
Potential WordPress login Exploit (via XML-RPC)

This post has been submitted by Webcomics.com member JJ Sandee, creator of Cult of Bob.

A recent attack on WordPress has been going around that you should at the very least be aware of. It is not an exploit in the sense that someone can walk into your site through a backdoor. Rather, because of the way one part of WordPress is built, brute-forcing a password is made a great deal cheaper for the attacker.

The short version: if you run a plugin that limits repeated login attempts, and that plugin counts failed logins inside WordPress rather than just visits to the login page, you are pretty much covered.

Read on to understand the details.

Brute Force Attack
A brute force attack means someone keeps trying username and password combinations until one works. Since we are dealing with computers, this is automated, and in practice it always is: scripts hammer your login with guess after guess, around the clock, until they get in or give up.

XML-RPC
XML-RPC is the remote interface built into WordPress (served by the xmlrpc.php file in your site's root) that lets programs read and edit content without going through the normal admin screens. The WordPress mobile app uses it, as do various other editing tools and plugins. Because there is no browser session behind these requests, each XML-RPC call carries the username and password it is acting under. That is the convenience (any tool can log in and work) and, as it turns out, the weak spot.

The basis of the exploit
The normal login page accepts one username and password per request. XML-RPC, however, supports a method called system.multicall: a single HTTP request that bundles many calls, each with its own username and password. An attacker sends one request to xmlrpc.php containing hundreds of login attempts, typically as calls to a harmless read-only method such as wp.getUsersBlogs, and gets back one answer per attempt. This is far more efficient than reloading the login page for every guess, and the web server logs a single POST where it would otherwise log hundreds. The guesses come either from lists of commonly used usernames and passwords, or from credentials harvested in other breaches, depending on what the attacker has available.

Motive
Unless you run a very high profile website, the primary reason to break into your site is to plant malware on it, with the express purpose of infecting the computers of your readers. Those infected machines then go on to attack or infect other computers. The general term for this is a botnet (a network of robots), and once started, botnets tend to run entirely automated.

Solutions
One way is to turn off XML-RPC altogether (WordPress provides the xmlrpc_enabled filter for this, and some hosts simply block xmlrpc.php), but that can break your site, because the mobile app and various plugins rely on it. A narrower option is to remove only system.multicall from the methods XML-RPC exposes, which keeps the tools working but takes away the bundling. A better method, and one that has already been discussed in previous security related posts, is to limit the number of login attempts using a plugin such as Wordfence. (note: I am not affiliated with this plugin, merely pointing it out as being good) Whether a login comes from the login page or from XML-RPC, it ends up in the same WordPress authentication function, so a limiter that hooks into that function and counts failed authentications will count every guess inside a multicall too. The caveat is that a limiter which only watches requests to the login page, or counts HTTP requests rather than login attempts, sees one request where there were hundreds of guesses and never trips.
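To make the two sections above concrete, here is an added example that is not code from this post or from WordPress: a stand-alone simulation in which the attacker side builds one system.multicall request carrying many password guesses, and the server side is a small stand-in for xmlrpc.php with a login limiter that counts failed authentications the way a plugin hooking WordPress's login-failed hook does. The account name, the password list and the client address are constructed for the demo; the "server" is a toy, not WordPress's dispatcher.

```python
"""Simulation of the XML-RPC system.multicall brute force and of a login
limiter that hooks the authentication function.  Added example; not
code from the original post or from WordPress.  Account, wordlist and
client address below are constructed for the demo.
"""
import xmlrpc.client
from collections import defaultdict

# ---- attacker side --------------------------------------------------------

def build_multicall(username, passwords):
    """One system.multicall request body holding one wp.getUsersBlogs call
    per password guess.  wp.getUsersBlogs is a real WordPress method that
    needs only credentials, which is why brute-force scripts favour it."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")

# ---- server side: stand-in for xmlrpc.php ---------------------------------

# Constructed test account; a real site checks a password hash in the DB.
VALID_ACCOUNTS = {"admin": "correct horse battery staple"}

class LoginLimiter:
    """Per-client count of failed authentications.  Because it is fed by the
    authentication function itself, it sees every guess inside a multicall.
    A limiter that only counted requests to wp-login.php would see nothing."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def allowed(self, client):
        return self.failures[client] < self.max_failures

    def record_failure(self, client):
        self.failures[client] += 1

def authenticate(client, username, password, limiter):
    """Single authentication path shared by the login page and XML-RPC.
    Returns a multicall-style result: a one-element list on success, a
    fault struct (dict) on failure."""
    if not limiter.allowed(client):
        return {"faultCode": 405, "faultString": "Too many failed attempts"}
    if VALID_ACCOUNTS.get(username) == password:
        return [[{"blogName": "demo", "isAdmin": True}]]  # getUsersBlogs shape
    limiter.record_failure(client)
    return {"faultCode": 403, "faultString": "Incorrect username or password."}

def handle_request(client, xml_body, limiter, multicall_enabled=True):
    """Dispatch one XML-RPC request.  Returns (per-call results, number of
    login guesses the request contained)."""
    params, method = xmlrpc.client.loads(xml_body)
    if method != "system.multicall":
        raise ValueError("demo server only handles system.multicall")
    if not multicall_enabled:   # what removing the method from the API looks like
        return [{"faultCode": -32601, "faultString": "Method not supported"}], 0
    results = []
    for call in params[0]:
        username, password = call["params"]
        results.append(authenticate(client, username, password, limiter))
    return results, len(params[0])

def successes(results):
    """Indexes of guesses that logged in (lists are successes, dicts are faults)."""
    return [i for i, r in enumerate(results) if isinstance(r, list)]

if __name__ == "__main__":
    guesses = ["password", "123456", "letmein", "qwerty", "admin",
               "welcome1", "correct horse battery staple"]   # constructed wordlist
    body = build_multicall("admin", guesses)
    print(f"one request, {len(guesses)} guesses, {len(body)} bytes")
    unlimited, _ = handle_request("203.0.113.7", body, LoginLimiter(max_failures=10**9))
    limited, _ = handle_request("203.0.113.7", body, LoginLimiter(max_failures=5))
    print("no limiter   ->", successes(unlimited))   # [6]: right password found
    print("with limiter ->", successes(limited))     # []: blocked before guess 7
```

The point to notice is the difference between the two runs: the request body is identical, and the web server sees one POST either way, but the limiter that counts at the authentication layer stops the batch after five failures, so the correct password sitting at the end of the list is never even checked. Passing `multicall_enabled=False` shows the other mitigation from the Solutions section, dropping system.multicall entirely, which turns the whole batch into a single error.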

Future
Because WordPress is used so widely, it is a popular target for spreading malware, and things like this will keep popping up. The flip side of that large user base is a large community, so updates to combat these issues tend to be released quickly. This one is a case in point: later versions of WordPress (from 4.4 onward) reject the remaining calls in a system.multicall batch once one of them fails to authenticate, which blunts the bundling trick, though a login limiter is still worth having for the plain one-guess-per-request attack. It is important to keep up with updates, and to stay aware of threats as they appear.

by JJ Sandee on October 13, 2015
Posted In: Uncategorized