This post is a bit late to the game but I wanted to post about it because as part of my LLC I provide black hat type penetration testing against WordPress. Although WP is awesome at keeping updated I still have to always run my standard tests against the the core code as well. Today, I wanted to talk a bit about some false positives that I have been getting when testing the notorious XMRPC brute force hack.
It has taken me almost 9 months to figure out why the level of successful XMLRPC brute force attempts have fell to zero using my traditional means of testing. This is due to the multiCall method patch that was applied in WordPress version 4.4. You can find the patch by visiting https://core.trac.wordpress.org/attachment/ticket/34336/34336.diff. The patch effectually prevent the multiCall method from being brute force attempt attacked by using a boolean variable “auth_failed“. This patch works by setting “auth_failed” to true on the first failed login attempt that fails. The way the multiCall method in the XMLRPC works is that you send multi calls in one push to the XMLRPC server and then WordPress loops through these methods one by one. Even with multiCall the session for the call is the same and thus the local variable is still set to true while running though the methods.
There is no way to use the XMLRPC multiCall method anymore which is great for the WP world but hurts my workflow. So if you provide penetration testing and running tests against the XMLRPC multiCall method, you are wasting your time.
The patch was applied in 4.4 so that means that older version my be exposed if auto updates were not turned on. I am not sure how far back the core team has patched this but I would imagine that the patch goes way back.
If you want to be protected against the exploit, you MUST keep updated. Although there is other ays to get around the patch, they are not made public and I will soon be presenting a patch myself to prevent my new method.
Keep and eye out.