XML-RPC is a remote procedure call protocol that relies on Extensible Markup Language (XML) for call encoding and on HTTP for transporting.
Daniel Cid, CTO at Sucuri, a company that offers services for preserving the integrity of a website, says that this type of attacks have increased lately, because using XML-RPC works faster and the attempts are more difficult to detect.
He says that this sort of abuse is possible “because many calls in the WordPress XMLRPC implementation required a username and password.” By simply providing a pair of credentials, a reply is returned informing if the combination allows access to the administration panel of the website or not.
Starting July 4, Sucuri has seen that attacks leveraging these parameters have become more frequent. The numbers are impressive, with a ten-fold increase since the beginning of the month: two million attempts originating from 17,000 different IP addresses.
Cid reports:- 200,000 attempts in some days.
Daniel Cid mentions other forms of protection, such as WordPress plugins, but it seems that during his tests none of the tried ones managed to offer protection against XML-RPC calls.