Even if every possible security measure is in place, no site is perfectly safe from attacks of all types. By default, your website is vulnerable to potential malware just like any other network-connected machine. Statistically, brute force attacks are known to account for 5% of all data breaches, an alarming rate, and the problem is expected to grow with the rapid advancement of computing hardware.
It could be a real nightmare if you do not have a clue how to protect your website from brute force attacks. Read on to learn how to put several measures in place to maintain security, so that your website can come close to impenetrable in the face of the most dedicated brute force attacks.
Brute Force Attack Definition
A brute force attack is a very large number of automated trial-and-error attempts to guess a login credential correctly and penetrate a password-protected service, which in our case is a website. As the term implies, this systematic effort is by and large blind and exploits no intelligence about the target.
On the other hand, it comes with a heavy workload, and successful execution of this type of attack requires supercomputers, as it may take forever, literally a lifetime, to crack a username/password pair using an ordinary workstation. This type of cybersecurity threat has been around for a very long time, but surprisingly it remains a growing menace to websites.
While it does not take much skill to launch a brute force attack on a website, it does take a skilled person to adjust the settings and configurations needed to counter the assault. If a brute force attack succeeds, it may have devastating consequences such as stolen personal information, a ruined organizational reputation, and financial blackmail, each of which is a real nightmare.
How to prevent brute force attacks
- The login URL for a WordPress website looks like this: https://www.example.com/wp-login.php. The part wp-login.php is there by default. You may hide your login page by changing this part to whatever you want. To actually conceal your website login, open WordPress, install and activate the “WPS hide my logins” plugin, and simply type in a different URL there.
WARNING: If you lose the new URL, you will not be able to log in anymore. So please create a backup of your site files and your database before altering the default URL.
- Since brute force attacks, by their nature, try as many combinations of characters as possible until they get one right, it is vital to make your website passwords longer and more complex, so that a correct guess is delayed by years. With this basic strategy in place, the intruder may give up and the threat could be averted.
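To see why length and character variety delay a correct guess by years, here is an added Python example (not from the original article) that computes the search space of a password and the worst-case time to exhaust it. The guess rate of 10 billion per second is an assumed figure chosen for illustration, not a measured one; real rates depend on the hash function and the hardware.

```python
import math
import string

# Assumed attacker throughput, a constructed figure for illustration only:
# 10 billion guesses per second. Real rates depend on the password hash and hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool containing every character used.

    A blind attacker must search the whole pool, so a single symbol or digit forces the
    search space to grow for every position, not just the one where it appears.
    """
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(pool) for pool in pools if any(c in pool for c in password))


def keyspace(pool_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return pool_size ** length


def entropy_bits(password: str) -> float:
    """Approximate search-space entropy in bits (length * log2(pool))."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate of this length and pool at the given rate."""
    return keyspace(charset_size(password), len(password)) / rate / SECONDS_PER_YEAR


def compare(passwords):
    """Return (password, pool, bits, years) rows so the growth can be seen side by side."""
    return [(p, charset_size(p), round(entropy_bits(p), 1), years_to_exhaust(p)) for p in passwords]


if __name__ == "__main__":
    for row in compare(["password", "Passw0rd", "Passw0rd!", "correct-horse-battery-staple-42!"]):
        print("%-34s pool=%-3d bits=%-6.1f years=%.3g" % row)
```

The point the numbers make is that each extra character multiplies the work by the pool size, so length is the cheapest way to push the worst case from seconds into geological time; the model assumes a blind search and says nothing about dictionary or leaked-password guessing, which is why the word-based example still needs to be unique.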
- You may add an extra layer of security to your website by putting two-step authentication, also known as two-factor authentication, in place. Basically, you will need to provide an extra login credential, apart from the usual password, to be allowed past your login page. For this extra confirmation, a numeric code is usually sent to your cellphone via email or SMS to verify your identity. You may use Google to enable this service for free for your website. This second step can also be done with a range of verifiable methods such as face recognition, trusted locations, and so on. Depending on your preference, you may opt for security over convenience or the other way around for your website. You do not want this security measure to be more of a hindrance than a help, and you do not want to find yourself locked out of your own website.
- The next thing you can do is install and enable a firewall. A firewall is basically a set of rules that decides whether to allow or block an entry attempt from a particular IP address. The settings can be manually configured to meet your particular needs. To put a firewall to practical use, it is recommended to use another WordPress plugin called Wordfence.
When selecting a firewall service, one thing to keep in mind is to go for the firewall utility that has a fairly large network of active users, so that any destructive IP address is treated as a common threat to all users and acted upon as such.
- Using SSH (Secure Shell) to remotely log in to your website is another strong barrier against the most dedicated brute force attacks. SSH facilitates a secure login through end-to-end encryption. The method uses authentication models to tunnel otherwise unprotected traffic over a secure connection. Since passwords are vulnerable to brute force attacks, the technically preferable model is to create a secure key pair, known as SSH keys, consisting of a public and a private key, for extra security. As with any security measure, SSH can potentially be sidestepped, so it cannot be the only shield on your website against brute force attacks.
How to Detect Brute Force Attacks
Enabling CAPTCHA is a typical yet proven effective approach to stopping bots from sending too many login requests in a short period of time. This method is expected to protect the login page, put a stop to a mounting volume of spam, and lighten the associated load on the server. Otherwise, thousands of login requests per minute could overwhelm your site or even shut the server down.
Multiple unsuccessful login attempts from a particular IP address are likely to be a brute force attack trying to infiltrate the website server, and it is advisable to temporarily ban the associated IP address to discourage further illegitimate entry attempts. To do that, open WordPress and install and activate Limit Login Attempts Reloaded. In this plugin, you may simply adjust the settings in detail to your liking.
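As an added example (not from the article or from the plugin), here is the detection and temporary-ban logic in Python, run over a few constructed access-log lines. The log format, the IP addresses (RFC 5737 documentation ranges) and the assumption that a failed WordPress login POST answers 200 while a successful one redirects with 302 are all constructed for the example, and the thresholds (5 failures within 5 minutes, 20-minute lockout) are illustrative settings, not the plugin's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed web-server access log in the common log format. The IPs are from the
# documentation ranges (RFC 5737). Assumption for this sample: a successful WordPress
# login POST answers with a 302 redirect, while a failed one re-renders the form with 200.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.20 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.20 - - [10/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.7 - - [10/Mar/2024:10:00:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.7 - - [10/Mar/2024:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3125
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


class LoginGuard:
    """Sliding-window failure counter with a temporary per-IP lockout."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=20)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> datetime the ban expires
        self.ban_events = []                 # (ip, when) for every ban issued

    def is_banned(self, ip: str, now: datetime) -> bool:
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Record one failure; return True if this failure triggered a lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.lockout
            self.ban_events.append((ip, now))
            recent.clear()
            return True
        return False

    def process(self, lines):
        """Feed log lines in order; return the list of (ip, when) ban events."""
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            ip, ts, method, path, status = parsed
            if method != "POST" or not path.startswith("/wp-login.php"):
                continue                     # only login submissions count
            if self.is_banned(ip, ts):
                continue                     # the firewall would already be dropping these
            if status == 302:
                self.failures[ip].clear()    # successful login resets the counter
            else:
                self.record_failure(ip, ts)
        return self.ban_events


def banned_at(guard: LoginGuard, ip: str, iso_time: str) -> bool:
    """Convenience check using an ISO-8601 timestamp such as '2024-03-10T10:00:15+00:00'."""
    return guard.is_banned(ip, datetime.fromisoformat(iso_time))


def run_sample() -> LoginGuard:
    guard = LoginGuard()
    guard.process(SAMPLE_LOG.splitlines())
    return guard


if __name__ == "__main__":
    g = run_sample()
    for ip, when in g.ban_events:
        print(f"{when.isoformat()} ban {ip} until {g.banned_until[ip].isoformat()}")
```

On the sample, 203.0.113.7 reaches five failures at 10:00:14 and is locked out for twenty minutes, while 198.51.100.20 logs in successfully on its third try and is left alone. A ban keyed on the source IP is the same signal a firewall consumes, which is why the two measures complement each other; an attacker rotating through many addresses will need a per-account threshold as well.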
Intrusion Detection System (IDS)
The aforementioned preventive measures build a strong safety shield for a website, but no server is perfectly secure. Consequently, it is prudent to look for probable unauthorized usage. An IDS keeps a record of configuration and file details and tags the known state as normal. In case of an unusual change in the files or settings, the administrator will be notified or an appropriate action is triggered to clear out the threat(s) and prevent further harm.
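A minimal version of what such an IDS records and checks, added here as an illustration (not the article's or any product's code): a Python file-integrity monitor that baselines the SHA-256 hash, size and permission bits of every file under a site root and reports additions, removals and modifications. The site tree it builds in a temporary directory is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Content hash plus the metadata an IDS typically records for a file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path) -> None:
    # The baseline must live outside the web root (and ideally read-only), or an intruder
    # who can write to the site could simply update it to match their changes.
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed content/metadata since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in baseline.keys() & current.keys()
                           if baseline[name] != current[name]),
    }


def demo() -> dict:
    """Build a tiny constructed site tree, baseline it, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "site"
        (root / "wp-content").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
        baseline_file = Path(d) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated changes an administrator would want to hear about.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // edited\n")
        (root / "wp-content" / "unexpected.php").write_text("<?php echo 'new file';\n")
        (root / "wp-content" / "index.php").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the snapshot is taken right after a clean install or update, stored where the web server cannot write, and re-run on a schedule; any entry in the report that does not correspond to a known deployment is the "unusual change" the text describes and deserves a notification.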
The seriousness of brute force attacks and their complications should prompt any website owner to implement a list of engineered measures to keep the website out of harm’s way. Earlier in this article, the nature of brute force attacks was identified.
Brute force attacks are a rising threat as computers gain impressive and unprecedented computing power, and dealing with this sort of cyberattack seems to have attracted increasing attention in recent years. A dedicated brute force attack is capable of storming your login page and causing substantial damage unless a whole series of measures are enforced to shield the website. As the first strategy, you may hide your login page so that malware is unable to pinpoint the target and gives up. The next strategy is to make your password longer and more complex to deter brute force attacks.
Implementing CAPTCHA is another helpful approach that keeps illegitimate traffic away. You may opt for two-factor authentication and SSH to add extra security guards. Firewalls are also another good line of defense. You may also automate blocking suspicious IP addresses after several failed login attempts. To actually put these measures in place, WordPress plugins and Google are, in my view unbeatable compared to other service providers, able to facilitate many of our strategies. I hope you use this article to keep your website well protected from brute force attacks.