The popularity of WordPress is obvious. Quick development of feature-rich websites on top of an intuitive, easy-to-use CMS is one of its main benefits. Of course, that same popularity makes it a bigger target for attackers. Last week, Sucuri announced a new technique that attackers can use against WordPress sites: by abusing the XML-RPC interface, they can pack many username and password guesses into a single request, which dramatically speeds up brute force attacks against WordPress logins.
The technique only works when WordPress's XML-RPC feature is active. Recently the Nuttifox team have been cleaning up more hacked WordPress sites than ever before. Does this put us off using WordPress? Not at all. It does, however, highlight the importance of setting up WordPress sites correctly and knowing how to protect yourself, which goes for any online application.
Most WordPress site owners do not need the XML-RPC feature, and if it is disabled your site is already protected against this particular attack (ordinary brute force through the normal login form is a separate problem, and still calls for strong passwords and login rate limiting). If you need XML-RPC to remain active, your site is exposed to this type of attack unless requests to it are limited or filtered. Some plugins and clients, such as Jetpack and the WordPress mobile apps, require XML-RPC to function.
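If you have to leave XML-RPC switched on, it helps to be able to see the attack in your own logs. The script below is an added example, not code from the original post or from Sucuri or iThemes. It assumes a combined-format web server access log (Apache or nginx default) and does two things: it flags source IPs that POST to /xmlrpc.php many times in a short window, and it parses a single XML-RPC request body to show how many credential guesses one `system.multicall` request can carry, which is the amplification the technique relies on. The log lines, IP addresses, timestamps and the request body are all constructed sample data.

```python
"""Spot XML-RPC brute-force amplification against WordPress.

Added example (not the original post's code). Two checks:
  1. flag source IPs that POST to /xmlrpc.php at least THRESHOLD times
     inside any WINDOW-second span of a combined-format access log;
  2. count the (method, username, password) guesses packed into one
     system.multicall request body, which is why a single request can be
     worth hundreds of login attempts.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_xmlrpc_abusers(lines, threshold=20, window=60):
    """Return {ip: total_posts} for IPs with >= threshold POSTs to
    /xmlrpc.php within any `window` seconds (sliding window over sorted times)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def multicall_guesses(body):
    """Return a list of (method, username, password) tuples carried by a
    system.multicall request body; empty if the body is not a multicall.
    WordPress XML-RPC methods such as wp.getUsersBlogs take username and
    password as their first two params, so each inner call is one guess."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return []
    guesses = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        method, params = None, []
        for member in struct.findall("member"):
            name = member.findtext("name")
            if name == "methodName":
                method = member.findtext("value/string")
            elif name == "params":
                params = [v.text for v in member.findall("value/array/data/value/string")]
        if method and len(params) >= 2:
            guesses.append((method, params[0], params[1]))
    return guesses


# Constructed sample log: one IP hammering xmlrpc.php, one ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2015:12:00:0{i} +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"'
    for i in range(1, 7)
] + [
    '203.0.113.7 - - [10/Oct/2015:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2015:12:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"',
]

# Constructed multicall body: three login guesses in one HTTP request.
SAMPLE_MULTICALL = (
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    '<params><param><value><array><data>'
    + "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{u}</string></value><value><string>{p}</string></value>"
        "</data></array></value></member></struct></value>"
        for u, p in [("admin", "password1"), ("admin", "letmein"), ("editor", "welcome1")]
    )
    + "</data></array></value></param></params></methodCall>"
)

if __name__ == "__main__":
    print("flagged:", flag_xmlrpc_abusers(SAMPLE_LOG, threshold=5, window=60))
    print("guesses in one request:", len(multicall_guesses(SAMPLE_MULTICALL)))
```

Run against a real access log (`flag_xmlrpc_abusers(open("access.log"))`) and tune `threshold` to what your legitimate XML-RPC clients such as Jetpack actually generate; a single IP sending dozens of POSTs to xmlrpc.php per minute is almost always a brute force run, and the multicall count shows why request-per-minute limits alone under-count the attempts.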
Nuttifox recommend iThemes Security and iThemes Security Pro to block these attacks. The iThemes plugin is available for free from the WordPress plugin directory and has an arsenal of protection methods to secure your WordPress website, including a recent update that addresses this particular attack. We install and set up iThemes on all of our clients' websites, including this one.
If you want to take security and performance a step further, we also recommend Cloudflare. More on this later, but check it out!