We’re happy to announce the release of iThemes Security 5.1.0 and iThemes Security Pro 2.0.0 today. Highlights of these releases include a new feature to protect your sites from a new type of XML-RPC attack, improved settings description for the previously-existing XML-RPC blocking feature, and improved IP detection for sites behind CloudFlare.
Last week, Sucuri announced a new technique that attackers can use against WordPress sites. This technique allows attackers to speed up their brute force attacks against WordPress usernames and passwords.
The technique relies upon having WordPress’s XML-RPC feature active in order for the attack to work. For iThemes Security users that have XML-RPC disabled, your site is already protected against this attack. For users that cannot disable XML-RPC due to running Jetpack, the WordPress mobile app, or other similar services and tools that require XML-RPC, this leaves sites with XML-RPC enabled vulnerable to this type of attack.
To protect sites that must have XML-RPC enabled, today’s iThemes Security and iThemes Security Pro update introduces a new feature to block these attacks. Use the following steps to enable this protection on your site:
How to Activate XML-RPC Brute Force Protection with iThemes Security
1. Update to the latest version of iThemes Security (5.1.0 for Free and 2.0.0 for Pro).
2. Go to Security > Settings.
3. Scroll to the WordPress Tweaks section.
4. Change the “Multiple Authentication Attempts per XML-RPC Request” setting to “Block”.
5. Click the “Save All Changes” button.
With this new setting set to “Block”, requests that attempt to exploit this vulnerability in XML-RPC will be blocked and will not receive any success or error details about their login attempts.
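As an added illustration of what the “Block” setting checks (example code, not iThemes Security’s own), the following Python parses an XML-RPC request body, counts the authenticated calls bundled into a system.multicall, and answers a blocked request with one generic fault. The method list, fault code and fault message are assumptions, and the sample request bodies are constructed for the demo.

```python
"""Added example, not iThemes Security's code: the check behind the
"Multiple Authentication Attempts per XML-RPC Request" setting.
Assumed: AUTHENTICATED_METHODS is a constructed subset of WordPress
XML-RPC methods that take a username/password; the fault code and
message used when blocking are made up for this demo."""
import xmlrpc.client

# WordPress XML-RPC methods whose params carry username and password
# (assumed subset; the real list is longer).
AUTHENTICATED_METHODS = {
    "wp.getUsersBlogs", "wp.getUsers", "wp.getPosts", "wp.getOptions",
    "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs",
}

def count_auth_attempts(body: bytes) -> int:
    """Return the number of login attempts carried by one request body.
    A plain call is at most one attempt; system.multicall counts every
    bundled authenticated call, which is how one request can test many
    passwords at once."""
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return 1 if method in AUTHENTICATED_METHODS else 0
    calls = params[0] if params else []
    return sum(1 for call in calls
               if isinstance(call, dict)
               and call.get("methodName") in AUTHENTICATED_METHODS)

def should_block(body: bytes) -> bool:
    """The "Block" setting: refuse requests with more than one attempt.
    A multicall with a single authenticated call is still allowed."""
    return count_auth_attempts(body) > 1

def block_response() -> str:
    """One generic fault for the whole request, so the caller learns no
    per-call success or error detail about the credentials it sent."""
    fault = xmlrpc.client.Fault(403, "Request blocked.")  # constructed
    return xmlrpc.client.dumps(fault, methodresponse=True)

# Constructed sample bodies for exercising the check offline.
def single_request(username: str, password: str) -> bytes:
    return xmlrpc.client.dumps((username, password),
                               methodname="wp.getUsersBlogs").encode()

def multicall_request(credentials) -> bytes:
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]}
             for u, p in credentials]
    return xmlrpc.client.dumps((calls,),
                               methodname="system.multicall").encode()
```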
Changelog for both iThemes Security 5.1.0 and iThemes Security Pro 2.0.0
- New Feature: Added “Multiple Authentication Attempts per XML-RPC Request” setting to the WordPress Tweaks section. When this setting is set to “Block”, iThemes Security will block brute force login attacks against XML-RPC as described by Sucuri in this blog post.
- Enhancement: Updated text describing the XML-RPC setting in the WordPress Tweaks section to better explain what the setting is for and which setting is recommended.
- Enhancement: Improved IP detection when proxy detection is active by processing the header set by CloudFlare.
- Enhancement: Added a filter named itsec_filter_remote_addr_headers which can be used to change which headers are searched for the client IP. This allows for tailoring the IP detection for specific reverse proxies and load balancers.
- Bug Fix: Updated the Banned Users settings to no longer add a newline to the Ban Hosts input each time the settings page is saved.
Today also marks a big change in version numbering for iThemes Security and iThemes Security Pro. The version numbers are switching to the same method used by WordPress. This is why the new version of iThemes Security Pro is 2.0.0 instead of 1.19.0. The reason for this change is that the first digit was unlikely to ever update past 1 with the old version system while the second digit would continue to grow. This change helps the version numbers be more instantly recognizable and understandable to more users. As before, an update that only changes the last digit of the version, such as going from 2.0.0 to 2.0.1, indicates a security or bug fix release.