Brute force attacks are common against web services. Any website is a potential target. However, criminal actors usually choose the most popular to increase their chances of success. WordPress is one of their favorite targets. This platform is so popular that out of one million top websites on the Internet, over 75% are created using WordPress. Being such a strong market leader makes WordPress an attractive target for attackers. One popular type of attack is password brute force on WordPress websites.
One of the methods many hackers use to access a WordPress site is to launch a brute force attack. Like any hacking attempt, these attacks are intended to allow hackers to access the system so that they can delete content, add their own content, or perform other Machiavellian actions. A brute force attack is one of the easiest ways to access a system.
In this article, we will cover some major aspects: what a brute force attack is, its impact and consequences, and tips to stop brute force attacks on your WordPress site.
The basic idea behind this type of hacking is simple: the attacker (usually an automated system) tries as many passwords as possible until he finds the one that works. It may seem that this approach takes some time, but it is really effective since many people do not use complex passwords. In addition to compromising your system, these attacks also slow down the loading time of the site. They can even crash it completely, because the attacker usually tries ten passwords every few seconds.
The brute force search or exhaustive search method is a method of solving problems in the fields of cryptology, computer science and game theory. This method is aptly named because it is based on the use and testing of all possible solutions hence also the term exhaustive search. Usually this kind of attack is done by botnets.
The goal of a brute force attack [see:wikipedia] is to obtain valid credentials for the WordPress site and use them to access the admin panel. Access to the admin panel means that the attacker gains complete control over the website. Compromised WordPress sites can be used for different purposes: deface, steal credentials, host malicious files, inject malicious code to the pages, or make the website part of a specific malware infrastructure.
This technique is used when there is no better valid algorithm. Hackers who use this method are particularly eager to crack passwords and can easily access personal data. Brute force attacks are effective because many users don’t choose secure passwords. If users follow basic guidelines when creating passwords, or, even better, use a password generator, the chances of a bot guessing the right password are tiny. A sufficiently complex password takes centuries to guess.
For this, they use software with a simple algorithm that quickly and sequentially tries a large number of character combinations including numbers, spaces and letters up to a defined maximum length.
The shorter and simpler the password, the faster it can be cracked with the brute force method. This is why passwords with different characters are generally recommended and it is also advisable to use an encoding system for very large keys or passwords.
Since the amount of computing power needed to perform a brute force attack becomes more and more readily available, it means that attack attempts can be made in a shorter period of time, making full protection against attacks.
Due to the potential number of requests being sent, a brute force attack can actually function similarly to a WordPress DDoS attack, taking many sites down due to high utilization of CPU/memory.
Here are conditions that could indicate a brute-force attack or other account abuse on your website:
There are many potential negative consequences that may occur if your business's website is hacked:
There are two types of brute force attacks that can take place.
[Source: cisco.com]
In the vertical brute force attack, every bot attempts a full dictionary attack against a single website. This type of brute forcing can be easily detected and blocked using a simple counter for user login attempts. In a standard brute force attack, an infected user systematically tries different username and password combinations. In a distributed and vertical brute force attack, each infected user targets a specific website and systematically tries every credential provided by the bot master.
In the horizontal brute force attack, the bot master handles the dictionary used for the attack. Each bot receives a small subset of it, attempting a few username and password combinations against a single website. In a horizontal brute force attack, an infected host attempts a single username and password combination per WordPress website. This makes detection much harder, as simple counters do not trigger an alarm in this scenario.
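The difference between the two patterns shows up directly in the web server's access log, which the article later advises you to keep an eye on. The following Python script is an added example, not code from the article: it parses constructed combined-format log lines (the IPs, timestamps and paths are invented), counts credential submissions (POSTs to wp-login.php) per source address, and flags a vertical attack (one address far above a per-IP threshold) separately from a horizontal one (many addresses each submitting once or twice, which a per-IP counter alone never notices). The thresholds are assumed values you would tune to your own traffic.

```python
import re
from collections import Counter

# Combined log format; we only need the client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def build_sample_log():
    """Construct sample log lines (invented IPs and timestamps) for this example.

    - 203.0.113.10 hammers wp-login.php twelve times: the vertical pattern.
    - 25 different 198.51.100.x hosts each POST exactly once: the horizontal pattern.
    - 192.0.2.5 loads the form with GET and then logs in once: a legitimate user.
    """
    fmt = ('{ip} - - [10/Mar/2019:10:00:{sec:02d} +0000] '
           '"{method} {path} HTTP/1.1" {status} 3985 "-" "Mozilla/5.0"')
    lines = []
    for i in range(12):
        lines.append(fmt.format(ip="203.0.113.10", sec=i, method="POST",
                                path="/wp-login.php", status=200))
    for i in range(1, 26):
        lines.append(fmt.format(ip=f"198.51.100.{i}", sec=i + 12, method="POST",
                                path="/wp-login.php", status=200))
    lines.append(fmt.format(ip="192.0.2.5", sec=40, method="GET",
                            path="/wp-login.php", status=200))
    lines.append(fmt.format(ip="192.0.2.5", sec=45, method="POST",
                            path="/wp-login.php", status=302))
    return lines


def login_attempts(lines):
    """Yield the client IP of every POST to wp-login.php (a credential submission)."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/wp-login.php"):
            yield m.group("ip")


def analyze(lines, vertical_threshold=10, horizontal_threshold=20):
    """Summarise login POSTs per source address.

    vertical: addresses that alone reach vertical_threshold attempts; a per-IP
    counter (or a login-limiting plugin) catches these.
    horizontal: True when the number of distinct low-volume addresses reaches
    horizontal_threshold, i.e. many hosts each trying once or twice, which
    per-IP counters never see; only a site-wide view of the log reveals it.
    """
    per_ip = Counter(login_attempts(lines))
    vertical = {ip: n for ip, n in per_ip.items() if n >= vertical_threshold}
    low_volume = [ip for ip, n in per_ip.items() if n < vertical_threshold]
    return {
        "attempts": sum(per_ip.values()),
        "vertical": vertical,
        "low_volume_ips": len(low_volume),
        "horizontal": len(low_volume) >= horizontal_threshold,
    }


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

In practice you would run `analyze` over a sliding time window (for example the last five minutes of the log) rather than over the whole file, so that a normal day's worth of genuine logins does not accumulate into a false horizontal alarm.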
Bots are not very smart. The goal of a botnet is to force hundreds or even thousands of connections in a short period of time. The rule above simply prevents malicious bots from "posting" combinations of usernames and passwords directly to your default WordPress login page.
Administrators or subscribers connecting through the WordPress login page will not be blocked.
This method has much less impact on a customer's daily process than most others, and no additional steps are required, making it the easiest way to mitigate login attacks.
If, on the other hand, you find that this surgical approach of preventing malicious bots from posting to your login page URL does not fully meet your needs, try the options below.
Plugins | Active Installs | Required WordPress version | Tested up to | Ratings |
---|---|---|---|---|
Loginizer | 700,000+ | 3.0 | 4.9.8 | 4.8/5 |
Login LockDown | 200,000+ | 3.6 | 4.9.8 | 4.6/5 |
Limit Login Attempts Reloaded | 100,000+ | 3.0 | 4.9.8 | 4.6/5 |
WP Limit Login Attempts | 40,000+ | 3.0 | 4.9.8 | 4.6/5 |
Brute Force Login Protection | 20,000+ | 2.7.0 | 4.8.7 | 4.3/5 |
Limits Attempts by Best Web Soft | 10,000+ | 3.9 | 4.9.8 | 4.6/5 |
Limit Login Attempts | 5,000+ | 2.0.2 | 4.9.8 | 3.7/5 |
WPS Limit Login | 2000+ | 4.2 | 4.9.8 | 5/5 |
BruteGuard – Brute Force Login Protection | 100+ | 4.4 | 4.9.8 | 5/5 |
Whether the objective of a brute force attack is the password of your central system or the data of your users, these events show the importance of protecting yourself against such password-cracking methods.
When it comes to private system passwords, you can take charge yourself. Indeed, it suffices to use combinations that consist of many different types of characters.
In the best case, you can use uppercase and lowercase characters, special characters and numbers for your passwords. All this to make it more difficult to pirate your keys.
But the situation is complicated for the creation of passwords for online services. In fact, you are dependent on the requirements of the supplier. In general, a typical password has a maximum of 8 characters and is often limited to numbers and letters, which is not optimal for security.
In this case, you should then look for what precautions the website operators take in order to protect themselves from brute force attacks. When you are operating a website with a login mechanism, it is your responsibility. There are two possible approaches for this:
Securing the password mechanism should be the basis for any login, but the iCloud scandal has shown that this is unfortunately not always the case. The purpose of the protection mechanism is to make the work of brute force software much more difficult.
This means, for example, that when an incorrect password is entered multiple times, no further attempts can be made and the login function is blocked.
Moreover, it is also possible to increase the waiting time after and between login attempts. You can also choose an additional step, as Apple now does, which is to block the entire account of the user in case there are multiple attempts to log in.
Many sites now also offer the option of multifactor authentication. This results in a more complicated login process, since several components are needed in addition to the password. This can be the answer to a secret question, entering a PIN code, or passing a Captcha test. A Captcha test is a short test that consists of checking that the login is being performed by a person and not, as in the case of brute force software, by a bot.
If you are the only administrator and your IP address rarely or never changes, then this advice is for you. Add this to the top of your .htaccess file:
```apache
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx.xx.xx.xxx$
RewriteCond %{REMOTE_ADDR} !^xxx.xx.xx.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
```
Just replace the xxx.xx.xx.xxx entries with your IP address.
Suggested Read – WordPress .htaccess hacked – Cleanup & Prevent .htaccess Attack
To add another layer of protection, you can enable the Protected Page option. You simply specify the page you want to protect, and choose whether to enable two-factor authentication with Google Authenticator, throw up a CAPTCHA to stop bots, or add an additional passcode. Begin using two-factor authentication (2FA). This way, even if someone guesses your password, they will not be able to access your site because they do not have the security key. We recommend doing this as soon as possible; the Google Authenticator plugin can be helpful here. Passwordless login authentication also boosts the security of your WordPress website.
Do you want to protect the data stored on your portal and prevent unauthorized access? Then add an extra level of security by enabling two-factor authentication. In this case, someone who decides to hack your WordPress will, even with your password, still need your phone to get in.
To enable two-factor authentication:
For the SaaS version, two-factor authentication with SMS is enabled by default when creating the portal. The default SMS service provider is selected according to the portal region: smsc is used for CIS, Twilio for all other regions. You can add other SMS providers later in the Settings -> Integration -> Integration to the third-party services section.
If you are using the server version, you must first connect at least one SMS provider in the Settings -> Integration -> Integration to Third Party Services section before you can enable the Two-factor Authentication option.
Set up two-factor authentication (2FA) in WordPress, for example with the Google Authenticator plugin. You can also add HTTP authentication.
At each login failure, the user will have to wait longer and longer before they can try again.
Let the user prove that he is not a bot:
A timer is a complementary technique that consists of preventing more than 2 attempts in a row within n seconds. Your visitors will see no change if you take a margin of 2 seconds, while a robot that must enter hundreds of attempts per second will be delayed. So you reduce the speed of the attack.
To add the timer, PHP provides the sleep() and usleep() functions.
The sleep() function takes seconds and usleep() microseconds.
Here is an example:
```php
sleep(1);       // pause for a second
usleep(1000000); // pause for a second (1,000,000 microseconds)
```
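The sleep() approach holds a PHP worker for the whole delay, which is the CPU-load objection the article raises against it later. The same "wait longer and longer after each failure, then lock out" policy described above can instead be enforced with server-side state: record the failure, compute a "not before" time, and refuse (without even hashing the password) any attempt that arrives too early. The following Python class is an added example, not code from the article or from any plugin; the key (username, IP), the 2-second base delay, the 2 free attempts, the lockout after 10 failures and the 10-minute lockout are taken from the figures the article uses, and the doubling schedule in between is an assumption.

```python
class ProgressiveLimiter:
    """Per-(username, ip) failure counter with doubling delays and a lockout.

    State is kept in a plain dict here; a real deployment would keep it in the
    database or a shared cache so that every PHP worker sees the same counters.
    """

    def __init__(self, free_attempts=2, base_delay=2.0,
                 lockout_after=10, lockout_seconds=600.0):
        self.free_attempts = free_attempts      # attempts allowed before delays start
        self.base_delay = base_delay            # seconds; the page's 2-second margin
        self.lockout_after = lockout_after      # consecutive failures that lock the key
        self.lockout_seconds = lockout_seconds  # 10 minutes, as in the cookie example
        self._state = {}                        # key -> (failures, not_before)

    def check(self, key, now):
        """Return (allowed, seconds_remaining). Call this before verifying the password."""
        _, not_before = self._state.get(key, (0, 0.0))
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, key, now):
        """Register a failed login and return the delay imposed before the next try."""
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        if failures >= self.lockout_after:
            wait = self.lockout_seconds
        elif failures > self.free_attempts:
            # 2 s, 4 s, 8 s, ... : each extra failure doubles the wait
            wait = self.base_delay * 2 ** (failures - self.free_attempts - 1)
        else:
            wait = 0.0
        self._state[key] = (failures, now + wait)
        return wait

    def record_success(self, key):
        """A correct login clears the counter for that username/IP pair."""
        self._state.pop(key, None)


def simulate_attacker(limiter=None):
    """Ten consecutive failures for one constructed (username, ip) pair.

    The attacker is assumed to wait out each delay and retry one second later,
    the worst case for the defender; the list of imposed waits is returned.
    """
    limiter = limiter or ProgressiveLimiter()
    key = ("admin", "203.0.113.10")   # constructed example values
    now, waits = 0.0, []
    for _ in range(10):
        allowed, _remaining = limiter.check(key, now)
        if not allowed:
            raise RuntimeError("attempt arrived before the delay expired")
        wait = limiter.record_failure(key, now)
        waits.append(wait)
        now += wait + 1.0
    return waits


if __name__ == "__main__":
    print(simulate_attacker())   # [0.0, 0.0, 2.0, 4.0, 8.0, 16.0, 32.0, 64.0, 128.0, 600.0]
```

Because `check` runs before the password is verified, a blocked attempt costs the server one dictionary lookup and no password hashing, and no worker sleeps; keying on the username as well as the IP is what keeps a distributed (horizontal) attack against one account from slipping past a purely per-IP counter.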
Keep an eye on the log files of your server. Each login failure results in the recording of an HTTP 401 code in the log files of your web server. The following events should put you on alert:
This is something we cannot let go: use a strong enough password. These brute force attacks try to guess all the most common passwords users use on their sites. A secure password contains uppercase and lowercase letters, numbers and symbols.
Do not use the same password in more than one location. It’s never too late to start using a password management solution like 1Password or LastPass.
You can also use Force Strong Passwords, which enforces strong passwords for users with the publish_posts, upload_files and edit_published_posts capabilities.
Few basic requirements for a strong password:
The use of passphrases is a solution that is increasingly used on the Internet. Passphrases are similar to passwords, but with some differences. First, a passphrase places no requirement on which characters are used: they can be letters, numbers, special characters or others. The key is the length.
Passwords or sentences with at least 16 characters offer the best protection. Each additional character multiplies the number of possibilities an attacker must try, so cracking takes longer. The longer the code grows, the longer the computer has to work, and the less likely it is to discover a valid password through a "brute force" attack.
Although passwords have several requirements, passphrases usually have simple requirements:
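To make the two sets of requirements concrete, here is an added Python example (not from the article) that checks the four-class policy the article gives for passwords, and estimates how long an exhaustive search would take at an assumed rate of ten billion guesses per second, which is the "each additional character multiplies the possibilities" argument carried through for a short complex password and for a long plain passphrase. The guess rate, the symbol alphabet of 33 characters (ASCII punctuation plus space) and the 8-character minimum are assumptions of this example.

```python
import string

SYMBOLS = set(string.punctuation) | {" "}           # 32 punctuation marks + space
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
SECONDS_PER_YEAR = 365 * 24 * 3600


def character_classes(password):
    """Which of the four character classes the password actually uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }


def meets_policy(password, min_length=8):
    """The article's password rule: upper, lower, digits and symbols (min_length is assumed)."""
    return len(password) >= min_length and all(character_classes(password).values())


def search_space(password):
    """Number of candidates an exhaustive search over the used classes must cover."""
    alphabet = sum(CLASS_SIZE[name] for name, used in character_classes(password).items() if used)
    return alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try every candidate, in years, at the assumed guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "abcdefghijklmnop", "correct horse battery staple"]:
        print(f"{candidate!r}: policy={meets_policy(candidate)}, "
              f"years={years_to_exhaust(candidate):.3g}")
```

The passphrase fails the four-class policy yet has a search space many orders of magnitude larger than the policy-compliant 8-character password, which is why the passphrase requirements below can be so much simpler than the password ones.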
It is always advisable to limit the login attempts of users, although this alone cannot protect us from all attacks, since a botnet may contain 90,000 IPs. Another thing you can do is password-protect the wp-admin directory; it is also recommended to limit access to the wp-login.php file to a specific IP address.
Restricting the number of failed attempts basically prevents and protects from brute force attack on your WordPress site.
It is very common for beginner users to use very common usernames, or ones that come by default such as admin, administrator, test... Recently, the main hosting companies have warned us that usernames are being targeted at the moment.
If you have a generic username (like admin) on a WordPress site, then you must change it right now. [Read: How To Change Your WordPress Username? – 3 Easy Ways]
By default, during a WordPress installation an "admin" user is automatically created. Logging in to your blog is done via two fields: the username and the password. By leaving "admin" as an identifier in the list of users, you leave the door open to hackers, who only have to find the associated password, which very often, in this case, is very easy to find.
Usernames such as:
A WordPress username should not be simple to find, especially not looking at the names of the article authors. For your safety, try to generate a complex name, and put it in a safe place, so you can find it easily.
There are two easy ways to change your username:
If you are not a technician, and do not want to play with the values of the database, you can use a plugin to make this change. Username Changer is a perfect plugin for this task.
Add the following code to your theme's functions.php file after replacing the Current-Username and New-Username values in the code:
```php
global $wpdb;
// $wpdb->users respects a custom table prefix; prepare() escapes the two values.
$wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->users} SET user_login = %s WHERE user_login = %s", 'New-Username', 'Current-Username' ) );
```
In the code above, replace Current-Username with the current name, and New-Username with the new username.
Caution: Delete this code immediately after the change for security reasons. You only need to run this code once, it is not necessary to keep it in your theme.
Directory browsing allows any visitor to your site to see and browse the contents of the folders in your WordPress site. Everyone can visit a directory of your site, see the files and open them at will. By default, the majority of hosts have chosen to block access to directories, for obvious security reasons; however, there are still many hosts that do not disable directory access for hosted sites. [Also Read: How To Disable Directory Browsing in WordPress Via .htaccess]
During a brute force attack, hackers can use directory browsing to search for vulnerable files. To resolve this problem, you must download the .htaccess file from the root of your domain and make a copy. You should always have a copy of your .htaccess file when you make changes, because if things do not work out as expected, you can go back through your backup copy.
Notepad: open the downloaded file with a text editor such as Notepad++, available for free.
Go to the Encoding menu.
Select "Encode in UTF-8 without BOM" to avoid creating unnecessary errors on your site.
```apache
# Disable Directory Browsing
Options All -Indexes
```
We will see below, how you can easily disable PHP code execution using the .htaccess file.
Disabling PHP execution is really easy. To start, create a new text file, name it .htaccess, and copy/paste code into the file you just created.
```apache
<Files *.php>
deny from all
</Files>
```
Now you have to put this file in the directories to protect. To do this, launch your favorite FTP client and upload the file you just created into the "wp-includes" and "/wp-content/uploads/" directories.
With this simple trick, you can block the execution of any PHP code in these vulnerable directories.
The best security we can have for our website is to have a backup copy on a regular basis. We can make our copies manually from our hosting manager, there are also plugins as we will see later that can do this work automatically.
It is important to make these copies periodically, since hosting companies usually do not do them. [Also See: How To Export WordPress Database]
Most of the attacks suffered by WordPress are due to vulnerabilities caused by plugins, weak passwords and obsolete software. One of the most popular plugins is Loginizer where among many functions it hides the sites that are more prone to these attacks, keeping the most sensitive places like login, administration, etc., out of danger.
If we do not take into account these precautions it is easier than it seems to leave our site exposed to injections of malicious code and attacks of any kind, and this is something that we can avoid using the aforementioned tips.
Also Read: Best WordPress Security Plugins To Protect Website in 2019 [Updated]
One solution to identify the attacker is to mark him by giving him a cookie or by using his IP address. Unfortunately, these two techniques are no longer sufficient on their own, because the hacker can change his IP address by using a proxy or a VPN, or by simply restarting the connection modem.
Most brute-force attempts come from a handful of countries. If you aren’t doing business there, you can completely block all visitors from those IP ranges. Block the top three attack countries by default.
If you notice an IP address that is making an extreme number of bad login attempts, then configure your Apache server to block this IP address.
Apache can forbid access to these addresses inside the <Directory>, <Files> and <Location> directives, and the same directives can also match on the User-Agent or the other request information available to them.
To deny access to a single IP address you can use: deny from 20.1.2.3
Or, for all IP addresses starting with 10.1: deny from 10.1
This is the most effective method to block a remote user through the web server that handles HTTP requests.
If an attacker has made ten attempts, we create a cookie that will allow us to recognize him when he returns to the site. This cookie will have to block him for 10 minutes. It is a small, simple protection that can save you from some difficult situations.
The script is as follows:
```php
<?php
// The comparison operator was lost in extraction; ">= 10" (block after ten attempts) is assumed here.
$counter = isset($_COOKIE['counter']) ? (int) $_COOKIE['counter'] : 0;
if ($counter >= 10) {
    header("HTTP/1.0 404 Not Found");
    die();
}
// The counter lives in a client-side cookie valid for 3600 s (one hour); a bot that
// discards cookies is never counted, which is why the text above pairs this with IP checks.
setcookie('counter', $counter + 1, time() + 3600);
?>
```
Admittedly, the script is basic but terribly effective against this type of attack!
There are 40 million brute force attacks on websites every day, so it is very likely that your site will be attacked. One of the simplest methods to protect your WordPress blog is to hide your login page.
There are several ways. One of the most common methods is to rename the file wp-login.php. This is the default login page, the one that hackers attack. Plugins can be used for this purpose. One such plugin, Change wp-admin login, is available on the WordPress website.
After installation and activation, this plug-in will direct users to the Permalinks section of the Control Panel Settings page. It will give users the ability to enter a new login URL. You will find other options as well. Most WordPress experts recommend that you also change the Common Settings from the default (Default) to the Post Name.
For the login URL, you can leave it as such, but you can also change it to some pretty unique one. In this case, the full login URL will be your site/the name of your login page. Remember that you should add to your favorites or write down the name you gave on the login page so you don’t forget it. You will also need to share this new URL with people who will need to connect to your WordPress site.
Hackers will now see a 404 error page saying that the page is not found when they get to wp-login.php. However, WordPress will still dedicate resources to loading this page. Another trick is to edit the .htaccess file. Add the following code at the end of the file:
```apache
<Files wp-login.php>
deny from all
</Files>
```
This will return a 403 error rather than a 404 error. This is the "forbidden" error: anyone who tries to access wp-login.php will see a message saying that they do not have permission to access /wp-login.php. When a 403 error is returned, WordPress does not load any resources, so no slowdown occurs.
There are other methods to protect WordPress against brute force attacks, but this one is one of the easiest and fastest to set up. Another benefit of this method that can completely prevent hackers from accessing your login page is that it can also protect you against other forms of hacking.
Hiding the login page will help prevent different hackers from applying brute force to your WordPress blog to test several password combinations.
You can create a new login page with a new URL and hide your login with code in a few simple steps, which will add an extra layer of defence to your site.
You do not have to install plugins and it only takes a few minutes to get implemented.
Without further ado, let’s start.
Since you need to make changes to your .htaccess file to hide your login page, it is important to create a full backup of your site. Your .htaccess file is important to the point that even a small error could completely make your site unavailable. It is better to make your arrangements now.
If you do not think your blog could be a victim of an attack, then at least make a backup of your .htaccess as well as the theme folder you are using.
Do not hesitate to have a look at these wordpress database backup plugins.
No matter which option you choose, you can edit the necessary files directly with your FTP client, with clients like FileZilla or in the cPanel, you will be able to access the files of your hosting.
You can do this by using the Login LockDown plugin or manually by making changes in .htaccess. The code you need to add should be placed at the top of your .htaccess file for single-site WordPress installations, or after the following lines on a multisite network:
```apache
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
```
Here is the code you need to add:
```apache
# BEGIN Hide login page
RewriteRule ^mylogin$ https://%{SERVER_NAME}/wp-login.php?key=123&redirect_to=https://%{SERVER_NAME}/wp-admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/login
RewriteCond %{QUERY_STRING} !^key=123
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
# END Hide login page
```
Make sure to change mylogin on the second line to the slug you want to use for your login page. If you do not change it, your login page will be reachable at www.adminsite.com/mylogin.
It is recommended to change the "slug" because the default one is publicly available, which means that hackers have access to it as well. If you use a custom slug, they will not be able to access it, because the only place where this slug appears is in this file.
Also, be sure to change 123 on lines two and seven to something else. It is a secret key that will not be visible to hackers. You should choose something that is not easy to guess, composed of letters and numbers.
Back up your .htaccess file and make sure your site is still available. If you get an HTTP 500 Internal Server Error, it means that you made a mistake somewhere. Restore the file and try again.
Extended from Combatting Comment Spam, you can use this to prevent anyone who isn’t submitting the login form from accessing it:
```apache
# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>
```
Nginx – Deny Access to No Referrer Requests
```nginx
location ~* (wp-comments-post|wp-login)\.php$ {
    if ($http_referer !~ ^(http://example.com) ) {
        return 405;
    }
}
```
Change example.com to your domain. If you’re using Multisite with mapped domains, you’ll want to change example.com to (example.com|example.net|example4.com)
and so on. [ Source – https://codex.wordpress.org/Brute_Force_Attacks ]
Blocking this attack with .htaccess rules is the preferred method, because login-limiting plugins can not only cause problems by triggering our own internal security rules, but they will also not be effective against this type of attack.
Just like the updates for your computer or your anti-virus, WordPress updates provide fixes for bugs that have been detected, security patches, and improvements to the software itself. These updates are published regularly by WordPress, sometimes several times a month.
Without regular updates, your website is weakened and more easily hackable, or may be affected by viruses. Cleaning up a site that has been hacked or attacked requires many hours and high technical skill to get the site up and running safely and to avoid the risk of another attack. Extensions, themes and plugins are also affected by security vulnerabilities, and improvements are delivered by the new WordPress releases.
If the update is not done, the risk (low) is that a hacker uses the flaw that has been explained in detail on the official website. He can then hack all sites that have not yet done the updating job. Keeping up with the new releases becomes a real constraint in time, and a loss of money.
Based on the research done, we recommend not using the delay strategy but the Captcha one:
- Sometimes you find the server weak; this is because there are a lot of brute force attacks and the server's CPU has to run a large number of sleep() calls.
- Technically, you cannot avoid thousands of login tries by delaying the repeated ones from a single IP, because using the cloud, hackers nowadays have the facilities to use thousands of virtual IPs.
- If you publish your application on a local server, its CPU is fully loaded by sleep() calls, and if you publish it on the cloud, you might pay more money.
- "Brute force attacks against unprotected contact forms or logins. Malicious attacks often target login and contact forms in order to penetrate a site. Repeated, constant attacks on unprotected sites drive up compute cycles as the infrastructure processes each attempt. Many plugins are available to provide contact form and login protection and can mitigate the processing of illegitimate traffic. Captchas are very popular for addressing this threat."
Other points to remember are:
What we can say is that the brute force attack is more likely to fail if you react faster. To make the work of the hackers more difficult, you can also add the delay, an extra layer of protection. In the fight against brute force attacks, the most important thing is to save time, and not to make the task of the hacker too easy.
If you liked this article, then you will love WP Hacked Help. Secure your WordPress and get 24x7 support from our team of WordPress security experts. If you have the slightest doubt about the state of health of your site in terms of security, receive a report on securing your WordPress site in under 36 hours.
In the report, the results of the various tests are aggregated, compared and cross-checked in order to highlight the biggest weaknesses of your sites, as well as the points on which you must not compromise.
We can help you clean up and prevent .htaccess attacks, remove malware from a WordPress site, and protect against WordPress XSS attacks, web shell PHP exploits, the WordPress pharma hack, malware redirect hacks, Google blacklisting and brute force attacks on your WordPress website, to keep your site trustworthy and secure.