A brute force attack is a trial-and-error method in which an attacker tries to gain access to a website by submitting username and password combinations until one works. These attacks succeed against sites with weak credentials; a site whose administrator logs in as ‘admin’ with a password like ‘12345’ falls to the first wordlist the attacker tries.
A brute force attack is also a load problem. Every login attempt is an HTTP POST that makes WordPress run PHP and query the database, so thousands of attempts per minute can exhaust server memory and CPU and slow the site for legitimate visitors even if no password is ever guessed.
How to Prevent Brute Force Attacks
Attackers hammer the ‘wp-login.php’ file over and over until a password works or the server falls over. The following measures make that harder:
1) ALWAYS USE UNUSUAL USERNAME
In early versions of WordPress the username ‘admin’ was created by default, so attackers still assume most sites use it and put it at the top of their lists. Change it, for example with the “Change Username” plugin, and avoid obvious choices such as “admin”, “administrator” or “boss”. Keep in mind, though, that WordPress exposes usernames through author archive URLs (?author=1 redirects to /author/<username>/) and the REST API users endpoint, so an unusual username raises the cost of an attack but is not a secret; the password and the controls below do the real work.
2) CREATE COMPLEX AND STRONG PASSWORD
A strong password defeats guessing outright and is the single most important defence against a brute force attack. Use a password generator rather than inventing one; the WordPress password strength meter flags weak choices when a password is set, and the ‘Force Strong Password’ plugin can refuse them.
Some of the things which need to be kept in mind while choosing a password are:
- Avoid any permutation of your name, username, company name or site name.
- Don’t use a dictionary word from any language, even with digits or symbols appended.
- Avoid short passwords; length adds more strength than character variety.
- Use a long mix of letters, digits and symbols, ideally a random string from a generator.
Enable two-factor authentication (“Two-Step Authentication”) as well: a guessed password alone then no longer grants access.
3) USE SECURITY PLUGINS
Several WordPress plugins limit the number of login attempts from one IP address and lock it out for a period after repeated failures, for example Limit Login Attempts and IP Geo Block. Others, such as Loginizer, WP Custom Admin Interface and Admin Menu Editor, can restrict or hide access to wp-admin entirely. Per-IP attempt limits work well against a single source, but an attack spread across many addresses stays under the threshold of each one, so combine them with the server-level controls below.
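What a login-limiting plugin does in effect is count failures per client in a sliding window. The following script, an added example and not code from the original page or any of the plugins named above, applies that logic to web server access log lines so you can see who is hammering wp-login.php. It assumes the combined log format and a heuristic (confirm it against your own logs): a POST to /wp-login.php answered with 200 re-rendered the login form, so it failed; a 302 redirected to wp-admin, so it succeeded. The log lines and IP addresses are constructed.

```python
"""Spot wp-login.php brute forcing in a combined-format access log.

Added example: the sliding-window failure counter that login-limiting
plugins implement inside WordPress, run over access log lines instead.
Heuristic (an assumption): POST /wp-login.php -> 200 = failed login,
POST /wp-login.php -> 302 = successful login.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.50 - - [10/Oct/2023:13:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
192.0.2.50 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2023:14:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2023:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "https://example.com/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login(rec):
    """Heuristic: a POST to wp-login.php that re-rendered the form (200) failed."""
    return (rec["method"] == "POST"
            and rec["path"].split("?", 1)[0] == "/wp-login.php"
            and rec["status"] == 200)


def find_brute_forcers(lines, max_failures=5, window_seconds=300):
    """Return {ip: time the threshold was first hit} for every IP with at least
    max_failures failed logins inside any span of window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that have fallen out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {when:%Y-%m-%d %H:%M:%S} reached the failure threshold")
```

With the defaults (5 failures in 5 minutes) only 198.51.100.23 is flagged. The constructed 192.0.2.50 entries show the weak spot of this approach: one failure every twenty minutes never trips a per-IP window, and an attacker rotating through many addresses never trips it at all, which is why attempt limiting is a complement to two-factor authentication and the server-level controls below, not a replacement.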
4) PASSWORD PROTECT WP-LOGIN.PHP FILE
Password-protecting ‘wp-login.php’ with HTTP Basic authentication puts a second credential in front of the WordPress login form. For this you create an ‘.htpasswd’ file. Keep it outside the public web root if you can; if it has to live in the same folder as .htaccess, the .htaccess file must stop Apache from serving it (the first block below does that).
After uploading the .htpasswd file to the server, reference it from the .htaccess file to protect the routes you want. For instance, if you uploaded .htpasswd to the home directory with a user named asecretuser, add the following to your .htaccess file:
# stop Apache from serving .ht* files (Apache 2.2 syntax; on 2.4 use "Require all denied")
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
# Protect wp-login.php
<Files wp-login.php>
# absolute path; Apache does not expand "~", adjust to where you uploaded the file
AuthUserFile /home/youruser/.htpasswd
AuthName "Private access"
AuthType Basic
Require user asecretuser
</Files>
The “AuthUserFile” path must be absolute and depends on your server layout, and the “Require user” line names whichever username you created in the .htpasswd file.
With nginx, ngx_http_auth_basic_module (documented in the old wiki as HttpAuthBasicModule) protects wp-login.php. Use an exact-match location so it takes precedence over the regex ‘location ~ \.php$’ block, and keep the PHP handler directives in it; a location with only auth_basic would hand the PHP source to nginx’s static file handler once the password is entered. Add the following inside your server block:
location = /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # same PHP handler as your main "location ~ \.php$" block; adjust the socket path
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
Use an absolute path for auth_basic_user_file; a relative path is resolved against nginx’s prefix directory, which is not necessarily the directory that holds ‘nginx.conf’. The file has one entry per line in the form user:hash:
user:hash
user2:hash2
user3:hash3
Passwords are stored hashed, never in clear text. nginx accepts crypt(3)-style hashes (as produced by the Apache ‘htpasswd’ utility or ‘openssl passwd’) and the Apache $apr1$ MD5 variant. Generate the file locally with ‘htpasswd’ rather than pasting the real password into an online generator, and prefer a slow hash: ‘htpasswd -B’ (bcrypt) for Apache 2.4, and for nginx a scheme your system crypt(3) supports, such as SHA-512 crypt from ‘openssl passwd -6’.
5) LIMIT ACCESS TO WP-LOGIN.PHP BY IP
If you always log in from a fixed IP address, you can deny wp-login.php to everyone else using ‘.htaccess’ (Apache) or the ‘web.config’ file (IIS). This is known as IP whitelisting, or allowlisting. Note that these rules match the address of the TCP connection: behind a CDN or reverse proxy (see section 8) that is the proxy’s address, and you need mod_remoteip (Apache) or ngx_http_realip_module (nginx) configured with the proxy’s ranges before the rule sees the visitor’s true address.
To allow only one IP address (e.g., 203.0.113.15) to reach wp-login.php on Apache 2.2, add the following to .htaccess:
# Block access to wp-login.php (Apache 2.2)
<Files wp-login.php>
Order deny,allow
Allow from 203.0.113.15
Deny from all
</Files>
To allow more than one address, list each one:
# Block access to wp-login.php (Apache 2.2)
<Files wp-login.php>
Order deny,allow
Allow from 203.0.113.15
Allow from 203.0.113.16
Allow from 203.0.113.17
Deny from all
</Files>
On Apache 2.4 (mod_authz_core with mod_authz_host) the syntax is different. A Require directive that the client does not satisfy denies the request, so no explicit deny line is needed:
# Block access to wp-login.php (Apache 2.4)
<Files wp-login.php>
Require ip 203.0.113.15
</Files>
To allow multiple addresses, or a whole network, on Apache 2.4:
# Block access to wp-login.php (Apache 2.4)
<Files wp-login.php>
Require ip 203.0.113.15 203.0.113.16 203.0.113.17
# or for the entire network (CIDR or netmask form):
# Require ip 203.0.113.0/24
</Files>
6) DENY ACCESS TO NO REFERRER REQUESTS
Automated login and comment spam bots often POST straight to the form handler without ever loading the page, so they send no Referer header and often no User-Agent. The following .htaccess block turns such POSTs to wp-login.php and wp-comments-post.php away (replace example.com with your own domain). Both headers are trivially forged, so this only filters the laziest tools; treat it as noise reduction, not protection.
# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# bounce the request back to the sender's own address (or answer 403 with: RewriteRule .* - [F,L])
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>
7) BLOCKLISTS
Studies of login traffic have found most brute force attempts originating from hosts in Russia, Kazakhstan and Ukraine, so one option is to block the address ranges assigned to those countries. Country and reputation blocklists can be downloaded from the internet and loaded as firewall rules with iptables and some shell scripting. Blocking whole countries is not an option for a site with a global audience, and attackers routinely relay through proxies and compromised hosts elsewhere; in that case load only the addresses of known spammers and attackers into iptables. Either way the list goes stale quickly and needs to be refreshed regularly.
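Blocklists published on the internet are plain text with comments, single addresses and CIDR ranges mixed together, and often contain overlapping or malformed entries. The script below, an added example and not from the original page, parses such a list, drops bad lines, collapses overlapping and adjacent ranges, and emits an ‘ipset restore’ script. Loading the addresses into an ipset matched by a single iptables rule, instead of one iptables rule per address, is my substitution for the page’s "shell scripting with iptables", because it scales to tens of thousands of entries and can be replaced atomically on each refresh. The set name, the sample list and the file paths in the usage note are assumptions.

```python
"""Turn a downloaded blocklist into an `ipset restore` script.

Added example (not from the page): parse a text blocklist, validate and
collapse it, and emit ipset commands that replace the live set atomically
(fill a temporary set, swap, destroy the old copy).
"""
import ipaddress

SET_NAME = "wp-blocklist"   # assumed name, used by the iptables rule in the usage note

# Constructed sample in the style of public blocklists (documentation ranges only).
SAMPLE_BLOCKLIST = """\
# Sample list; documentation ranges only
203.0.113.0/24
203.0.113.77          ; already covered by the /24 above
198.51.100.10
198.51.100.11         ; merges with .10 into a /31
not-an-address
192.0.2.0/25
192.0.2.128/25        ; adjacent: merges with the /25 above into /24
"""


def parse_blocklist(text):
    """Return (collapsed sorted IPv4 networks, list of malformed entries).

    Comments start with '#' or ';'. Overlapping and adjacent ranges are merged so
    the set stays small; IPv6 entries are skipped because the set is 'family inet'.
    """
    nets, bad = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)          # keep going; one bad line must not abort the load
            continue
        if net.version == 4:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), bad


def ipset_restore_script(nets, set_name=SET_NAME):
    """Build an `ipset restore` script that swaps in the new contents atomically,
    so the firewall never sees an empty or half-loaded set during a refresh."""
    tmp = f"{set_name}-tmp"
    opts = "hash:net family inet hashsize 4096 maxelem 65536"
    lines = [f"create {set_name} {opts}",   # no-op with `ipset restore -exist` if it already exists
             f"create {tmp} {opts}"]
    lines += [f"add {tmp} {n.with_prefixlen}" for n in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    networks, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    print(ipset_restore_script(networks), end="")
    for entry in rejected:
        print(f"# skipped malformed entry: {entry}")
```

Feed the output to ‘ipset restore -exist < blocklist.ipset’ from the refresh job, and reference the set once from iptables with ‘iptables -I INPUT -m set --match-set wp-blocklist src -j DROP’; later refreshes only rerun the restore, the iptables rule never changes. Because the sample contains overlapping and adjacent ranges, the seven candidate entries collapse to three networks.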
8) CLOUD/PROXY SERVICES
Services such as Cloudflare and Sucuri CloudProxy sit in front of the site and drop attacking IPs before their requests reach your server. This only helps if the origin server accepts HTTP connections solely from the service’s published IP ranges; otherwise an attacker who learns the origin address simply bypasses the proxy and hammers wp-login.php directly.
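Sections 5 and 8 interact: once a proxy service is in front of the site, the address the web server sees is the proxy’s, so an IP allowlist for wp-login.php has to be evaluated against the client address carried in the forwarded header instead. mod_remoteip and ngx_http_realip_module do this for you; the following, an added example rather than code from the page or from either service, shows the rule they implement so you can see where it fails closed. It walks X-Forwarded-For from the right, skipping hops that are trusted proxies, and stops at the first address that is not; the header is ignored entirely when the connecting peer is not a trusted proxy, because then the attacker wrote it. The proxy ranges, the admin allowlist and the header name are assumptions (Cloudflare also sends CF-Connecting-IP; use your provider’s published ranges).

```python
"""Resolve the real client behind a trusted reverse proxy, then apply an
IP allowlist for wp-login.php.

Added example. Same logic as mod_remoteip (RemoteIPHeader/RemoteIPTrustedProxy)
and nginx real_ip (set_real_ip_from/real_ip_header), written out so the
trust decisions are visible.
"""
import ipaddress

# Assumed values for illustration; use your CDN's published ranges and your own admin IPs.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.15/32", "203.0.113.64/26")]


def in_any(addr, nets):
    """True if addr falls inside one of nets (mixed IPv4/IPv6 compare as not contained)."""
    return any(addr in n for n in nets)


def client_address(peer_ip, xff_header):
    """Return the real client address.

    peer_ip: address of the TCP connection as the web server sees it.
    xff_header: raw X-Forwarded-For value ("client, proxy1, proxy2") or None.
    The header is honoured only when the peer is a trusted proxy, and hops are
    walked right to left so an attacker-supplied prefix is never trusted.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer                 # direct connection: the header is attacker-controlled, ignore it
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed hop: stop and keep the last good address (fails closed)
        client = addr
        if not in_any(addr, TRUSTED_PROXIES):
            break                   # first hop that is not one of our proxies is the client
    return client


def allow_login(peer_ip, xff_header=None):
    """Decide whether a request to wp-login.php comes from an allowlisted admin address."""
    return in_any(client_address(peer_ip, xff_header), ADMIN_ALLOWLIST)


if __name__ == "__main__":
    cases = [
        ("203.0.113.15", None),                         # admin connecting directly
        ("192.0.2.9", "203.0.113.15"),                  # attacker forging the header directly
        ("198.51.100.7", "203.0.113.15"),               # admin through the proxy
        ("198.51.100.7", "203.0.113.15, 192.0.2.9"),    # attacker through the proxy, forged prefix
    ]
    for peer, xff in cases:
        print(f"peer={peer:14} xff={xff!s:30} client={client_address(peer, xff)} allow={allow_login(peer, xff)}")
```

The fourth case is the one that matters: an attacker behind the proxy prepends the admin’s address to X-Forwarded-For, but the rightmost untrusted hop is still the attacker’s own address, so the request is denied. Configure the same trust boundary in the web server (RemoteIPTrustedProxy or set_real_ip_from limited to the provider’s ranges) and firewall the origin so only those ranges can reach port 80/443; otherwise the header logic is irrelevant because the attacker talks to the origin directly.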