What is a Brute-Force attack?
A “brute force” attack is based on guessing the login and password. While the logic is quite simple (try different combinations repeatedly until you get it right), brute force attacks are usually performed by bots capable of trying thousands of combinations in a minute.
There are 4 things needed for a successful brute force attack:
- Login page
- The freedom to try thousands of different combinations with no restriction
Securing even one of these areas will make your website much better protected. Compared to other types of attacks, launching a brute force attack is easy. In WordPress, a POST request is sent to the wp-login.php file over and over using different username and password combinations.
In this article, we will cover some methods of preventing brute force attacks against WordPress.
Don’t use a common username and password
For bots able to try millions of combinations in a short period, guessing “admin” as a login name and “mypassword” as a password won’t cause any trouble. Any username and password can be hacked if given enough time. Make your credentials as complex as possible so a brute force attack would need to spend months or years trying to find the right combination.
Never use “admin” as a username and “password” as a password. For the password, use a combination of upper and lower-case letters, and add punctuation, numbers and other non-alphanumeric characters. Basically, “F3*fks824Rd%2r” is way better than “johny1990”.
Change default WordPress admin URL
By default, the WordPress admin page URL is /wp-admin or /wp-login.php. How difficult is it to find those? Not at all. A brute force attack can’t be made without the admin URL, so it makes sense to change it so that only you know the correct URL. We suggest using the HC Custom WP-Admin URL plugin as it’s free and easy to use.
As we mentioned before, bots need to go through billions and trillions of combinations to guess a website’s credentials correctly. Imagine how many attempts they need. One trillion? 500 trillion? Surely it depends on the username and password lengths and the characters used, but restricting the number of repeated login attempts from one IP will turn the brute force bots’ life into a nightmare. You can restrict the number of login attempts manually in .htaccess, but we recommend using the Login Lockdown plugin.
Password Protecting /wp-admin and /wp-login.php
/wp-admin and /wp-login.php can be protected by adding HTTP Basic Authentication. Basically, it means adding one more security level (a brute force bot will have to crack an additional password before even accessing the /wp-admin or /wp-login.php pages). If you changed the default WordPress admin URL, you can use this method as well.
Steps to protect /wp-login.php in Apache:
1. Generate a .htpasswd file with an htpasswd generator.
2. Place this file in the same location as your .htaccess file (usually root folder).
3. Let’s say your .htpasswd file includes the username “leavemealone”. Place the following code in your .htaccess file (replace the AuthUserFile path with the absolute path of the .htpasswd file from step 2):
## Stop Apache from serving .htpasswd files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
## Ask for the additional password only on the login page
<Files wp-login.php>
AuthType Basic
AuthName "Private access"
AuthUserFile /absolute/path/to/.htpasswd
require user leavemealone
</Files>
WordPress is not loaded during the additional authentication step, but the server still consumes CPU while verifying credentials. So if requests are sent in large numbers, your website can go down. That’s why we recommend adding Login Lockdown as well.
Are you a human?
Brute force attacks are usually done using bots, and bots can’t solve captchas (at least for now). Adding a captcha is a simple and effective way to prevent bots from submitting forms on your website. Check this article to learn how to integrate Google’s No CAPTCHA reCAPTCHA in the WordPress login form.
Brute Force Login Protection Plugin
The Brute Force Login Protection plugin protects your website from brute force attacks.
Main offered features are:
- Limit the number of allowed login attempts using normal login form
- Limit the number of allowed login attempts using Auth Cookies
- Manually block/unblock IP addresses
- Manually whitelist trusted IP addresses
- Delay execution after a failed login attempt (to slow down brute force attack)
- Option to inform user about remaining attempts on login page
- Option to email administrator when an IP has been blocked
- Custom message to show to blocked users
As this plugin relies on the IP address, it doesn’t protect your website from a distributed brute force attack (when the attack is made from several computers).
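The core of what Login Lockdown and the plugin features above do, as an added example that is not part of the original article or of either plugin: count POST requests to wp-login.php per IP over a sliding time window in Apache access-log lines, skip a trusted-IP whitelist, and report the IPs that crossed the limit. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches an Apache combined-log line for a POST to the WordPress login page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3})'
)

def parse_login_post(line):
    """Return (ip, timestamp, status) for a POST /wp-login.php line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_lockdown_ips(lines, max_attempts=5, window=timedelta(minutes=5), whitelist=()):
    """Return {ip: time_of_lockdown} for IPs that POST to wp-login.php more than
    max_attempts times inside a sliding window. Every POST counts: a failed WordPress
    login answers 200 (form re-rendered) and a success 302, so status alone is a weak
    failure signal. Whitelisted IPs (the plugin's trusted-IP list) are never reported."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_login_post(line)
        if parsed is None:
            continue
        ip, ts, _status = parsed
        if ip in whitelist or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            blocked[ip] = ts
    return blocked

# Constructed sample log lines (documentation IP ranges, not real traffic):
# six POSTs from one IP within a minute, then one normal login from another IP.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"'
    for s in range(0, 60, 10)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 8001 "-" "Mozilla/5.0"',
]
```

Running `find_lockdown_ips(SAMPLE_LOG)` reports only 203.0.113.5, with the timestamp of the sixth attempt; the same IP disappears from the result when it is whitelisted or when the limit is raised.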
The BruteProtect plugin is a cloud-powered brute force prevention plugin. This plugin is now a part of the Jetpack plugin and is no longer supported on its own. Jetpack is owned and managed by Automattic (the WordPress creators), so we consider it more than trustworthy. Jetpack is a compilation of plugins offering a wide range of features, and brute force protection is one of them. But if you don’t want a bunch of features you may not need, installing the BruteProtect plugin on its own is still fine, as it does what it’s supposed to do.
The way BruteProtect works is simple: every site that has this plugin installed becomes part of a global network, and when an IP address is blocked due to malicious activity, it’s shared among all the sites so that the suspicious IP can be blocked before it harms any of them.
Cloudflare is another great tool to protect your website against brute force attacks. Cloudflare offers a number of features to “supercharge your website”, and prevention of malicious requests is one of them. Once a website becomes part of the Cloudflare network, its traffic is routed via their global network. Cloudflare optimizes the delivery of your pages so users experience faster loading and better performance. Cloudflare offers free and paid subscriptions, and if preventing brute force attacks is your main concern, then the free plan would be enough. Here’s a picture describing how its protection works:
Sucuri Website Firewall
Preventing brute force attacks is one of the features of Sucuri’s Firewall. It claims to fully protect your website against bad bots, scanning tools, and semi-manual methods. Here is the list of tools and methods Sucuri’s Firewall can protect from:
All incoming traffic is sanitized by the Firewall, and if a pattern matching a brute force attack is detected, that traffic is blocked before reaching your website. With the Sucuri Firewall you can also set up advanced login lockdown, enable two-factor authentication, add a Captcha or an additional passcode, block traffic from specific countries and much more.
To sum up, we compiled a list of recommended steps to protect your website from brute force attacks:
- Use a strong password
- Change default WordPress admin username
- Change default WordPress admin URL
- Add second layer password protection to admin URL
- Add Captcha
- Restrict the number of repeated login attempts from one IP (Login Lockdown)
- Periodically check your domain in Google’s safe browsing
- Always keep a fresh backup of your website
- Keep everything updated (WordPress version, plugins, themes)
- Use additional protection software like Cloudflare or Sucuri