How To Protect Your WordPress Website From Brute Force Attacks
Posted by TotalDC
WordPress is one of the most popular content management systems (CMS) available, and its popularity is exactly why it is so heavily targeted by attackers.
What is a Brute Force Attack?
A brute force attack, or brute forcing, is one of the leading causes of website compromise and works by trial and error. The attacker submits username and password combinations to the site's login (for WordPress, usually wp-login.php or the XML-RPC endpoint, xmlrpc.php) over and over until one of them works. An administrator account in WordPress can install plugins and edit theme files, which means running arbitrary PHP on the server, so a guessed admin password is effectively a full compromise of the site.
A brute force attack goes after the weakest link in a website's security: the password. Sucuri, a security company that specialises in detecting and cleaning up compromised websites, reports seeing at least 770,000 brute force attacks (that is a lot) every hour.
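The attack described above leaves a very recognisable trace in the web server's access log: a burst of POST requests to wp-login.php (or xmlrpc.php) from one address. The following detector is an added example written for this page, not code from the original post or from Sucuri; the log lines are constructed, the 5-attempts-per-60-seconds threshold is an assumption you should tune, and it relies on the fact that WordPress answers a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect. It flags addresses that exceed the threshold and, more importantly, those whose burst ends in a 302, which usually means the guess succeeded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not from any real server).
# 203.0.113.7 hammers wp-login.php and finally gets a 302 (a successful login);
# 192.0.2.44 abuses xmlrpc.php; 198.51.100.9 is a normal user who mistypes once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:57:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:57:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:57:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop query string
        "status": int(m.group("status")),
    }


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of login POSTs per source IP.

    Returns {ip: {"max_burst": n, "success_after_burst": bool}} for every IP that
    made at least `threshold` login POSTs inside `window`. success_after_burst is set
    when a 302 on wp-login.php arrives while the IP is over the threshold, i.e. the
    burst ended in a successful login (xmlrpc.php returns 200 either way, so it
    cannot be judged this way).
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        entry = report.setdefault(rec["ip"], {"max_burst": 0, "success_after_burst": False})
        entry["max_burst"] = max(entry["max_burst"], len(q))
        if rec["path"] == "/wp-login.php" and rec["status"] == 302:
            entry["success_after_burst"] = True
    return report


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against a real log with `detect_brute_force(open("/var/log/apache2/access.log"))`; any IP with success_after_burst set deserves an immediate password reset and a look at what that session did next. Note that xmlrpc.php's system.multicall method lets an attacker pack hundreds of login attempts into one request, so a low request count on that path can still be a large attack.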
Types of Brute Force Attacks
There are many variants of this attack, each meant to increase its success rate. Here are the most common:
Simple Brute Force Attack
A simple brute force attack iterates through every possible password, that is, every combination of the allowed characters from the shortest to the longest. This is mostly practical against local files such as a stolen password hash, where there is no limit on the number of attempts; against a live login form it is slow and noisy.
Dictionary Attack
Instead of trying passwords at random, a dictionary attack works from a list of words and commonly used passwords and tries each one in turn. A good password list greatly improves the attacker's odds, but the attack still requires a large number of attempts.
Hybrid Brute Force Attack
A hybrid attack combines a dictionary attack with a small amount of iteration. Instead of trying every possible password, it makes small modifications to each dictionary word, such as appending digits or a year, changing the case of letters, or swapping letters for look-alike symbols ("p@ssw0rd"). This is why "Password1" is not meaningfully stronger than "password".
Credential Stuffing
With the growing number of data breaches, password reuse has become an easy way into accounts: if your WordPress password is the same one you used on a site that was breached, the attacker already has it. Credential stuffing attacks take lists of usernames and passwords leaked in breaches and simply try them against other sites. Only a small fraction of the pairs work on any given site, but because each guess is a known credential rather than a random one, the attacker needs only one attempt per account, so per-account lockouts do little against it.
Reverse Brute Force Attack
In this method, also called password spraying, the attacker takes one common password ("Welcome1", "Summer2023") and tries it against many usernames instead of trying many passwords against one account. Each account sees only a single failed attempt, so lockout rules that count failures per account never trigger.
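To make the four variants above concrete, here is an added example (written for this page, not code from the original post) that simulates each one against a handful of constructed accounts. The accounts, wordlist and "breach dump" are all made up, and the password hashing uses PBKDF2 as a stand-in for WordPress's own scheme; what matters is the order in which guesses are generated and which accounts fall to which attack.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000   # deliberately low so the demo runs quickly; real stores use far more


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (stand-in for WordPress's hashing, not its real scheme)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_accounts(plaintext):
    return {user: hash_password(pw) for user, pw in plaintext.items()}


def try_login(accounts, username, password):
    """The target's login check: constant-time comparison against the stored hash."""
    if username not in accounts:
        return False
    salt, digest = accounts[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# --- guess generators, one per attack type ----------------------------------

def dictionary_candidates(wordlist):
    """Dictionary attack: every word exactly as listed."""
    yield from wordlist


def hybrid_candidates(wordlist, suffixes=("1", "123", "!")):
    """Hybrid attack: case variants of each word, with and without common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in suffixes:
                yield base + suffix


def spray(usernames, candidates):
    """Try every candidate password against every username (dictionary/hybrid)."""
    cands = list(candidates)
    return ((user, pw) for user in usernames for pw in cands)


def reverse_brute_force(usernames, password):
    """Reverse brute force / password spraying: one password, many users."""
    return ((user, password) for user in usernames)


def credential_stuffing(breach_dump):
    """Credential stuffing: replay (user, password) pairs leaked elsewhere, one try each."""
    return iter(breach_dump)


def run_attack(accounts, guesses):
    """Feed (username, password) guesses to the login. Returns (compromised, attempts)."""
    compromised, attempts = {}, 0
    for user, pw in guesses:
        if user in compromised:          # an attacker stops once an account is open
            continue
        attempts += 1
        if try_login(accounts, user, pw):
            compromised[user] = pw
    return compromised, attempts


# Constructed sample data (hypothetical site; nothing here is real).
PLAINTEXT = {"admin": "Password1", "editor": "sunshine", "bob": "Tr0ub4dor&3", "carol": "Welcome1"}
ACCOUNTS = make_accounts(PLAINTEXT)
USERNAMES = list(PLAINTEXT)
WORDLIST = ["password", "sunshine", "letmein"]
BREACH_DUMP = [("bob", "Tr0ub4dor&3"), ("alice", "old-password")]   # bob reused his password


def demo():
    """Run all four attacks; returns {attack: (compromised, attempts)}."""
    return {
        "dictionary": run_attack(ACCOUNTS, spray(USERNAMES, dictionary_candidates(WORDLIST))),
        "hybrid": run_attack(ACCOUNTS, spray(USERNAMES, hybrid_candidates(WORDLIST))),
        "credential_stuffing": run_attack(ACCOUNTS, credential_stuffing(BREACH_DUMP)),
        "reverse": run_attack(ACCOUNTS, reverse_brute_force(USERNAMES, "Welcome1")),
    }


if __name__ == "__main__":
    for name, (compromised, attempts) in demo().items():
        print(f"{name:20s} {attempts:3d} attempts -> {sorted(compromised)}")
```

The plain dictionary only catches "sunshine"; the hybrid variant also takes "Password1" at the cost of several times as many attempts; credential stuffing needs just one try per account because bob reused his password; and the reverse attack opens carol's account while leaving only a single failed login on every other account, which is exactly why per-account lockouts miss it.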
How to Prevent Brute Force Attacks
A brute force attack can be made far less likely to succeed, if not ruled out entirely, by following these steps.
Keep Everything Updated
WordPress core, themes and plugins release new versions to fix bugs and patch vulnerabilities, and updating promptly protects your site from known exploits. Take a backup before applying updates so you can roll back if one breaks the site. Check for updates to the WordPress version, your active theme and every installed plugin, and delete plugins and themes you no longer use: inactive code still sits on the server and can still be exploited.
Use Strong Passwords and Change Them Regularly
You guessed it. The best protection is a strong password for every account, not keeping the same password for years, and changing it immediately if you suspect it has leaked. If your site has several login accounts, make sure all of your users follow these rules:
- Keep your passwords long. Use a minimum of 8 characters; 12 or more is better, and length does more for you than any other rule on this list.
- Keep it unpredictable. Do not use a dictionary word, your name or the site's name, even with digits or symbols tacked on the end.
- Keep it mixed. Use a combination of digits, upper- and lower-case letters and non-alphanumeric characters.
- Check whether your password appears in lists of common or breached passwords. If it does, it will be among the first guesses an attacker makes.
Avoid Common Usernames
This is especially important for administrator accounts. Do not use the default username "admin" or anything similar ("administrator", "admin1", the name of the site), because those are the first usernames every brute force tool tries. Bear in mind that a WordPress username is not really a secret: it appears in author archive URLs and is exposed by the REST API, so an unusual username buys a little time against lazy attackers but is no substitute for a strong password and a second factor.
Use Two-Factor Authentication
For additional security, enable two-factor authentication (2FA) with a plugin. Even if an attacker guesses or steals the password, they still need the second factor (a code from an authenticator app, a hardware key, or a code sent to your phone) to log in, which defeats every attack type described above. The only inconvenience is that you need your phone or key with you whenever you log in; keep the backup codes the plugin gives you somewhere safe so that a lost phone does not lock you out of your own site.
What if Someone Already Hacked Your Website?
You can still recover from this miserable event. First, regain administrative access to your site. If your password was changed, try the "Lost your password?" link on the login page, which emails a reset link to the address on the account. If the attacker also changed that email address, or the reset never arrives, reset the password from outside WordPress: with shell access, WP-CLI's "wp user update" command can set a new password, and otherwise get in touch with your hosting provider, who can change it directly in the wp_users table of the database.
Change All Your Backend Passwords
This is the single most important thing to do once you are back in. Change the WordPress administrator password, every other user's password, the database password stored in wp-config.php, and the FTP/SFTP and hosting control panel passwords, using strong, unique passwords, so that the attacker cannot simply walk back in with credentials they already hold. Regenerating the authentication keys and salts in wp-config.php also invalidates every existing login cookie, including the attacker's.
Identify the Damage Done
Scan your website with online malware scanners such as Google's Safe Browsing site status page or Sucuri's SiteCheck, and check Google Search Console for security warnings. Then look for what an outside scanner cannot see: administrator accounts you did not create, files modified since the last legitimate change, and PHP files in places they do not belong, wp-content/uploads in particular.
Restore from Backup
If you keep regular backups, you can restore the most recent one, but make sure the backup you choose was taken before the site was hacked; otherwise you restore the attacker's backdoor along with your content. Apply all pending updates immediately after restoring, or the weakness that let the attacker in is still there.
Check and Change User Permissions
Review user permissions, especially if many accounts can reach the admin settings. Remove any account you do not recognise (attackers frequently add a second administrator so they can get back in later), downgrade users to the lowest role their work needs, and consider temporarily disabling all other accounts while you are fixing the site.
Secure your wp-config.php file, which holds your database credentials and authentication salts, by restricting its file permissions so that only the web server user can read it, and close every backdoor the attacker may have left behind. Backdoors are often small PHP files hidden in wp-content/uploads, or a few lines of obfuscated code appended to a legitimate theme or plugin file. If you are not comfortable auditing PHP, get professional help for this.
Having your website compromised is one of the worst experiences a website manager can go through, so plan ahead and never take hardening your site's security lightly.
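A first pass at the clean-up above can be automated: walk the WordPress tree, flag PHP files inside wp-content/uploads, grep PHP files for the constructs backdoors lean on (eval, base64_decode, shell execution, user input invoked as a function, the old preg_replace /e trick) and check that wp-config.php is not readable by other users on the host. The scanner below is an added example written for this page, not code from the original post or from WordPress; it builds a constructed miniature site in a temporary directory so it runs offline, and its pattern list is a starting point, not a complete malware signature set (a clean report does not prove the site is clean, and a legitimate plugin can trip a pattern, so treat hits as leads to read, not verdicts).

```python
import os
import re
import stat
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}

# Constructs commonly used by WordPress backdoors (assumed starting list, not exhaustive).
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), "obfuscation helper"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("), "shell execution"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("), "user input called as a function"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"), "preg_replace /e"),
]


def scan_wordpress(root):
    """Return a list of (relative_path, reason) findings for a WordPress install at `root`."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel == "wp-config.php":
            # DB credentials and salts live here; group/other bits should be clear.
            if stat.S_IMODE(path.stat().st_mode) & 0o077:
                findings.append((rel, "readable by group/others"))
        if path.suffix.lower() not in PHP_SUFFIXES:
            continue
        if rel.startswith("wp-content/uploads/"):
            # Uploads should only ever hold media; PHP here is almost always a dropped shell.
            findings.append((rel, "php file inside uploads"))
        text = path.read_text(errors="replace")
        for pattern, label in SUSPICIOUS:
            if pattern.search(text):
                findings.append((rel, f"suspicious: {label}"))
    return findings


def build_sample_site():
    """Create a constructed miniature WordPress tree (hypothetical content) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'constructed-example'); ?>",
        "wp-content/themes/twentyx/functions.php": "<?php add_action('init', 'my_theme_setup'); ?>",
        "wp-content/uploads/2023/10/photo.jpg": "\xff\xd8\xff not really a jpeg",
        "wp-content/uploads/2023/10/wp-cache.php": "<?php @eval(base64_decode($_POST['x'])); ?>",
        "wp-content/plugins/hello/hello.php": "<?php $c = $_GET['cmd']; system($c); ?>",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    os.chmod(root / "wp-config.php", 0o644)   # constructed weak mode; 0o400 or 0o440 is the goal
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, reason in scan_wordpress(site):
        print(f"{rel}: {reason}")
```

On a real install, call scan_wordpress with the document root and follow up by diffing wp-admin, wp-includes and each plugin against a fresh copy of the same version, which finds tampering that matches none of the patterns above.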