Prevent Brute Force Attacks in WordPress

A brute-force attack is a trial-and-error attack: an attacker (almost always a script or botnet rather than a person) submits username and password combinations to the login form until one works. It succeeds mainly against sites with weak credentials, such as the username ‘admin’ paired with a password like ‘12345’, and against sites that never throttle failed logins.

Even when no guess succeeds, the flood of login requests costs you: every POST to wp-login.php starts PHP and loads WordPress, so a sustained attack can exhaust CPU and memory and slow down or take down the site for real visitors. (“HTTP requests” here means every request the server handles, not just page views by humans.)

How to Prevent Brute Force Attacks

Attackers hammer the ‘wp-login.php’ file over and over (and, because it accepts the same credentials, ‘xmlrpc.php’) until a guess succeeds or the server falls over. The following measures make that much harder:

1) ALWAYS USE AN UNUSUAL USERNAME

Early versions of WordPress created the administrator account as ‘admin’, and attackers still try that name first. Rename it: WordPress itself has no rename option, so use a plugin such as “Change Username” or create a new administrator and delete the old one. Avoid guessable names like “admin”, “administrator” or “boss”. Treat this as a speed bump only, not a secret: WordPress discloses usernames through author archives (?author=1 redirects to /author/<username>/) and the REST API (/wp-json/wp/v2/users), so the password and the measures below carry the real weight.

2) CREATE COMPLEX AND STRONG PASSWORD

A strong password prevents guessing and defeats brute force outright, because the search space is far too large to enumerate. Use a password generator or a password manager rather than inventing one. WordPress’s built-in strength meter shows how strong a new password is when you change it, and the ‘Force Strong Password’ plugin makes strong passwords mandatory for every user rather than optional.

Some of the things which need to be kept in mind while selecting a password are:

Avoid any permutation of your name, username, company name, or site name.
Don’t use a dictionary word, in any language.
Avoid short passwords; a long random passphrase beats a short “complex” one.
Mix letters, digits and symbols.
Enable two-factor (“two-step”) authentication as well: a guessed password alone is then not enough to log in.

3) USE SECURITY PLUGINS

Plugins such as Limit Login Attempts and IP Geo Block cap the number of failed logins from one IP address (or one country) before locking it out, which takes away the unlimited tries a brute-force attack depends on. Loginizer adds similar lockouts and can move the login URL. Admin-interface plugins such as WP Custom Admin Interface and Admin Menu Editor control what logged-in users see inside wp-admin; they do not stop login attempts. Keep in mind that lockouts keyed on IP address do little against a botnet that spreads its guesses over thousands of addresses, which is why the server-level measures below are worth adding.

4) PASSWORD PROTECT WP-LOGIN.PHP FILE

Putting HTTP Basic authentication in front of your ‘wp-login.php’ file adds a second password that must be supplied before WordPress ever sees the request. You need a ‘.htpasswd’ file holding the allowed users and their password hashes. Store it outside the document root if you can; if it must sit in the web root next to .htaccess, make sure the web server refuses to serve it (Apache’s default configuration already denies files whose names start with .ht, but verify that on your server).

After uploading the .htpasswd file, reference it from .htaccess to protect the route. For instance, if the .htpasswd file in your home directory contains the user asecretuser, add the following to your .htaccess file:

   

The “AuthUserFile” path depends on your server layout (it must be an absolute filesystem path, not a URL), and the “Require user” line names whichever user you created.

On Nginx the same protection comes from ngx_http_auth_basic_module (‘HttpAuthBasicModule’ in the old wiki); add the following location block inside your server block:

   

A relative ‘auth_basic_user_file’ path is resolved against Nginx’s configuration directory, so prefer an absolute path. Each line of the file has the following format:

   

Passwords in the file are stored as hashes, never in clear text. Nginx accepts the formats understood by the system crypt(3) as well as Apache’s apr1 (MD5) format, so a file produced by the htpasswd tool works. Generate the hash locally with htpasswd or ‘openssl passwd -apr1’ rather than pasting a real password into an online ‘htpasswd generator’.
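The pieces above, assembled into one POSIX shell script. This is an added example, not the article’s own fragments: it assumes a user named asecretuser, a password file kept outside the document root at /etc/wp-auth/.htpasswd, and PHP-FPM listening on unix:/run/php/php-fpm.sock, all of which you should change to match your server. It builds the .htpasswd line locally with openssl passwd -apr1 and prints both the Apache and the Nginx fragments; note that the Nginx block has to repeat the PHP handler, because an exact-match location for wp-login.php overrides the generic PHP location.

```shell
#!/bin/sh
# Added example, not code from the article: build the pieces that put HTTP
# Basic auth in front of wp-login.php. Assumed values (change them): the
# user is "asecretuser", the password file lives outside the document root
# at /etc/wp-auth/.htpasswd, and PHP-FPM listens on /run/php/php-fpm.sock.

# One .htpasswd line "user:$apr1$salt$hash". The apr1 (Apache MD5) format is
# verified by Apache and by nginx's own code, so it does not depend on what
# the system crypt(3) supports; bcrypt from "htpasswd -B" may not be.
htpasswd_entry() {
    user=$1 pass=$2
    case "$user" in
        ''|*:*|*[[:space:]]*) echo "bad user name: '$user'" >&2; return 1 ;;
    esac
    [ -n "$pass" ] || { echo "empty password refused" >&2; return 1; }
    # -stdin keeps the password out of the process list
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    [ -n "$hash" ] || return 1
    printf '%s:%s\n' "$user" "$hash"
}

# .htaccess fragment for the WordPress root: only wp-login.php is challenged,
# so normal visitors never see the prompt. Works on Apache 2.2 and 2.4.
apache_login_auth() {
    user=$1 file=$2
    cat <<EOF
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $file
    Require user $user
</Files>
EOF
}

# Block for the nginx server{} context. An exact-match location wins over the
# generic "location ~ \.php$", so the PHP handler must be repeated here or
# the file would be served as plain text after the login prompt.
nginx_login_auth() {
    file=$1 fpm=$2
    cat <<EOF
location = /wp-login.php {
    auth_basic "Restricted";
    auth_basic_user_file $file;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    fastcgi_pass $fpm;
}
# nginx does not block dotfiles by itself; never let .htpasswd be downloaded
location ~ /\.ht {
    deny all;
}
EOF
}

# Demo on the assumed values (prints to stdout; redirect into the real files)
apache_login_auth asecretuser /etc/wp-auth/.htpasswd
nginx_login_auth /etc/wp-auth/.htpasswd unix:/run/php/php-fpm.sock
if command -v openssl >/dev/null 2>&1; then
    htpasswd_entry asecretuser 'correct horse battery staple'
fi
```

Append the htpasswd_entry output to /etc/wp-auth/.htpasswd, make the file readable by the web server user only (for example root:www-data, mode 640), and reload the web server. If you still prefer the htpasswd tool, use its -m (MD5/apr1) option when the file must also serve Nginx.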

5) LIMIT ACCESS TO WP-LOGIN.PHP BY IP

If you always log in from a fixed IP address, you can deny everyone else access to wp-login.php from ‘.htaccess’ (Apache) or ‘web.config’ (IIS). This is IP allowlisting (often called whitelisting). One caveat: if the site sits behind a CDN or reverse proxy such as Cloudflare, Apache sees the proxy’s address rather than yours; configure mod_remoteip (or otherwise trust the proxy’s forwarded client address) before relying on this, or the rule will lock you out along with the attackers.

To allow a single IP address (e.g., 203.0.113.15) into the admin login, create or edit the .htaccess file and add the following code:

    

To allow more than one IP address, edit the .htaccess file as below.

    

On Apache 2.4 the default authorization module (mod_authz_core) uses a different syntax, ‘Require ip’; the old Order/Allow/Deny directives only keep working there if mod_access_compat is loaded:

     

To allow several IP addresses on Apache 2.4, add:

     

6) DENY ACCESS TO NO REFERRER REQUESTS

Browsers that submit the real login form send a Referer header pointing at your site, whereas many brute-force scripts POST straight to wp-login.php with no Referer at all. Adding the following block to the ‘.htaccess’ file rejects such POSTs. Treat it as a noise filter, not a security control: the header is trivial to forge, and visitors whose browser or privacy extension strips Referer will be refused as well.

     
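Sections 5 and 6 together as one added example (not the article’s code): a POSIX shell function that validates the IPv4 addresses or CIDR ranges you pass in, emits the wp-login.php allowlist in either the Apache 2.2 Order/Deny/Allow form or the Apache 2.4 Require ip form, and appends the Referer check from section 6. The site URL https://example.com and the RFC 5737 test addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article: emit a .htaccess that lets only
# listed IPv4 addresses or CIDR ranges reach wp-login.php and refuses POSTs
# to it that do not carry this site's Referer (sections 5 and 6).
# Assumed placeholders: site URL https://example.com, RFC 5737 addresses.
# "2.4" means mod_authz_core (Require ip); "2.2" means the old
# Order/Deny/Allow syntax, which 2.4 only accepts with mod_access_compat.

# Accept "a.b.c.d" or "a.b.c.d/n" with every octet 0-255 and n 0-32.
# Anything else (a hostname, a glob or shell metacharacter) is rejected so
# it can never end up inside the generated file.
valid_ip_or_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    ip=${1%%/*}
    if [ "$ip" != "$1" ]; then
        prefix=${1#*/}
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the .htaccess. Usage: wp_login_htaccess 2.4|2.2 SITE_URL ADDRESS...
# The Referer rule also fires on an empty Referer, since an empty value does
# not start with the site URL either.
wp_login_htaccess() {
    version=$1; site=$2; shift 2
    case "$version" in 2.2|2.4) ;; *) echo "version must be 2.2 or 2.4" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    for ip in "$@"; do
        valid_ip_or_cidr "$ip" || { echo "rejecting '$ip'" >&2; return 1; }
    done
    site_re=$(printf '%s' "$site" | sed 's/\./\\./g')   # escape dots for the regex
    echo '<Files "wp-login.php">'
    if [ "$version" = "2.4" ]; then
        echo "    Require ip $*"
    else
        echo '    order deny,allow'
        echo '    deny from all'
        for ip in "$@"; do echo "    allow from $ip"; done
    fi
    echo '</Files>'
    cat <<EOF

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST\$
RewriteCond %{REQUEST_URI} /wp-login\.php\$
RewriteCond %{HTTP_REFERER} !^${site_re}/ [NC]
RewriteRule ^ - [F,L]
EOF
}

# Demo with constructed values; redirect into the WordPress root's .htaccess
wp_login_htaccess 2.4 https://example.com 203.0.113.15 198.51.100.0/24
```

Run it once per change of address and check the login page from an address that is not on the list before you log out; with the 2.4 syntax every address goes on one Require ip line, which is what mod_authz_core expects.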

7) BLOCKLISTS

Surveys of attack traffic repeatedly find that a handful of countries account for a large share of brute-force sources; the study this article draws on names Russia, Kazakhstan and Ukraine. If your site has no legitimate visitors there, you can block those countries’ address ranges outright: download a blocklist from the internet, then load the block rules into iptables with a short shell script. Blocking whole countries is not an option for a global site; in that case load a list of known spammer and attacker addresses instead. Either list goes stale quickly, so refresh it on a schedule, and remember that attackers rent servers and proxies everywhere, so geo-blocking reduces the noise rather than stopping a determined attacker.
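The “load block rules with iptables using some shell scripting” step, as an added example rather than the article’s own script: it cleans a downloaded list (one IPv4 address or CIDR per line with # comments, the way most public blocklists are formatted) and prints the commands that load it into an ipset and attach a single iptables DROP rule for ports 80 and 443, rebuilding the set atomically on every refresh so the rule never sees a half-loaded list. The set name wp_block, the port choice and the sample list are assumptions; apply_blocklist runs the printed commands and needs root and the ipset package.

```shell
#!/bin/sh
# Added example, not code from the article: turn a downloaded blocklist into
# iptables rules via an ipset, so thousands of networks cost one rule instead
# of one rule each. Assumptions: the list is one IPv4 address or CIDR per
# line with '#' comments; the set is named wp_block; only web ports are
# filtered so SSH and other services stay reachable from anywhere.

SET_NAME=wp_block

# Keep only syntactically plausible IPv4 entries, deduplicated. ipset itself
# rejects the remaining bad values (octet > 255, prefix > 32) at load time.
clean_blocklist() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | sort -u
}

# Print the commands that rebuild the set atomically (fill a temporary set,
# then swap it in) and make sure the DROP rule referencing it exists once.
blocklist_rules() {
    file=$1
    n=$(clean_blocklist "$file" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no usable entries in $file" >&2; return 1; }
    echo "ipset create $SET_NAME hash:net -exist"
    echo "ipset create ${SET_NAME}_new hash:net -exist"
    echo "ipset flush ${SET_NAME}_new"
    clean_blocklist "$file" | sed "s|^|ipset add ${SET_NAME}_new |; s|\$| -exist|"
    echo "ipset swap ${SET_NAME}_new $SET_NAME"
    echo "ipset destroy ${SET_NAME}_new"
    echo "iptables -C INPUT -p tcp -m multiport --dports 80,443 -m set --match-set $SET_NAME src -j DROP 2>/dev/null \\"
    echo "  || iptables -I INPUT -p tcp -m multiport --dports 80,443 -m set --match-set $SET_NAME src -j DROP"
}

# Execute the generated commands (root only); stop at the first failure.
apply_blocklist() {
    blocklist_rules "$1" | sh -e
}

# Demo on a constructed list (RFC 5737 test networks); prints, does not apply
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
# constructed sample blocklist
203.0.113.0/24      # a noisy /24
198.51.100.7
not-an-address
192.0.2.0/24
EOF
blocklist_rules "$tmp"
rm -f "$tmp"
```

Schedule apply_blocklist from cron (daily is plenty for country lists, hourly for reputation feeds) right after re-downloading the list, and keep a copy of the previous file so a broken download, which makes blocklist_rules refuse to run, leaves the old set in place rather than emptying it.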

8) CLOUD/PROXY SERVICES

Services such as Cloudflare and Sucuri CloudProxy sit in front of your server and drop abusive traffic before it ever reaches you. They only help if attackers cannot go around them: restrict your origin server to accept web traffic from the proxy’s published IP ranges, otherwise anyone who learns the origin address can hit wp-login.php directly.

Conclusion: No site can be made 100% hack-proof; new vulnerabilities are discovered constantly, and there is always a gap between a bug being found and a fix being released and applied. The measures above will, however, stop the overwhelming majority of brute-force attempts against a WordPress site. If you need any help, please contact our support department.
