iThemes Security Adds XML-RPC Brute Force Protection

Written by Chris Jean on October 15, 2015

Last Updated on October 19, 2015

We’re happy to announce the release of iThemes Security 5.1.0 and iThemes Security Pro 2.0.0 today. Highlights of these releases include a new feature to protect your sites from a new type of XML-RPC attack, improved settings description for the previously-existing XML-RPC blocking feature, and improved IP detection for sites behind CloudFlare.

Last week, Sucuri announced a new technique that attackers can use against WordPress sites. This technique allows attackers to speed up their brute force attacks against WordPress usernames and passwords.

The technique only works when WordPress’s XML-RPC feature is active. For iThemes Security users who have XML-RPC disabled, your site is already protected against this attack. Users who cannot disable XML-RPC because they run Jetpack, the WordPress mobile app, or similar services and tools that require it are left with XML-RPC enabled and therefore exposed to this type of attack.

To protect sites that must have XML-RPC enabled, today’s iThemes Security and iThemes Security Pro update introduces a new feature to block these attacks. Use the following steps to enable this protection on your site:

How to Activate XML-RPC Brute Force Protection with iThemes Security

1. Update to the latest version of iThemes Security (5.1.0 for Free and 2.0.0 for Pro).

2. Go to Security > Settings.

3. Scroll to the WordPress Tweaks section.

4. Change the “Multiple Authentication Attempts per XML-RPC Request” setting to “Block”.

5. Click the “Save All Changes” button.

With this new setting set to “Block”, requests that attempt to exploit this vulnerability in XML-RPC will be blocked and will not receive any success or error details about their login attempts.
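To make the behaviour of the “Block” policy concrete, here is an added example (not the plugin’s own code) that parses an XML-RPC request body with Python’s standard library, counts how many credential-bearing calls it contains, and refuses any request that bundles more than one login attempt inside a `system.multicall`. The method list, the `limit` of one, and the sample request bodies are assumptions constructed for the example.

```python
import xmlrpc.client

# XML-RPC methods whose parameters carry a username/password pair. An illustrative
# list for this example, not the plugin's own configuration.
AUTHENTICATED_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts",
                         "metaWeblog.getUsersBlogs"}


def count_auth_attempts(body: str) -> int:
    """Count the credential-bearing calls in one XML-RPC request body.

    A direct call counts as at most one. A system.multicall is unpacked and every
    inner call is inspected, so a request bundling many logins scores high.
    Malformed or non-XML-RPC bodies count as zero; WordPress rejects those itself.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return 0
    if method != "system.multicall":
        return 1 if method in AUTHENTICATED_METHODS else 0
    # A multicall carries one parameter: an array of {methodName, params} structs.
    calls = params[0] if params and isinstance(params[0], list) else []
    return sum(1 for c in calls
               if isinstance(c, dict) and c.get("methodName") in AUTHENTICATED_METHODS)


def should_block(body: str, limit: int = 1) -> bool:
    """Mirror a 'Block' policy: refuse any request with more than `limit` login attempts."""
    return count_auth_attempts(body) > limit


def block_response() -> str:
    """Generic fault for a blocked request: it reveals nothing about any individual attempt."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(405, "Request blocked."), methodresponse=True)


def multicall_body(calls) -> str:
    """Build a system.multicall request body from (method, params) pairs (constructed input)."""
    structs = [{"methodName": m, "params": list(p)} for m, p in calls]
    return xmlrpc.client.dumps((structs,), methodname="system.multicall")


# Constructed sample requests with placeholder credentials.
SINGLE_LOGIN = xmlrpc.client.dumps(("alice", "placeholder-pw"), methodname="wp.getUsersBlogs")
BENIGN_MULTICALL = multicall_body([("demo.sayHello", []),
                                   ("wp.getUsersBlogs", ["alice", "placeholder-pw"])])
BUNDLED_LOGINS = multicall_body([("wp.getUsersBlogs", ["alice", "guess-1"]),
                                 ("wp.getUsersBlogs", ["alice", "guess-2"]),
                                 ("wp.getUsersBlogs", ["alice", "guess-3"])])

if __name__ == "__main__":
    for name, body in [("single", SINGLE_LOGIN), ("benign", BENIGN_MULTICALL),
                       ("bundled", BUNDLED_LOGINS)]:
        print(f"{name}: {count_auth_attempts(body)} attempt(s), block={should_block(body)}")
```

The single call and the benign multicall each carry one login and pass; the bundled multicall carries three and is refused with a fault that says nothing about which, if any, attempt succeeded.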

Changelog for both iThemes Security 5.1.0 and iThemes Security Pro 2.0.0

  • New Feature: Added “Multiple Authentication Attempts per XML-RPC Request” setting to the WordPress Tweaks section. When this setting is set to “Block”, iThemes Security will block brute force login attacks against XML-RPC as described by Sucuri in this blog post.
  • Enhancement: Updated text describing the XML-RPC setting in the WordPress Tweaks section to better explain what the setting is for and which setting is recommended.
  • Enhancement: Improved IP detection when proxy detection is active by processing the header set by CloudFlare.
  • Enhancement: Added a filter named itsec_filter_remote_addr_headers which can be used to change which headers are searched for the client IP. This allows for tailoring the IP detection for specific reverse proxies and load balancers.
  • Bug Fix: Updated the Banned Users settings to no longer add a newline to the Ban Hosts input each time the settings page is saved.

Today also marks a big change in version numbering for iThemes Security and iThemes Security Pro. The version numbers are switching to the same method used by WordPress. This is why the new version of iThemes Security Pro is 2.0.0 instead of 1.19.0. The reason for this change is that the first digit was unlikely to ever update past 1 with the old version system while the second digit would continue to grow. This change helps the version numbers be more instantly recognizable and understandable to more users. As before, an update that only changes the last digit of the version, such as going from 2.0.0 to 2.0.1, indicates a security or bug fix release.

Update Now to iThemes Security 5.1.0 and iThemes Security Pro 2.0.0

Pro Customers: All current iThemes Security Pro customers will now find the 2.0.0 update available from the WordPress dashboard (for licensed sites) or as a manual download from the iThemes Member Panel. Save time updating all your sites at once from the iThemes Sync Dashboard.
Free Users: All iThemes Security users will now find the 5.1.0 update available from the WordPress dashboard or as a manual download from WordPress.org Plugin Directory. Save time updating all your sites at once from the iThemes Sync Dashboard.
