been hit with this attack. More than 40 hours have passed and the attack is still going strong. I am getting about 5 hits/minute on xmlrpc.php. What is amazing is the number of IPs involved. I have been hit by about 3900 unique IPs till now, and about 8250 IPs including duplicate hits. Thankfully, the traffic isn't too much, so the server hasn't taken a beating.
  • Sam Hotchkiss on

    Hey Chris-- I'm the founder of BruteProtect, and I wanted to take a minute to respond to this. First off-- thank you for covering these issues. The more people know about security and vulnerabilities at play, the safer we'll all be. However-- the quote used above: “Most of these add-ons tend to watch only wp_login.php and the associated wp_login_failed result, which does not trigger in the case of an XMLRPC login error.” is incorrect. When XML-RPC authenticates a user (see class-wp-xmlrpc-server.php:182) it calls the "wp_authenticate" function. If you refer to that function (see pluggable.php:521), you can see that the wp_login_failed hook is called. Best, Sam
  • Anonymous on

    Hey Sam, Thanks for the comment. That particular quote is from the entry referenced on the SANS Diary blog. It looks like the link initially referenced (https://isc.sans.edu/forums/diary/WordPress+brute+force+attack+via+wpgetUsersBlogs/) has changed to https://isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427. I've updated the blog to reflect that. Thanks for the information. Chris
  • Swati on

    Hi, I have been a victim of this attack, and though I have been trying to get the attention of a Happiness Engineer at WordPress, there has been no response from him/her. Please let me know how much time it will take to restore the site, as my work is suffering.
  • RPF on

    Hi. Is wordpress down? I can't access my account. I keep getting this message: HTTP ERROR: 504. Thanks!!
    • Brian Donohue on

      Sorry, I seem to have missed this message on Friday. WordPress is up for me now. Let me know if you have any issues moving forward.
  • Crystal on

    Last night I got a call from Florida, Jay. That might mean something to all you IT guys and gals. He wanted to rent my apartment and wondered if I preferred girls. I believe he was of Indian descent. Between yesterday (I just started working on my website again) and today, I have been re-cut off using my Firefox Browser link process and yes PHP and hiding the link has something to do with it... appears they were watching my activity, as one of the affiliate products had posted this process. Voila, we once again are cut off from the knees.... I guess they wanted whoever is tracking us to know... That this land of milk and honey, is not going to do your bidding of overtaking the world, by moving in with the women... or something like that... course I could have it backwards, maybe the design is to rescue the women and thus, they will be obliged to share the commerce... if we ever get to creating commerce. Been a few years now, little gremlins seem to wish to ensure we never get there... personally I think it has something to do with the year you are born and whether you have a nice butt or not.
  • Mayo Mick on

    I have been a victim of this hack last week. Took my 3 sites down. Jetpack monitor did not pick up that the sites were down either. Thankfully I have good backups and did not lose any data. Very annoying though.
    • Mayo Mick on

      Just to add, I keep all themes and plugins up to date.
  • she32 on

    Wordfence is helpful to me. I'm just using this free plug-in and it notifies me when someone tries to attack the site.
  • r109 on

    Anyone keen on ModSecurity? How about a security rule that bans the IP(s) that are spamming xmlrpc.php? I am currently seeing thousands of attempts from a DDoS botnet brute forcing wp.getUsersBlogs by unloading a dictionary. Would love feedback, I'm not too keen on ModSec rules.
  • r109 on

    There is a new brute force exploit for xmlrpc.php. Attackers are using XMLRPC API method wp.getUsersBlogs to brute force logins with dictionaries.
  • speedyk on

    I'm not technical enough to speak to some of the stuff here, but Wordfence can block whole networks with a couple of clicks, or if the network is too large, can block a range of IPs. I tend to do a 10-address spread at first; if they come back outside that range I do 0 to 255 on the last digits, and if they still come back I do that on the next set. Wordfence will then show me how many subsequent attempts were made. An alpha hotel on AWS is still banging away from the same range after almost a year. Bad Behavior is also useful; it can be set up to work with a blacklist and its logs are quite informative. I will often C&P IPs from it and add them to the Wordfence list, often using a range plus or minus.
  • Smith on

    Ya, most WordPress plugins have some bugs, so they are just uploading some unnecessary files to access the server, so keep updating servers.
