Disable XML-RPC system.multicall authenticated requests on the first auth failure

[dd32]

Recently ​Securi published a post about a Brute Force Amplification Attack affecting WordPress by using system.multicall.

WordPress should cause XML-RPC authentication to fail on all subsequent multicall calls silently to prevent this attack being viable against WordPress.

The attached patch implements this suggestion, and although it breaks the XML-RPC spec I think we should enforce this.
Multiple user authentications are still possible when using system.multicall, the only catch is that once one fails authentication, all the further attempts will also fail.

[Otto42]

+1. This is a simple patch that does not break anything, except perhaps the spec. Given the planned changes for REST, this is a good mitigation.

[dd32]

In 35366:

XMLRPC: Prevent authentication from occuring after a failed authentication attmept in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single system.multicall call. In the event that authentication fails, all following authentication attempts in that call will also fail.

Props dd32, johnbillion.
Fixes #34336

[dd32]

In 35367:

XMLRPC: Revert the changes to WP_XMLRPC_UnitTestCase in [35366] as they weren't required.

See #34336

[dd32]

Thanks for the Unit Tests @johnbillion.

I had to split up test_login_pass_ok to test failing authentication separately as it was relying upon the changed behaviour.

[knutsp]

A candidate for other branches?

[johnbillion]

Replying to knutsp:

A candidate for other branches?

Yep, if a 4.3.2 happens.