Feature request: Add support for XMLRPC attacks

Did a quickfix myself if anyone needs the same functionlity.. Note that this is very ugly and “hacky” but works to block xmlrpc hack attempts if they use blacklisted users. Also changed to permanent block as there was no option for this in the settings.

In wordfence/lib/wordfenceClass.php, method authenticateFilter(), line 982:

Changed from:

if($blacklist = wfConfig::get('loginSec_userBlacklist')){
					$users = explode(',', $blacklist);
					foreach($users as $user){
						if(strtolower($_POST['log']) == strtolower($user)){
							self::getLog()->blockIP($IP, "Blocked by login security setting.");
							$secsToGo = wfConfig::get('blockedTime');
							self::getLog()->do503($secsToGo, "Blocked by login security setting.");
							break;
						}
					}
				}

to

if($blacklist = wfConfig::get('loginSec_userBlacklist')){
					if($_SERVER['REQUEST_URI'] == '/xmlrpc.php') {
						$xml = @file_get_contents("php://input");
						$startPos = strpos($xml, "<param><value>");
						if($startPos !== false) {
							$startPos += 14; // length of searchstring
							$endPos = strpos($xml, "</value>", $startPos);
							$len = $endPos - $startPos;
							$username = substr($xml, $startPos, $len);
						} else $username = "";
					} else {
						$username = $_POST['log'];
					}
					$users = explode(',', $blacklist);
					foreach($users as $user){
						if(strtolower($username) == strtolower($user)){
							self::getLog()->blockIP($IP, "Blocked by login security setting.",false,true); // Permanent block
							$secsToGo = wfConfig::get('blockedTime');
							self::getLog()->do503($secsToGo, "Blocked by login security setting.");
							break;
						}
					}
				}

Hope it helps someone.

Thank you for the suggestion. I will pass it along to the developers.

Thanks for the contribution Stingray!
I’m not going to change anything in WF core files until they update it because I still use XMLRPC on my site for the Mobile App so I’m not sure if doing this will not cause any issues or maybe damages.

@b13story: As it only does something like “if it’s an xmlprc call, get the username from the xml instead of the username field” (and only does this on failed login attempts), I can’t see any way it would interfere with any current xmlrpc calls, as it’s not modifying anything in existing calls. That said, yes, it could be a bad idea to modify the plugin manually :).

Hope this gets added in an upcoming release, I already have a massive number of blocks this way (all correct ones from distributed attacks toward xmlrpc).

Thank you Stingray, great to hear that it worked well for you.
I will talk to the team and see what we can do for the moment, I hope to see a new update for WF soon.

Just a followup – is any kind of xmlrpc protection implemented yet? I still get tons of blocks daily from the above patch I made, and other xmlrpc functions are working properly. I haven’t updated wordfence in a while since this would remove the xmlrpc protection, and haven’t seen anything mentioned that it has been added in the latest versions. Anything that is planned?

This is not included in the current release, but we do have a feature request entered in our internal system for it, and I think it will be included in a future release, but I don’t know when yet.

If you don’t use XMLRPC for the WordPress app (or other blog software), and don’t use pingbacks, you can disable XMLRPC completely, if you would like. I’ve used this plugin before — it hasn’t had an update since February, but it’s literally one line of actual code and works correctly in WP 4.3:
https://www.ads-software.com/plugins/disable-xml-rpc/

-Matt R

FB876