Protect Website From Brute Force Attacks

Brute force login are the most common attacks conducted against websites, learn how to protect and prevent users & website data from them

Updated on December 23, 2022
Protect Website From Brute Force Attacks

What are brute force attacks, and how can I protect and prevent my users & applications from them? A brute force login attack is one of the most common (and least subtle) attacks conducted against web applications. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password, and see how to protect & prevent your website from attacks.

Protect Website From Brute Force Attack

Some crazy people out there will try to hack your blog. One of the most common types of hack attacks is Brute Force attacks, where a hacker runs a script and attempts to log in to your account by using different combinations of username and password.

We recently suffered a brute force login attack on visualmodo.Com. Whoever did this was trying to log in to our blog using different usernames like “admin”, “administrator”, and “visual”. Because of the high number of HTTP requests to the server, RTB went down.

So whenever visitors or I were trying to access the blog, this error was shown – “Internal Server Error. “ Our other sites on this server were also showing the same error.

However, I could stop the attack by contacting the hosting provider. But the In this post, I will share how to protect your WordPress blog from brute force attacks. Before moving to the tips, I would like to tell you what are Brute Force Attacks is before we can see how to prevent and protect a website from it.

What is Brute Force Attack?

Brute Force Attacks are attacks where hackers rapidly wheel through some directory names, usernames, passwords, and IP addresses to get access to private data or Files. Autobots or software are used to generate many continuous guesses to get the desired data.

This attack on WordPress blogs mainly targets the wp-login.php file to get access to blogs. It tries different usernames and passwords repeatedly until it gets in.

Brute Force Attacks Types & Styles

Offline brute force attacks are only possible when hackers access database files with encrypted information. Such a file is hard to get, but once hackers get it, offline attacks are much faster because they can try a different key to decrypt the information on the database on their computer than on the remote server. Hackers also don’t risk being discovered.

Online brute force attacks target a running website or mobile application. In a sense, you can send your bot to any online website, which is convenient, but it can be very slow because the hacker has to wait for the target server to say if the given password is wrong. Organizations also tend to limit requests to their vulnerable endpoints, further slowing down such brute-force attacks.

A dictionary brute force attack is a brute force attack in which hackers rely on a shared database of words: a dictionary. The hacker’s bot guessed usernames and passwords by combining dictionary words. Dictionary attacks have a higher success rate because users frequently use words in their passwords.

How to recognize a brute force attack?

A brute force attack aims to access confidential or proprietary information such as user or administrator accounts. Pages portals for such information are prime targets for brute force attacks.

So if you notice a surge in traffic to any of these sites, you may be vulnerable to a brute force attack. This is especially true when many requests come from the same IP or unusual countries. Of course, if you notice a lot of failed login attempts, that’s also a vital sign of a brute force attack.

How does a brute force attack work?

Brute-force bot attacks usually involve the following steps: Target URL address and parameter values: Hackers identify the pages of the target website and pre-configure the necessary parameter values ​​in their brute force attack tools. In addition to generic landing pages, these content management system (CMS) admin pages are also common targets:

  • WordPress wp-admin or wp-login.php login page
  • Magento /index.php and admin page
  • Joomla! administration staff
  • PrestaShop admin page
  • vBulletin Admincp
  • Drupal login page

Perform a brute force cracking process: The bot attempts to guess potential passwords by using lists of words in a dictionary, a rainbow table of calculated password hashes, or rules based on site characteristics (such as users) – and compares page name patterns.

Extracting content and data: With each successful login attempt, brute force attackers extract copyrighted content and data from target websites for fraudulent use, commercial gain, and other attack vectors.

Now see how to prevent and protect against brute force attacks on your WordPress website or blog

1. Avoid Common Usernames and Use a Strong Password

First, I’d recommend you change your default WordPress username. Don’t use usernames like “admin,” “administrator,” or your site name. These usernames are easy to guess. When Visualmodo was attacked, the hacker used the following usernames. To avoid these “easy to guess” types of usernames. Set a truly random username. So, a great way to protect & prevent a website from brute force attacks.

At the same time, you must make sure you are using a strong password. A strong password contains 8+ characters, no dictionary words, uppercase & lowercase letters, numbers, symbols (e.g. !@#$), etc.

You can also use an online strong password generator. One of the popular tools is – The passwords Generator.

2. Use JetPack Brute Force Attack Protection

JetPack is a powerful WordPress plugin by Automattic with a lot of features. Recently Jetpack has introduced a new feature called ‘Protect.’ It helps secure your WordPress sites from malicious and unwanted login attempts. That means your blog will be protected from brute-force attacks.

All you need to do is, install the plugin from here. Once you’ve activated the plugin, the ‘Protect’ option will be enabled automatically. However, you can check whether the Protect option is enabled or not by going to WordPress Dashboard > Jetpack > Setting. You can also whitelist an IP address, preventing it from being blocked by Jetpack. Just click on ‘Configure’ from the ‘Protect’ option.

3 . Wordfence Security – Firewall & Malware Scan

Another good recommendation for security plugins is the Wordfence Security – Firewall & Malware Scan, it has a range of security features, and the brute for attack protection is part of it. Moreover, this iso ne of my favorite security WP plugins.

4. Use Cloudflare CDN

Cloudflare is a free CDN service. You can use it to speed up your site and make it more secure. Cloudflare handles all Brute Force Attacks on WordPress blogs. I am using Cloudflare on Visualmodo. Unfortunately, the “Basic Protection Level” in Cloudflare settings was set to ‘Low’ at the time of the brute force attack.

Usually, the ‘Medium’ and ‘High’ options are suitable. But if you’re under attack ever just select the option “I am under attack!”. It will work within a short time. Configure the security settings if you are using Cloudflare on your blog.

5. Use ‘Limit Login Attempts’ WordPress Plugin

Protect Website From Brute Force Attacks
Protect Website From Brute Force Attacks

If you are using the Jetpack plugin or Wordfence, you don’t need to install this plugin.

This plugin’s new and reloaded version works with the latest WordPress version. This plugin limits the number of login attempts possible through standard login and auth cookies.

This plugin will limit the number of retry attempts when logging in (for each IP). It stops users from further attempts to log in after the specified number of failed logins.

So if your WordPress blog is attacked, you can block attacking IPs from attempting to log in over and over again.

6. Hide WordPress Login Page

This is a little bit risky. Only do this if you know what you are doing. You can hide your wp-login.php file so that the attackers won’t be able to find that page to attack. To do that, you will need a Plugin named WPS Hide Login. This plugin will hide the login page; you can log in to your site using a key combination or a special button.

You can hide the login page and other options. You can also select from a list of symbols to show on your blog. When you click on that symbol, you will see login options. Otherwise, you won’t. I think it’s safe to select Hidden and set a Key Combination to log in to your blog.

Check the box “Block wp-login.php” to hide the wp-login.php page. Make sure your .htaccess file has the correct permissions. And don’t forget to disable this option before uninstalling the plugin.

7. CAPTCHA is your friend and protector

The Fully Automated Public Turing Test for Distinguishing Computers from Humans (CAPTCHA) is a program that allows you to distinguish humans from computers. Captcha was first widely used by Alta Vista to prevent automated search submissions and is particularly effective at blocking any type of automated abuse, including brute force attacks.

They work by providing tests that are easy for humans to pass but difficult for computers; thus, they can infer with certainty whether there is someone on the other end.

For a CAPTCHA to be effective, people must be able to answer the test as accurately as possible 100% of the time. Computers must fail 100% if possible. Researchers at Carnegie Mellon University’s School of Computer Science have been working on improving and introducing new captchas.

Final Words

You can take steps to secure your WordPress blog from attacks. However, if your WordPress blog is under Brute Force Attack, here are some things you can do –

  • Contact your Hosting Provider immediately. They can help you out for sure.
  • If you use Cloudflare, change the Protection Level to “I am under attack!”

You should check this article if you use HostGator as your Hosting provider. This can be helpful. I hope this post helped you to protect your WordPress blog from brute force attacks. If you found this useful, don’t forget to share the post on Facebook, Twitter, and Pinterest.