Brute force attacks are one of the simplest forms of attack a site can come under. But they can still be highly dangerous, and rather tricky to deal with without the right tools.
This article will cover the basics of brute force attacks, and present some solutions to help you protect your site and its users from this kind of hack.
What is a Brute Force Attack?
To put it simply, a brute force attack is guessing passwords over and over until one works. In practice the attacker rarely tries every combination blindly: automated tools start with lists of common and previously leaked passwords and only fall back to exhaustive search if those fail. The target is usually an administrator account, which puts the whole site at risk, but if your site has user accounts their passwords are worth protecting too.
These attacks don’t get far when one person types in password after password; the process simply isn’t fast enough. At a rate of one password per second it would take years to try every possibility for a password more than a few characters long.
So where does the danger come from? If your password is short or predictable, this method can get lucky. Exhausting every combination might take days, weeks, or years, but there is no guarantee yours won’t be among the first few dozen guesses, and common passwords are exactly what the first guesses are.
The real danger comes from attackers automating the guessing. A program can try hundreds, thousands, or far more passwords a second. A password space that would take a person almost three years of constant work at one guess a second is exhausted by a computer running at a thousand guesses a second in a little over a day, and many attackers run faster than that. One caveat worth knowing: against a live login form the rate is bounded by how quickly your server answers each attempt, which is exactly why the attempt-limiting measures below work. The billions-per-second figures you may have read about belong to offline cracking of stolen password hashes, not to guessing against a login page.
So brute force attacks can be surprisingly dangerous. What can you do about them? Make your WordPress login secure, as described below.
Stronger Passwords
This alone won’t stop a dedicated brute force attack on your WordPress login URL, but it helps. A strong password makes a manual attack hopeless and slows an automated one considerably. Two things matter: the length of the password and the size of the alphabet it draws from. Every extra kind of character (lowercase, uppercase, digits, symbols) enlarges the alphabet an attacker has to assume, and each extra character multiplies the number of possibilities by that alphabet size.
Don’t make it too short either. You don’t have to fill the password box to its limit, but five or six characters is far too few. The number of combinations grows exponentially with length: over the 95 printable ASCII characters, each added character multiplies the attacker’s work by 95. Make your passwords at least eight characters long, and treat longer as always better. Just as important, make each password unique; a strong password reused on another site is only as safe as that site’s database.
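The length-and-alphabet reasoning above, turned into numbers. This is an added example and not code from the original article: it infers which character classes a password uses, computes the resulting keyspace, and reports how long exhausting it would take at an assumed online rate (1,000 guesses/s against a login form) and an assumed offline rate (10 billion/s against a leaked fast hash). The tiny common-password set is constructed for illustration and stands in for the multi-million-entry wordlists that tools try first.

```python
import string

# Character classes an attacker must enumerate; the union of the classes a
# password actually uses is the alphabet they have to assume.
CLASSES = (
    string.ascii_lowercase,        # 26
    string.ascii_uppercase,        # 26
    string.digits,                 # 10
    string.punctuation + " ",      # 32 symbols plus space = 33
)
ONLINE_RATE = 1_000                # assumed guesses/s against a live login form
OFFLINE_RATE = 10_000_000_000      # assumed GPU rate against a leaked fast hash

# Constructed stand-in for the wordlists brute-force tools try before any
# exhaustive search; real lists run to millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "Password1!"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker has to assume for this password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(charset: int, length: int) -> int:
    """Guesses needed to exhaust every password of `length` over `charset` symbols."""
    return charset ** length


def seconds_to_exhaust(charset: int, length: int, guesses_per_second: float) -> float:
    return keyspace(charset, length) / guesses_per_second


def estimate(password: str) -> dict:
    """Worst-case guessing cost of `password` at the assumed online and offline rates."""
    if password in COMMON_PASSWORDS:
        # Mixing character classes is irrelevant here: wordlist entries are tried first.
        return {"charset": 0, "keyspace": 0, "online_days": 0.0,
                "offline_seconds": 0.0, "common": True}
    charset, length = charset_size(password), len(password)
    return {
        "charset": charset,
        "keyspace": keyspace(charset, length),
        "online_days": seconds_to_exhaust(charset, length, ONLINE_RATE) / 86400,
        "offline_seconds": seconds_to_exhaust(charset, length, OFFLINE_RATE),
        "common": False,
    }


if __name__ == "__main__":
    # The article's own figure: eight digits take ~3 years at 1 guess/s, ~1 day at 1000/s.
    print(f"8 digits @1/s:    {seconds_to_exhaust(10, 8, 1) / (365 * 86400):.2f} years")
    print(f"8 digits @1000/s: {seconds_to_exhaust(10, 8, 1000) / 86400:.2f} days")
    for pw in ("Password1!", "abcdefgh", "Tr0ub4dor&3", "correct horse battery staple"):
        e = estimate(pw)
        print(f"{pw!r:32} alphabet={e['charset']:3} online={e['online_days']:.3g} days "
              f"offline={e['offline_seconds']:.3g} s common={e['common']}")
```

Two things the table makes obvious that the prose does not: an eight-character all-lowercase password survives years of online guessing but about twenty seconds of offline cracking, and "Password1!" ticks every character-class box yet costs the attacker nothing because it is on the list they try first.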
Another important point: don’t use “admin” as your username. It used to be the default WordPress administrator username, so many automated attacks try it without knowing anything about your site, and simply using something else stops those. Don’t rely on the username being secret, though; WordPress reveals usernames through author archive pages, so treat this as cutting down noise rather than as real protection.
Change Your Login URL
This won’t work if you allow users to create their own accounts on your site, since they need to find the login page too. But if you run the site alone or with a few employees, changing the login URL from the default can stop many automated attacks before they start: bots that can’t find a login form can’t brute force it. The easiest way to do this is the WPS Hide Login plugin. Write the new URL down so you don’t lock yourself out. Keep in mind that this is obscurity, not authentication: an attacker who learns the new path is no worse off than before, and WordPress’s XML-RPC endpoint (xmlrpc.php) still accepts a username and password unless it is disabled, so block it as well if you don’t use it.
Two-Factor Authentication
You can add a second factor to the login, making a guessed password alone useless. There are several ways to do this; perhaps the most common is a time-based one-time password app such as Google Authenticator. During setup the site and the app share a secret; afterwards the app computes a fresh six-digit code from that secret and the current time every 30 seconds, and you enter that code after your password. Nothing is sent to the phone, so there is no message to intercept, and an attacker who guesses the password still needs the phone. Two practical notes: a six-digit code has only a million possibilities, so the code prompt needs the same attempt limits as the password prompt, and the shared secret must be guarded as carefully as a password.
If you’d like to increase security without an extra step at every login, or without requiring the writers and other employees who have backend access to install an extra app, there are still options.
Better Login Security
Two-factor authentication is one form of this, but there are other tools that are simpler and easier on the user and that still make the WordPress login considerably harder to brute force.
Limited Login Attempts
This is possibly the simplest solution: a single IP address is allowed only so many failed attempts before it is locked out of trying at all for a while. To get past it an attacker has to keep switching source addresses, which makes the attack harder and far slower and thwarts many attempts on its own. Because botnets do exactly that, it is worth counting failures per targeted account as well as per IP, so that an attacker spread over many addresses still trips the limit. If your site sits behind a proxy or CDN, make sure the plugin sees the real client address and not the proxy’s, or every visitor will share one counter.
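The lockout logic described above as an added example, not code from any plugin. It counts failures per source IP and per targeted username in a sliding window, so rotating addresses (the workaround the paragraph mentions) still locks the account under attack, and it includes the proxy-address check a practitioner has to get right: `X-Forwarded-For` is attacker-controlled, so it is trusted only from your own proxy. The thresholds (5 failures in 10 minutes, 15-minute lockout) and the proxy address are illustrative assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Failed-login counter with a sliding window and a timed lockout.

    Failures are counted per source IP *and* per targeted username, so an
    attacker who rotates addresses still locks the account they are hammering.
    Thresholds are illustrative, not a recommendation for every site.
    """

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time the lock expires

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username, now):
        """True if either the address or the account is currently locked out."""
        return any(self._locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        """Record one failed attempt; returns the keys that just became locked."""
        newly_locked = []
        for key in self._keys(ip, username):
            recent = self._failures[key]
            while recent and recent[0] <= now - self.window:   # forget old failures
                recent.popleft()
            recent.append(now)
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()
                newly_locked.append(key)
        return newly_locked

    def record_success(self, ip, username):
        """A genuine login resets the counters for that address and account."""
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Choose the address to throttle on.

    X-Forwarded-For is client-supplied, so it is honoured only when the TCP peer
    is one of our own proxies; otherwise an attacker could forge a fresh address
    on every request and never trip the per-IP counter. Assumes a single proxy
    tier, so the last entry is the address the proxy actually saw.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    return x_forwarded_for.split(",")[-1].strip()


if __name__ == "__main__":
    throttle, t0 = LoginThrottle(), 1_700_000_000
    for i in range(5):   # five bad passwords from one address within seconds
        locked = throttle.record_failure("203.0.113.5", "admin", t0 + i)
    print("locked after 5 failures:", locked)
    print("still locked 14 minutes later:", throttle.is_locked("203.0.113.5", "admin", t0 + 840))
    for i in range(5):   # rotating addresses against one account still locks the account
        throttle.record_failure(f"198.51.100.{i}", "editor", t0 + 60 + i)
    print("editor locked for a new address:", throttle.is_locked("198.51.100.99", "editor", t0 + 70))
    print("spoofed header ignored:", client_ip("203.0.113.5", "198.51.100.1", {"10.0.0.1"}))
```

Counting per account has a cost: anyone can lock the administrator out by sending five wrong passwords. Keep the per-account lockout short (or escalate to a captcha rather than a hard block) and the per-IP lockout long, and check `is_locked` before the password is verified so a locked attempt costs the server nothing.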
Login Alerts
This won’t stop an attack by itself, but an automated alert system lets you notice one while it is still in progress and respond: block the IP, change passwords, or take other measures. It works by detecting and reporting the out-of-the-ordinary: logins from new IPs or new devices, runs of failed attempts, and, most telling of all, a successful login that follows a run of failures. If you receive such an alert, change the password and check the site for damage, including new administrator accounts and modified files.
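The three signals just listed, run over a log as an added example (not code from the article or from any plugin). The event-log format, the sample lines and the set of previously seen addresses are all constructed for the example; a real deployment would read whatever its plugin or web server emits. The highest-priority rule is the last one: a success from an address that was failing moments earlier is the signature of a password that has just been guessed.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of a per-login event log (assumed format, one event per line).
SAMPLE_LOG = """\
2024-03-02T10:15:01Z ip=203.0.113.5 user=admin result=fail
2024-03-02T10:15:03Z ip=203.0.113.5 user=admin result=fail
2024-03-02T10:15:04Z ip=203.0.113.5 user=admin result=fail
2024-03-02T10:15:06Z ip=203.0.113.5 user=admin result=fail
2024-03-02T10:15:09Z ip=203.0.113.5 user=admin result=fail
2024-03-02T10:16:40Z ip=203.0.113.5 user=admin result=success
2024-03-02T11:00:00Z ip=198.51.100.7 user=editor result=success
2024-03-02T11:05:00Z ip=192.0.2.9 user=editor result=success
"""

# Addresses each account has logged in from before (assumed; built from earlier logs).
KNOWN_IPS = {"admin": {"198.51.100.7"}, "editor": {"198.51.100.7"}}


def parse(line):
    """Split one event line into (timestamp, ip, user, result)."""
    ts, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, fields["ip"], fields["user"], fields["result"]


def analyze(log_text, known_ips, burst_threshold=5, window_seconds=300):
    """Return (kind, user, ip, time) alerts for bursts, new-IP logins and guessed passwords."""
    alerts = []
    recent_fail = defaultdict(deque)   # ip -> timestamps of failures inside the window
    burst_reported = set()             # one burst alert per address, not one per attempt
    seen = {user: set(ips) for user, ips in known_ips.items()}
    for line in log_text.splitlines():
        when, ip, user, result = parse(line)
        window = recent_fail[ip]
        while window and (when - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if result == "fail":
            window.append(when)
            if len(window) >= burst_threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append(("failed-login burst", user, ip, when))
            continue
        if window:
            # Success right after a run of failures: the password was most likely guessed.
            alerts.append(("success after failures", user, ip, when))
        elif ip not in seen.get(user, set()):
            alerts.append(("login from new ip", user, ip, when))
        seen.setdefault(user, set()).add(ip)
        window.clear()
    return alerts


if __name__ == "__main__":
    for kind, user, ip, when in analyze(SAMPLE_LOG, KNOWN_IPS):
        print(f"{when:%H:%M:%S}  {kind:24} user={user} ip={ip}")
```

On the sample this raises three alerts: a burst from 203.0.113.5, the admin login from that same address ninety seconds later, and the editor login from 192.0.2.9. The editor login from 198.51.100.7 is silent because that address is already known for that account. Detecting "new device" rather than "new IP" additionally needs a long-lived cookie or similar marker, which the log format here does not carry.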
Captcha
Almost all attacks that pose a credible threat are carried out by bots built to test as many passwords as possible, far faster than a human could. A captcha adds a challenge to the login that is designed to be easy for humans and hard for bots to complete, so a bot can’t even submit a guess. That blocks the bulk of brute force traffic, though it is not absolute: captcha-solving services exist, so keep attempt limits in place as well.
Security Plugins
The easiest way to get all of this login protection at once is a security plugin. This is where MalCare comes in.
MalCare is a WordPress security plugin that provides the kinds of login protection described above. It can limit login attempts, send alerts, use a captcha to keep bots out, and generally harden your site against malicious activity.
In addition, MalCare blocks IPs with a known or likely bad reputation from reaching the login form at all. And if someone gets through all of these layers, the plugin works to limit the damage a compromise can do to your site.
Taking your security one step further, MalCare can also scan your site for malware and provides the tools to remove it, limiting the damage that even a successful attack can cause.
Wrapping Up
Using any of these measures will reduce your exposure, and combining them works best. Good passwords are a must. With a strong, unique password, attempt limits, a second factor where you can manage it, and a security plugin such as MalCare, brute forcing your site becomes impractical for almost any attacker, keeping you, your visitors, and the site itself safe.