How to protect your site from WordPress brute force attacks?


Brute force (from the English "brute force", literally "crude strength").

A WordPress brute force attack can bring a site down even before it succeeds. Many site administrators see their server resources drain quickly, their sites become unresponsive or crash completely, and real users get locked out as a result. The worst part is the feeling of helplessness as brute force bots hammer the login page trying to get into wp-admin.

But you are not helpless. If you're seeing multiple failed login attempts for the same user, possibly from multiple IP addresses, you've come to the right place. In this article, I will explain what a WordPress brute force attack looks like and how to protect your site from it.

What is a WordPress brute force attack?

Brute force, or exhaustive search, is a general method of solving a problem by trying every possible candidate in turn.

A WordPress brute force attack is an attempt to gain unauthorized access to your wp-admin by trying different combinations of usernames and passwords. Attackers use bots that continuously bombard the login page with credentials, relying on trial and error.

An example of a brute force attack on a website, showing the source IP address and its geolocation.

Bots often work through a list of dictionary passwords, which is why these attacks are also known as dictionary attacks or password guessing attacks. Attacks can be set up to originate from many different IP addresses and thus bypass basic security measures. There are other types of brute force attacks, which I will discuss later in the article.

The goal of a brute force attack is to gain access to your wp-admin and then usually install malware on your site.

How to protect your site from WordPress brute force attacks?

It's scary to experience a brute force attack, especially because it seems like there's nothing you can do to stop it. What's more, the effects of the attack are visible immediately: most sites have limited server resources that are quickly exhausted, and often the attacked site goes down completely.

Fortunately, there is a lot you can do to prevent WordPress brute force attacks. Here is a list of protection steps that will block most attacks and mitigate the worst of the rest.

1. Limit the number of login attempts

The best way to stop a WordPress brute force attack is to limit the number of login attempts. If the wrong password is entered too many times on the login page, the account is temporarily locked out. This defeats the brute force bot, which depends on trial and error to guess the credentials. In addition, since the bot can no longer try thousands of combinations, the flood of requests stops and the server no longer spends resources on the bot's activity.

By default, WordPress allows an unlimited number of login attempts, which is the main reason it is susceptible to brute force attacks out of the box. Security plugins can enable login attempt limiting automatically.

If a legitimate user has simply forgotten their password, they can solve a captcha to lift the lockout. Thus, limiting login attempts keeps brute force bots out without negatively impacting real users.

Stop brute force attacks on the site.
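The lockout logic described in this step, written out as an added example (not code from the article or from any WordPress plugin): failures are counted both per source IP and per username, so a single bot and a distributed attack that rotates IP addresses against one account are both locked out, and a solved captcha lifts the lock for a legitimate user. The class name, thresholds and the injectable clock are assumptions made for the example.

```python
"""Login-attempt limiter with per-IP and per-username lockouts (added example)."""
import time
from collections import defaultdict


class LoginLimiter:
    """Temporarily locks a source IP or a username after too many failed logins."""

    def __init__(self, max_attempts=5, window=600, lockout=900, clock=time.time):
        self.max_attempts = max_attempts    # failures allowed inside one window
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # seconds a locked key stays locked
        self.clock = clock                  # injectable so tests can move time
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> time at which the lock expires

    @staticmethod
    def _keys(username, ip):
        # Two independent counters: the IP key stops a single bot, the username key
        # stops a distributed attack that rotates IP addresses against one account.
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, username, ip):
        now = self.clock()
        return any(self._locked_until.get(k, 0) > now for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        """Call after a wrong password; returns True if this failure triggered a lock."""
        now = self.clock()
        locked = False
        for k in self._keys(username, ip):
            recent = [t for t in self._failures[k] if now - t < self.window]
            recent.append(now)
            self._failures[k] = recent
            if len(recent) >= self.max_attempts:
                self._locked_until[k] = now + self.lockout
                self._failures[k] = []  # counting restarts once the lock expires
                locked = True
        return locked

    def record_success(self, username, ip):
        """A correct password clears the failure counters for both keys."""
        for k in self._keys(username, ip):
            self._failures.pop(k, None)

    def unlock_after_captcha(self, username, ip):
        """A legitimate user who forgot the password solves a captcha to lift the lock."""
        for k in self._keys(username, ip):
            self._locked_until.pop(k, None)
            self._failures.pop(k, None)
```

In a real deployment the counters would live in shared storage (for WordPress, transients or an object cache) rather than in process memory, so that all PHP workers see the same state.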

2. Block bad and unwanted bots

Brute force attacks are almost always performed by bots. Bots are small programs designed to perform a simple task repeatedly, making them ideal for brute force attacks. The bot will try a number of credentials on the login page until it finds a match.

In addition, over 25% of all website traffic comes from bots, so there are many security systems that protect against them. However, an important distinction must be made: not all bots are bad. Good ones include search engine crawlers and uptime monitoring bots.

You want those to be able to access your site, so it's important to choose bot protection that intelligently blocks only bad and unwanted bots. There are many anti-bot plugins, such as All In One WP Security and Wordfence Security, but by default they block all bots, including Googlebot.

Blocking bad and unwanted bots.

3. Install a web application firewall

Login protection defends against brute force attacks specifically, while a firewall defends against all kinds of attacks, including brute force.

Firewalls use rules to block malicious traffic and do a lot to protect your website. In addition, firewalls mitigate one of the most serious problems of brute force attacks—excessive strain on server resources—by blocking repeated bad requests.

Brute force attacks are often set up to come from multiple IP addresses and can therefore bypass most firewalls. However, with a firewall, your website becomes part of a global IP reputation network: the firewall learns which IP addresses are malicious from behavior logged on over 153,470 websites and actively blocks traffic from them. These measures greatly reduce the amount of bad traffic reaching your site in the first place, before a bot can even hit your site's login page.

4. Add Two-Factor Authentication to WordPress

Usernames and passwords can be guessed, so two-factor authentication — or even multi-factor authentication — has emerged as a way to have dynamic elements for user authentication. With two-factor authentication, a real-time login token, such as an OTP or a QR code, is transferred to the user's device. It has a limited lifetime, typically around 10-15 minutes, and can only authenticate the user for that session.

WP 2FA - two-factor user authentication.

The additional token is hard to obtain independently of the username and password, so it adds another layer of security to the login page. You can install a plugin like WP 2FA to easily add two-factor authentication to your site.

5. Use strong and unique passwords

The biggest security weakness is the user, and consequently the passwords they choose. Passwords are the biggest vulnerability in any security system because of the (understandable) human tendency to set easy-to-remember passwords and reuse them across different accounts. These are actually two separate password problems.

- First, never reuse passwords across different accounts. Many brute force bots attack login pages with passwords stolen in data breaches.

- Second, a password such as "password" is obviously easy to guess. Use a minimum of 12 random characters or, even better, use a passphrase as your password.

A strong, complex password that cannot be cracked.

I recommend using a password manager like LastPass or 1Password to avoid password reuse and create strong passwords as needed. If you suspect that an account has been compromised, you can force a reset of all passwords.

6. Disable XML-RPC in WordPress

The XML-RPC file (xmlrpc.php) is another way to authenticate users. In other words, it is an alternative route into your admin panel, so it is also exposed to brute force attacks. It is a largely obsolete interface that few plugins or themes actively use. It is still shipped with WordPress for backwards compatibility, so it is relatively safe to disable.

7. Regularly check and delete unused user accounts

Inactive accounts are often targeted by hackers because there is a good chance the owners won't notice if their accounts are hacked. Dormant accounts also keep the same password for long periods of time, making them easier to brute force.

Therefore, regularly review user accounts and delete those that are not actively used. As an additional measure, make sure each account has the minimum user rights required for what its owner actually does. For example, it's reckless to make everyone an administrator.

8. Consider Geoblocking in WordPress

If you see a lot of bot traffic from one place, you can block the whole country. However, I advise caution when using geo-blocking. This is only useful if you don't expect any legitimate users from the location at all.

Also, keep in mind that it can keep good bots out of that region. For example, Googlebot can run from any of Google's servers in the world, and you definitely want Googlebot to access your site.

9. Disable directory browsing

By default, most of the main WordPress folders and files are publicly accessible through the browser. For example, you can enter yourwebsite.ru/wp-includes into the address bar of your browser, and all the contents of the folder will be immediately visible.

Although directory browsing is not a vulnerability in itself, it can reveal information about a site, which in turn can be used to exploit vulnerabilities.

The /wp-content folder contains plugins and themes, and if a hacker can see which ones are installed and their version numbers, they can potentially find and exploit vulnerabilities. This is a less common variant of brute force attack, aimed at enumerating the site's files and directories rather than its credentials. Therefore, as a precautionary measure, it makes sense to disable directory browsing altogether.

Solutions that you may learn about elsewhere but should not implement on your site

There is a lot of well-intentioned but very bad security advice out there. So, in addition to this list of what to do, I will also list what not to do.

  • Password-protecting the wp-admin directory: don't do it. It appears in almost every article about brute force prevention, but password-protecting the wp-admin directory breaks AJAX for logged-out users by restricting access to the admin-ajax.php file. AJAX is often used to support the dynamic parts of websites. Say you have a search bar on your site: when a visitor uses it to search for products, only the search results reload, not the entire page. This saves a lot of resources and greatly speeds up and improves the user experience. You will also see many workarounds that exclude the admin-ajax.php file, but they do not always work without problems. The bottom line is that the effort the workarounds require does not buy a commensurate level of security: a lot of work for little extra benefit.
  • Changing the WP login URL: this tip is often found in articles on hardening WordPress security. However, I strongly advise against changing the login URL, as it is nearly impossible to recover if it is lost (unless, of course, you have it written down on a piece of paper lying in a safe).
  • Avoiding admin as a username: because brute force bots try to guess username/password combinations, it makes sense to avoid obvious usernames like admin. WordPress does not allow you to change usernames from the control panel, so you will need to install a plugin to do so. However, this measure is of limited value, and I advise you not to spend too much time and effort on it. There are other ways to recover usernames from certain types of sites, such as membership sites. The effort required to give members unique usernames, enforce the policy, and then deal with the inevitable consequences of people forgetting their unique usernames is not worth the limited benefit.

Impact of a Brute Force Attack in WordPress

There are two ways to think about the consequences of a brute force attack. First, what happens during the attack, and second, what happens if the attack is successful.

For most attacks, the first question rarely arises, because there is little or no impact on the website while it is being attacked; the consequences only become apparent after a successful attack. Brute force attacks are the exception.

What happens when your site is brute-forced?

You will see an immediate impact on server resources. Since the attack is bombarding your login page with requests, the server must respond to every one of them. Therefore, you will see all the consequences of increased server load on your website: a slower site, some users unable to log in, downtime, unavailability and so on. Web hosts are also quick to throttle server usage, since it affects their performance, especially if you are on shared hosting.

What happens if a brute force attack succeeds?

If the attack is successful, you can reasonably expect malware or some kind of corruption. There are several reasons why hackers want to access your site, and none of them are good.

If that's not enough, your website could become part of a botnet and be used to attack other websites without your consent. This can have serious consequences, as other security systems mark your website as malicious if it is part of a botnet.

Recovering from a WordPress brute force attack

If a brute force attack was successful, you should assume the worst: your site has been compromised. Therefore, your first priority is to protect your site. Here are the main steps you should take to limit the damage:

  1. Force logout of all users and change all passwords;
  2. Scan your site for malware immediately.

Once you've made sure your site is free of malware, take the prevention steps listed above.

Is your site vulnerable to brute force attacks?

Yes, all systems are vulnerable to brute force attacks. Because of the way they work, brute force attacks can be launched against any system with a login page. WordPress websites are no different. The popularity of WordPress makes it a target for hackers.

  • First, it's because most of the internet is powered by WordPress.
  • Second, because some aspects of WordPress are well known.

The example most relevant to brute force attacks is that WordPress does not restrict invalid login attempts. You can fix this with the login attempt limiting feature of security plugins.

Also, many site owners tend to use usernames and passwords that are easy to remember. Common ones include admin as the username and password1234 or 12345678 as the password. These factors make your site vulnerable to brute force attacks.

Types of brute force attacks

Brute force attacks are different from other types of threats and attacks such as social engineering attacks or XSS attacks. Social engineering attacks such as phishing manipulate people into sharing their credentials by impersonating a trusted person, while XSS attacks exploit vulnerabilities in a website. Brute force attacks rely on weak or stolen credentials to succeed.

You will see several varieties of brute force attacks in the wild. They all follow the same trial and error pattern, but the credentials they try or the mechanism they use may differ. Here are some of the most common types of brute force attacks:

  • Simple attacks: Simple brute-force attacks use logic to guess credentials based on their knowledge of the user, such as pet names or birthdays obtained from, for example, social networking sites.
  • Credential stuffing: This type of attack uses data from breaches, relying on the assumption that users tend to use the same usernames and passwords across multiple systems.
  • Dictionary attacks: As the name suggests, these bots use dictionary files for passwords. It can be a real dictionary or one specially created for guessing passwords.
  • Rainbow table attacks: Similar to a dictionary attack, a rainbow table is a special kind of dictionary list. Instead of a list of passwords, the rainbow table contains a list of hashed passwords.
  • Password spraying: This type of attack inverts the usual brute force pattern. In a typical brute force attack, the target is a specific username, and the guessing is done on the password. Conversely, in password spraying, a short list of passwords is tried against many usernames to find a potential match. This is a distributed rather than a targeted attack.

As a site administrator, you may not need to know the differences between different types of brute force attacks. However, these terms are often used interchangeably so it is useful to have an understanding of the underlying mechanisms.
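The taxonomy above maps directly onto patterns in a site's failed-login records. The following added example (not code from the article) classifies constructed, made-up log lines: a targeted attack shows one username guessed many times from one IP, password spraying shows many usernames guessed a few times each from one IP, and a distributed attack shows one username failing from many IPs. The `ip=... user=... result=...` line format, the thresholds and the IP addresses are all assumptions for the example.

```python
"""Classify failed-login patterns from constructed auth-log lines (added example)."""
import re
from collections import defaultdict

# Assumed log format; real plugins and web servers use their own layouts.
LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

# Constructed sample: a targeted bot, a distributed bot, a sprayer, and a forgetful user.
SAMPLE_LOG = (
    ["ip=203.0.113.5 user=admin result=fail"] * 12
    + [f"ip=198.51.100.{i} user=admin result=fail" for i in range(1, 9)]
    + [f"ip=203.0.113.9 user={u} result=fail" for u in ("editor", "alice", "bob", "carol", "dave")]
    + ["ip=203.0.113.20 user=alice result=fail"] * 2
    + ["ip=203.0.113.20 user=alice result=ok"]
)


def parse(lines):
    """Yield (ip, username, failed) for every line that matches the assumed format."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group("ip"), m.group("user").lower(), m.group("result") == "fail"


def classify(lines, min_failures=5, min_users=4, min_ips=5):
    """Return (label per source IP, label per username) for suspicious patterns."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    ips_by_user = defaultdict(set)                        # user -> IPs that failed on it
    for ip, user, failed in parse(lines):
        if failed:
            fails_by_ip[ip][user] += 1
            ips_by_user[user].add(ip)
    by_ip = {}
    for ip, per_user in fails_by_ip.items():
        total = sum(per_user.values())
        if len(per_user) >= min_users and max(per_user.values()) <= 2:
            by_ip[ip] = "password spraying"      # many usernames, few guesses each
        elif total >= min_failures and len(per_user) == 1:
            by_ip[ip] = "targeted brute force"   # one username, many guesses
        else:
            by_ip[ip] = "benign"                 # too few failures to judge by IP alone
    # A username failing from many IPs is only visible when grouped by user, not by IP.
    by_user = {u: "distributed brute force" for u, ips in ips_by_user.items() if len(ips) >= min_ips}
    return by_ip, by_user
```

Note that each IP in the 198.51.100.0/24 block looks benign on its own; the attack on `admin` only shows up when failures are grouped by username, which is why per-IP blocking alone is not enough.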

Other Security Best Practices

Preventing WordPress brute force attacks is a great goal, but it's only part of website security. Here are some top tips to help protect your site from malware:

  1. Install a security plugin with a good malware scanner and cleaner;
  2. Keep everything up to date (themes, plugins, WordPress core);
  3. Use daily backups.

Conclusion

Brute force attacks can take a website down even if they are not successful. The best way to deal with this potential threat is to install a firewall with built-in bot protection.

Even if a brute-force attack is successful, the firewall will help you quickly detect malware and remove it. As with all infections, quick action will greatly limit the damage.

Thanks for reading: SEO HELPER | NICOLA.TOP
