All you ever wanted to know about Brute Force Attacks
Best Practices to prevent Brute Force Attacks

The following are the top 3 steps that every WordPress site owner must take to protect against brute force attacks. They are quite simple to follow, yet very effective in their purpose.
Using Strong Passwords

Using strong passwords is one of the best practices recommended by any security expert. As per a recent statistics report, people most commonly use passwords like abc123, qwerty, 123456 that are oh-so-easy to crack. Unbelievable, yet true. The bots used by the attackers can crack such weak passwords within a few tries. In the case of a strong password, a bot will take a million attempts to get anywhere close. So always remember to use long, unpredictable passwords, avoid dictionary words, avoid reusing passwords, and change passwords regularly.
Renaming the Admin User

Hackers first look for the default username admin. Once found, they will try to crack your password to gain full control of your site. You can make their job harder by renaming the admin username to something unique. Now the hackers have an additional task: they must first guess your username before attempting to crack your password. It doesn’t end here though. Merely changing the username might not suffice. The admin account is associated with user ID 1 by default. In our article on How to change the user ID of your admin account, we saw how this user ID can be used to identify the corresponding username. Hence it is always better to change the user ID along with the username for the admin account.
Rate Limiting the Login Attempts

Another very useful way to protect your site against brute force attacks is by limiting the number of failed login attempts. This feature blocks out users once they reach the pre-configured number of failed attempts, for example 3. As bots tend to bombard our sites with indefinite login attempts, this mechanism is very effective in limiting their attempts. There are many security plugins that help you limit the maximum number of failed login attempts; users who exceed the limit are then blocked for a specified time period. Plugins like Limit Login Attempts are meant exclusively for this purpose. Other popular security plugins like BulletProof Security, All In One WP Security, Wordfence Security, iThemes Security, etc. also help you with login security.
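To show what such a plugin does under the hood, here is a minimal login rate limiter written as an added example for this article; it is not code from any of the plugins named above. It assumes only WordPress core hooks (wp_login_failed, authenticate, wp_login) and the transients API, and it assumes the site is not behind a reverse proxy, so REMOTE_ADDR is the real client address.

```php
<?php
/*
 * Plugin Name: Example Login Rate Limiter (illustration only)
 * Locks an address out after ELRL_MAX_ATTEMPTS failed logins, for
 * ELRL_LOCKOUT_SECONDS. The limit of 3 follows the article; the 15 minute
 * lockout is an assumed value.
 */

const ELRL_MAX_ATTEMPTS    = 3;
const ELRL_LOCKOUT_SECONDS = 900;

// Key the failure counter by client address. Behind a proxy you would derive
// the client IP from a header you trust instead (not done here; see lead-in).
function elrl_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'elrl_fail_' . md5($ip);
}

// Count each failure. Re-setting the transient on every failure makes the
// lockout window sliding: it ends ELRL_LOCKOUT_SECONDS after the last failure.
add_action('wp_login_failed', function ($username): void {
    $key   = elrl_client_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, ELRL_LOCKOUT_SECONDS);
});

// Refuse authentication once the counter reaches the limit. Priority 30 runs
// after core's username/password checks (priority 20), so even a correct
// password submitted from a locked-out address is rejected.
add_filter('authenticate', function ($user, $username, $password) {
    $fails = (int) get_transient(elrl_client_key());
    if ($fails >= ELRL_MAX_ATTEMPTS) {
        return new WP_Error(
            'elrl_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', ELRL_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// Reset the counter on a successful login so a user who mistypes once and
// then logs in correctly is not penalised later.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(elrl_client_key());
}, 10, 2);
```

A bot that rotates source addresses defeats a per-IP counter, which is why the article pairs this measure with strong passwords rather than relying on it alone.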
Additional Security Measures

We already learnt about the best practices to prevent brute force attacks. Here are a few more measures that are often used by WordPress users, and their associated challenges.
Hiding the Login Page

As brute force attacks depend on presets, hiding the well-known login page (wp-login.php) is strongly recommended as a security measure. This is the same page that you’re redirected to when you try to log into your site’s dashboard. Once the attacker lands on this page, he can launch an attack to crack your admin username and password. By renaming the login page to something else, you can add a layer of defense to your WordPress site. We haven’t listed this measure in our top recommendations as we believe it has limited benefits. For one, the 404 error page that is displayed when someone tries to access the default login page doesn’t help in a big way. Server resources are still utilized in order to fetch and display this error page. So the bots can continue to attack your site and use up your resources. Moreover, this makes usability much harder, as users normally expect wp-login.php to be the access point when they want to make modifications to the site.
Managing IPs using htaccess

Htaccess files are configuration files that are present on your web server. They are used to control access to a specific directory. Since access control forms an important part of securing sensitive parts of your WordPress site, it can be very effective in preventing brute force attacks. You can use your htaccess file to ban specific IP addresses that show up as suspects in your logs. This is also known as blacklisting. Here’s how (the keywords after Order are separated by a comma with no space; on Apache 2.4 these directives require mod_access_compat):

```apache
# Block one address, allow everyone else
Order Allow,Deny
Deny from 192.168.20.10
Allow from all
```

This logic can be extended to a range of addresses too.

```apache
# Block the whole 192.168.0.0/16 range (a trailing dot matches the prefix)
Order Allow,Deny
Deny from 192.168.
Allow from all
```

You can also manage access to your site by means of whitelisting. Permit only a set of known addresses and deny everyone else. This is nearly impossible to implement unless you are completely sure of your user network and hence won’t work with most sites.

```apache
# Allow only 192.168.22.0/24, deny everyone else. Note the Deny,Allow order:
# with Allow,Deny, "Deny from all" would override the Allow and lock everyone out.
Order Deny,Allow
Deny from all
Allow from 192.168.22.
```

There are many challenges with using htaccess for access management. It requires a thorough understanding of IP addresses, networks, and rules, which is beyond the comprehension of an average user. A small typo in a rule can result in a breakage. Moreover, you need to clean up your htaccess file frequently. If left unattended, it can bloat to a very large size and thus become unmanageable over time.
Two Factor Authentication

You might have used two-factor authentication with your Gmail. The same has now been extended to WordPress too. In this method, another factor known only to the user is used along with the username/password for authentication. Almost all sites that implement this today use smartphones to deliver the one-time passwords (OTP). This is pretty effective because everyone has a phone within reach. Moreover, unlike regular passwords, you can’t write these down for later use, which reduces the risk of passwords being stolen.
Adding CAPTCHA

Adding CAPTCHA to your login form can prove quite useful in mitigating attacks. You can use a plugin like Captcha to do this. The CAPTCHA must be entered correctly along with the username and password in order to gain access. Therefore, even if the login URL is known, the default “admin” username is used, and a dictionary-based (i.e. weak) password is in effect, the odds of a successful brute force attack reduce significantly. The only problem with CAPTCHAs is that they can sometimes be very hard to read.
Monitoring Failed Logins

One of our favorite plugins related to security, WP Security Audit Log, keeps track of all the failed login attempts on your site. It lets you identify the users that are under attack, and can even email you in such situations. You can learn more about this feature here.
Conclusion

It is extremely difficult to put a complete stop to brute force attacks. But with multiple countermeasures like limiting login attempts and changing the default admin username, you can limit your exposure to these attacks. However, the best defense is to configure strong, impenetrable passwords. Act now, if you haven’t done so already.
Akshat is the Founder and CEO of BlogVault, MalCare, and WP Remote. These WordPress plugins, designed for complete website management, allow 100,000+ customers to build and manage high-performance websites with ease.