XMLRPC or WP-Login: Which do Brute Force Attackers Prefer

At Wordfence we constantly analyze attack patterns to improve the protection our firewall and malware scan provides. We recently took a closer look at brute force attack targets, specifically XMLRPC and wp-login, to gain a deeper understanding of how attackers behave.

In WordPress, there are several ways to authenticate, or sign in to, your website. The two most common ways to authenticate are using the standard login page located at wp-login.php, and by using XMLRPC.

The XMLRPC method is usually used by applications like mobile apps to authenticate before you are able to perform privileged actions on the site.

We analyzed attack data over a 2 week period from January 16th until January 29th to determine which target attackers prefer to attack. Here are the results of our analysis.

Which Target Receives More Attacks?

XMLRPC brute force attack totals

During a two week period we saw almost exactly the same number of attacks on XMLRPC as wp-login. We saw a total of 106 million attacks on wp-login compared to 108 million attacks on XMLRPC.

This result surprised me because I assumed that attackers targeting XMLRPC would be more sophisticated or perhaps creative. But on reflection it takes about the same amount of effort to write an attack script or bot that brute force attacks either target. So this makes sense.

How Many Attackers Hit Both XMLRPC and WP-Login?

XMLRPC, wp-login and both compared as attack methods

The above graph shows the number of unique IP addresses per attack target. Note that this is not the number of attacks, but number of attackers counted as unique IP addresses we saw attacking.

While XMLRPC saw slightly more attacks, wp-login saw slightly more unique attackers, as you can see from the above column chart.

We saw 11,453 attackers only targeting XMLRPC. We saw 38,771 attackers only targeting wp-login. And we saw a whopping 224,461 unique IP addresses targeting both XMLRPC and wp-login.

Clearly most brute force attacks target both XMLRPC and wp-login.
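The bucketing described above (XMLRPC only, wp-login only, both) can be reproduced from an ordinary web server access log. This is an added example, not Wordfence's code; the log lines are constructed, and it assumes every POST to either endpoint is a login attempt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in common log format (documentation IPs, not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [16/Jan/2017:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.7 - - [16/Jan/2017:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.7 - - [16/Jan/2017:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
192.0.2.9 - - [16/Jan/2017:10:00:05 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3120
192.0.2.44 - - [16/Jan/2017:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2980
192.0.2.44 - - [16/Jan/2017:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGETS = {"/wp-login.php": "wp-login", "/xmlrpc.php": "xmlrpc"}


def classify_attackers(log_text):
    """Return (attempts per target, unique IPs per bucket)."""
    attempts = Counter()
    seen = defaultdict(set)  # target -> IPs that POSTed to it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, uri, _status = m.groups()
        target = TARGETS.get(uri.split("?", 1)[0])  # ignore the query string
        # Assumption: a POST is a login attempt; a GET only loads the form.
        if target is None or method != "POST":
            continue
        attempts[target] += 1
        seen[target].add(ip)
    xml, login = seen["xmlrpc"], seen["wp-login"]
    buckets = {
        "xmlrpc_only": xml - login,
        "wp_login_only": login - xml,
        "both": xml & login,
    }
    return dict(attempts), buckets


if __name__ == "__main__":
    totals, buckets = classify_attackers(SAMPLE_LOG)
    print(totals)
    for name, ips in buckets.items():
        print(name, len(ips))
```

The HTTP status is not used to separate failures from successes, because XMLRPC answers a failed login with a 200 response that carries a fault in the body.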

Do Attackers in Different Countries Prefer XMLRPC or WP-Login?

XMLRPC and wp-login attacks by country

We analyzed attacks from the top attacking countries and saw an interesting trend. As you can see above, most of the attacks come from Russia and the USA is the second most prolific attacker.

What is interesting here is that the attacks originating in Russia have a strong preference for wp-login as a target. And attacks originating in the USA have the opposite preference. They seem to mostly target XMLRPC instead.

Digging Deeper into Brute Force Attacks originating in the USA

XMLRPC and wp-login brute force attacks by ISP

As you can see, the majority of the attacks originating in the USA come from Amazon, which provides cloud computing services to developers. We saw a total of over 144 million attacks over two weeks originate from Amazon.

Most of these attacks were targeted at XMLRPC. What is surprising though is that they came from only 36 unique IP addresses hosted at Amazon. All but 3 of these IP addresses appear to be EC2 instances based on their reverse hostnames.

So what is happening here? I’m going to suggest two theories:

One possibility is that 36 servers at Amazon EC2 have been compromised and they have been used to launch a very rapid and wide-spread brute force attack during the past 2 weeks. That attack generated over 144 million failed login attempts across the sites we monitor.

An alternative theory is that a developer may be using EC2 to host an application that is trying to sign into WordPress websites using XMLRPC. The application may not handle bad user credentials correctly and may just keep retrying.

It may be a combination of both bad applications hosted at EC2 and compromised servers engaging in a large scale brute force attack.


The data in this post brings up the old debate about whether or not it’s a good idea to hide your login page. Unless you hide every login method on your site, attackers will still be able to brute force your website.

If you disable or move XMLRPC, you risk breaking various applications, including mobile applications, that rely on XMLRPC to do their job.

If you hide or move your login page, you are going to inconvenience or confuse your users, and XMLRPC is still an attack vector.

Other authentication methods will soon become available in WordPress via, for example, the WP REST API. These will also be exploited by attackers.

So the action we recommend is that you use a security product like Wordfence to intelligently block brute force attacks, no matter what they target. Wordfence counts brute force attacks across all authentication methods and blocks attackers if they violate security policy.
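Why counting across all authentication methods matters, as an added example (not Wordfence's implementation): the same sliding-window failure counter is run once per endpoint and once per IP over constructed events. The threshold of 5 failures in 300 seconds is an assumed policy.

```python
from collections import defaultdict, deque


class FailureTracker:
    """Sliding-window counter of failed logins."""

    def __init__(self, max_failures, window_seconds, per_endpoint):
        self.max_failures = max_failures
        self.window = window_seconds
        self.per_endpoint = per_endpoint
        self.events = defaultdict(deque)  # key -> timestamps of recent failures

    def record_failure(self, ip, endpoint, ts):
        """Record one failure; return True if this IP now violates the policy."""
        # Per-endpoint counting keeps separate tallies for wp-login and xmlrpc;
        # combined counting keeps one tally per IP across every login method.
        key = (ip, endpoint) if self.per_endpoint else ip
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()  # drop failures that fell out of the window
        return len(q) > self.max_failures


def blocked_ips(events, **policy):
    """Replay (ip, endpoint, unix_ts) events; return the IPs the policy blocks."""
    tracker = FailureTracker(**policy)
    return {ip for ip, ep, ts in events if tracker.record_failure(ip, ep, ts)}


# Constructed events. The first IP alternates targets: 8 failures in 8 seconds,
# 4 per endpoint. The second IP fails once every 10 minutes on a single endpoint.
EVENTS = [("203.0.113.5", ep, t) for t, ep in enumerate(["wp-login", "xmlrpc"] * 4)]
EVENTS += [("198.51.100.7", "wp-login", t * 600) for t in range(8)]

if __name__ == "__main__":
    policy = {"max_failures": 5, "window_seconds": 300}
    print("per endpoint:", blocked_ips(EVENTS, per_endpoint=True, **policy))
    print("combined:    ", blocked_ips(EVENTS, per_endpoint=False, **policy))
```

The attacker that splits attempts between the two targets stays under a per-endpoint limit but is caught by the combined count; the slow attacker evades both, which is where shared reputation data across sites helps.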

Wordfence can also help you enforce strong passwords and audit your passwords for strength.

We also track attacks across all the sites we protect and take earlier blocking action against known bad IP addresses that have attacked other websites.

As always I welcome your comments below and I’ll be around to join the discussion.

Mark Maunder – Wordfence Founder/CEO

Special thanks to Dan Moen who produced much of the data used in this post and to assistance from our team in analyzing the data.

The post XMLRPC or WP-Login: Which do Brute Force Attackers Prefer appeared first on Wordfence.


This Week’s Top 20 Attacked Themes and Who is Attacking Them

Today we’re publishing statistics on the attacks we are seeing on themes across the WordPress ecosystem. The Wordfence Firewall provides us with attack telemetry across a large number of sites that we protect. The data we’re sharing today is based on the following high level metrics:

  • An analysis of 15,949,826 total attacks across the past 7 days – from Monday August 1st to Monday August 8th (yesterday) on sites that Wordfence protects.
  • Attacks on 519,592 unique Wordfence customer websites.
  • Attacks originating from a total of 72,896 unique IPs. 

The “Theme Slug” below is a term used in WordPress parlance. It refers to the unique directory name that is created in the wp-content/themes/ directory for the theme when it is installed. This uniquely identifies themes in the WordPress ecosystem. To find out more about the theme, simply Google the ‘slug’.

The table shows the total attacks we recorded on that theme across all sites, the number of IPs that launched an attack on the theme, and the number of unique sites on which we recorded attacks targeting that theme. To be clear, that is not the number of sites actually running the theme. It’s simply the number of sites where someone tried to attack the theme, whether it was installed or not.

We explain why most of these themes are being attacked and what the “Bulk Disclosed” column means below the table.

| Theme Slug | Total attacks | Unique IPs attacking | Unique sites attacked | Vulnerability Type | Bulk Disclosed |
|---|---|---|---|---|---|
| churchope | 172,782 | 2,055 | 63,115 | LFI | X |
| mTheme-Unus | 163,644 | 2,303 | 90,803 | LFI | |
| lote27 | 135,948 | 1,922 | 60,638 | LFI | X |
| SMWF | 121,725 | 1,466 | 85,228 | LFI | X |
| markant | 118,962 | 1,399 | 83,418 | LFI | X |
| felis | 118,437 | 1,431 | 81,800 | LFI | X |
| MichaelCanthony | 114,503 | 1,389 | 79,059 | LFI | X |
| TheLoft | 113,990 | 1,387 | 78,644 | LFI | X |
| parallelus-mingle | 105,648 | 1,568 | 54,279 | LFI | |
| urbancity | 96,810 | 1,678 | 56,952 | LFI | X |
| trinity | 89,603 | 1,410 | 52,326 | LFI | X |
| authentic | 82,692 | 1,817 | 37,312 | LFI | X |
| parallelus-salutation | 73,025 | 1,628 | 35,886 | LFI | |
| elegance | 68,928 | 1,009 | 21,726 | LFI | |
| awake | 68,424 | 1,031 | 21,323 | LFI | |
| antioch | 63,174 | 1,365 | 26,243 | LFI | X |
| modular | 62,470 | 990 | 19,770 | LFI | |
| epic | 53,903 | 925 | 17,400 | LFI | X |
| infocus | 52,739 | 989 | 19,942 | LFI | |
| Newspapertimes_1 | 50,707 | 943 | 29,297 | LFI | |


Who is attacking these themes?

Back in December, 2014 a researcher bulk disclosed a large number of WordPress theme vulnerabilities. The disclosure includes a script that targets a single site and tries to exploit vulnerabilities in a large number of themes. The vulnerabilities it tries to exploit are all file inclusion vulnerabilities.

In the comments at the top of the script that was disclosed, the researcher also includes an example of how to use the script with the powerful INURLBR scanner which he also wrote. This allows attackers and presumably other researchers to bulk find and exploit WordPress sites by trying to exploit the theme vulnerabilities disclosed.

This is the example included in the disclosure:

    ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"

In the statistics we’ve released above, all the themes marked with an X are included in the bulk disclosure, which also included the inurlbr exploit example. So we think what is happening is that so-called “script kiddies” (unsophisticated hackers) are grabbing the researcher’s original example from December 2014 and trying to exploit old vulnerabilities in themes.

All these exploits are being blocked by the Wordfence firewall. It’s also likely that many, possibly all of the themes have now fixed this vulnerability, although we recommend that if you use any of these themes you verify with your vendor that your current version contains no vulnerabilities.
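A site owner can produce the same three per-theme columns as the table above (total attacks, unique IPs, unique sites) from their own request logs. This is an added example, not Wordfence's detection logic; the events, theme slugs and script names are constructed placeholders, and the file-inclusion markers are an assumed heuristic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

THEME_RE = re.compile(r"^/wp-content/themes/([^/]+)/")
# Assumed heuristic: strings that indicate a file-inclusion attempt in a query.
LFI_MARKERS = ("../", "..\\", "wp-config.php")

# Constructed events: (site, client_ip, request_uri).
EVENTS = [
    ("site-a.example", "203.0.113.5",
     "/wp-content/themes/theme-one/dl.php?file=../../../wp-config.php"),
    ("site-b.example", "203.0.113.5",
     "/wp-content/themes/theme-one/dl.php?file=..%2F..%2F..%2Fwp-config.php"),
    ("site-b.example", "198.51.100.7",
     "/wp-content/themes/theme-one/dl.php?file=../../wp-config.php"),
    ("site-a.example", "198.51.100.7",
     "/wp-content/themes/theme-two/style.css?ver=4.5"),
    ("site-c.example", "192.0.2.9",
     "/wp-content/themes/theme-two/get.php?path=../../wp-config.php"),
]


def tally_theme_lfi(events):
    """Per theme slug: (total attempts, unique attacking IPs, unique sites)."""
    stats = defaultdict(lambda: {"attacks": 0, "ips": set(), "sites": set()})
    for site, ip, uri in events:
        parts = urlsplit(uri)
        m = THEME_RE.match(parts.path)
        if not m:
            continue  # request is not under a theme directory
        # Percent-decode before matching so encoded separators are still seen.
        query = unquote(parts.query).lower()
        if not any(marker in query for marker in LFI_MARKERS):
            continue  # ordinary theme asset request
        entry = stats[m.group(1)]
        entry["attacks"] += 1
        entry["ips"].add(ip)
        entry["sites"].add(site)
    return {slug: (s["attacks"], len(s["ips"]), len(s["sites"]))
            for slug, s in stats.items()}


if __name__ == "__main__":
    for slug, row in sorted(tally_theme_lfi(EVENTS).items()):
        print(slug, *row)
```

As in the table, a site is counted when the theme is targeted, whether or not that theme is installed there.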

The INURLBR scanner has evolved since it was first released in July 2014 into a powerful tool that allows attackers to bulk locate and exploit WordPress websites and sites using other CMSs. The scanner includes:

  • Support for a huge range of search engines to “Google dork” and find targets for attack.
  • Bulk exploiting of targets once found.
  • The ability to use proxies to hide where queries and exploits are coming from.
  • The ability to rotate proxies to constantly change IP.
  • Ability to hide behind Tor.
  • It can send vulnerable sites to an IRC channel, presumably for botnet integration.
  • It includes many other features like regex matching/extraction and more.

It’s possible that many users of INURLBR are using the original bulk disclosure to test INURLBR before launching more sophisticated attacks. That may explain why those original themes are dominating our top 20 list of exploited themes.

At Wordfence we constantly mine attack data to discover how to better protect our customers. Upgrade to Wordfence Premium today to receive real-time firewall rule updates, premium support and much more.

We encourage you to comment and share this data with the larger WordPress community.

The post This Week’s Top 20 Attacked Themes and Who is Attacking Them appeared first on Wordfence.