@kreeger
The old style (single method) and the recent/new amplified type of xmlrpc brute force attacks (using the system.multicall method) really were not any problem for the iTSec plugin to begin with.
The iTSec plugin brute force protection feature would lock out the IP addresses of ANY xmlrpc type attacks after 5 invalid login attempts within 5 minutes. After 3 lockouts within 7 days on the same IP the IP address would be banned in the .htaccess file (assuming one has enabled the right iTSec plugin settings). Note that any number mentioned above is configurable …
The iTSec plugin also allows you to completely disable xmlrpc altogether.
However as of release 5.1.0 iThemes added a new setting named “Multiple Authentication Attempts per XML-RPC Request” to the WordPress Tweaks section of the Settings page that is supposed to protect your site against the new amplified type of xmlrpc brute force attacks.
Where the brute force protection feature locks out the IP address after 5 invalid login attempts within 5 minutes, the “Multiple Authentication Attempts per XML-RPC Request” setting will halt further xmlrpc (system.multicall) execution when it detects that the second attempt to login is using a different username and/or password compared to the first login attempt. Such a pattern makes the system.multicall xmlrpc request look like a brute force attack.
I think it is working though it does contain one bug …
Also I think this feature could be improved.
Simply halt system.multicall xmlrpc execution after the first login attempt fails …
Note the “Multiple Authentication Attempts per XML-RPC Request” setting value (Allow) is by default NOT protecting your site against system.multicall xmlrpc attacks … Which I think is odd. It would make sense to always enable this setting by default (Block) …
There is more relevant reading on this topic at iThemes and Sucuri.
dwinden
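As an added illustration of the two policies discussed in the post (this is not code from the iTSec plugin or from dwinden), the following screens a system.multicall body for the login pattern described: halting when a later sub-call carries credentials that differ from the first one, or, as the post proposes, halting on the first failed login. It assumes wp.getUsersBlogs(username, password) is the credentialed sub-call and uses a constructed stand-in for the site's real credential check.

```python
import xmlrpc.client

# Constructed sample request: one system.multicall carrying three
# wp.getUsersBlogs(username, password) sub-calls with differing credentials.
SAMPLE_MULTICALL = xmlrpc.client.dumps(
    ([
        {"methodName": "wp.getUsersBlogs", "params": ["admin", "guess-1"]},
        {"methodName": "wp.getUsersBlogs", "params": ["admin", "guess-2"]},
        {"methodName": "wp.getUsersBlogs", "params": ["editor", "guess-3"]},
    ],),
    methodname="system.multicall",
)

# Hypothetical stand-in for the site's real credential check (constructed).
VALID = {"editor": "correct horse battery staple"}


def check_login(user, password):
    return VALID.get(user) == password


def screen_multicall(body, policy="change"):
    """Walk a system.multicall body and return the index of the first sub-call
    at which further execution should halt, or None if the batch may run.

    policy="change": halt when a later wp.getUsersBlogs call carries a
      username and/or password different from the first one (the behaviour
      of the plugin setting as described in the post, generalised to any
      later sub-call rather than only the second).
    policy="first_failure": halt as soon as one login attempt fails
      (the stricter rule proposed in the post).
    """
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return None
    first = None
    for i, call in enumerate(params[0]):
        if call["methodName"] != "wp.getUsersBlogs":
            continue
        creds = tuple(call["params"][:2])
        if policy == "change":
            if first is None:
                first = creds
            elif creds != first:
                return i
        elif policy == "first_failure":
            if not check_login(*creds):
                return i
    return None
```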