How to Secure Your WordPress Site Against Brute Force Attacks
We take a look at six easy steps you can follow to increase the security of your WordPress site and guard against brute force attacks.
Join the DZone community and get the full member experience.Join For Free
The internet and its growth over the years have led to a new avenue for a crime. Cybercrime is so rampant that in the UK, it accounts for over 50% of criminal activity. According to the University of Maryland, computers and networks are attacked at least once every 39 seconds. Another statistic from Imperva's 2019 Cyberthreat Defense Report states that 78% of the organizations that were surveyed were affected by a successful cyberattack in 2018.
With a threat as constant and persistent as cyberattacks, website security is an absolute must.
One of the most common kinds of cyberattacks are brute force attacks. This article tackles what a brute force attack is, why it's important to know what it is, how it happens, and how to prevent it from happening to your website.
What Is a Brute Force Attack?
A brute force attack is the simplest method to gain access to a website, server, or anything that is password protected. This is a method where hackers try various password combinations over and over in order to break into a website. It is a trial and error approach to hacking.
According to Techopedia, the reason it's called a brute force attack is because of the amount of effort and resources that go into it. It takes time, force, and tools to properly launch a brute force attack.
Trying to hack into a friend's Facebook account by guessing their password, for example, can be considered a brute force attack.
How Brute Force Attacks Happen
Although it is the simplest hacking method, it is not something that can be done by just anyone.
Since most websites or servers require passwords that are at least eight characters long, there are enough password combinations to make the hacking process last longer than a lifetime. So although it is the simplest hacking method, it still takes knowledge and skill to execute.
Hackers make use of computers and supercomputers to write code and can develop powerful computing engines via software that functions as a password breaking or cracking program. These programs and engines are what make it possible to execute a successful brute force attack.
Computers can reduce hacking time significantly, but the process would still takes long time. With supercomputers though, brute force attacks can happen within a minute.
In light of the fact that hackers invest time, effort, and resources into brute force attacks and that they happen on a daily basis, it is important to take the necessary precautions that can help prevent these attacks from happening to your website. Below are seven methods you can and should consider using to protect your website from brute force attacks.
7 Ways to Prevent Brute Force Attacks
1. Lengthen Your Password
There's a reason why most websites require you to come up with a password that is at least 8 characters long. Compared to a password that is just 5 or 6 characters long, the number of possible combinations with an 8-character long password is naturally greater.
This makes the process of brute force attacks harder and more time consuming, making it more difficult for hackers to succeed in their attempts to break into your website.
The longer the password, the better.
2. Increase Password Complexity
Having a lengthy password, however, isn't an end-all solution. A password might be long, but if it is as simple as 'password1234,' then it is more likely that hackers will break into your website. Of course, this is a terrible example, but the fact is that there are still people out there who use passwords as predictable and lazy as that.
To create a more complex password, be sure to make use of both lower and upper case letters, numbers, and special characters. This delays the hacking process and makes it more difficult because the characters you use are not typical and obvious.
3. Limit Login Attempts
This is one of the most effective ways to prevent brute force attacks from happening to your website. It prohibits hackers from being able to make an infinite amount of attempts, disabling them from even having the chance to hack into your website.
After a certain amount of failed login attempts, your website should block the IP address that made those attempts. This puts hackers in cuffs, because, while they might have the tools to break into your website, they will no longer have the opportunity to use those tools.
4. Limit Access
Even more effective is only giving access to people you trust or work with. By not allowing hackers to make a single attempt at logging into your website, it cuts them off at the start.
This can be done by modifying the
.htacess file in your WordPress site. The purpose is to allow only certain IP addresses to have access to wp-admin, meaning only those you choose to allow to log in to the website can do so.
5. Make Use of Captcha
We have all experienced Captcha while trying to access a website. It might be a little troublesome for those who are trying to log in or gain access, but that's exactly why website owners use it.
Captcha makes us prove that we really are humans and not robots. This is to prevent bots from executing the automated scripts used in brute force attacks.
6. Two-Factor Authentication
Two-factor authentication provides an additional layer of defense beyond passwords. An example of two-factor authentication is the personal questions that come up after entering the correct username and password, like, 'What was the name of your first pet?'
This is a great weapon in the fight against brute force attacks, because, although hackers might have the tools to crack your password, it is almost impossible for them to correctly guess something that is personal to you.
Published at DZone with permission of Juie Lara. See the original article here.
Opinions expressed by DZone contributors are their own.