What are brute force attacks, what do attackers use them for and how can you prevent these attacks on your WordPress? You're probably asking yourself questions like these when you're dealing with this topic. We have collected answers to these questions.
What are brute force attacks?
Brute force attacks are attempts to gain access to a system (in your case, presumably your WordPress site) by guessing a valid user name and the matching password. Whoever guesses correctly gets everything that account is allowed to do.
It is a very simple and primitive method (as the name says: brute force, sheer force) that is still very effective. At the same time, it is comparatively easy to defend against.
What types of brute force attacks are there?
There are small but important differences between the variants of brute force attacks and their attack scenarios. The most common can be divided into five categories:
- Simple brute force attack
- Dictionary Attack
- Hybrid Brute Force Attack
- Reverse Brute Force Attack / Password Spraying
- Credential stuffing
We present each of these categories in detail below.
1. Simple brute force attack
This is the purest form of brute force attack: every possible combination of characters is tried one after the other, without any prior research or special procedure beyond simply counting characters up or down.
The method is simple but costs time or a lot of computing power. It is nevertheless still viable thanks to ever faster processors and the option of pointing many systems at one target at once (for example via botnets or rented cloud servers).
Both laboratory tests and real-world cases show an 8-character password being cracked in under 12 minutes. Note what that figure means: it refers to offline cracking of a captured password hash at GPU speed. Against a live login form every guess is a request the server has to answer, which is many orders of magnitude slower, but hashes do leak (see credential stuffing below). As hardware improves, reaching the target becomes faster and cheaper still, so the method remains popular with attackers who have a particular target in mind.
Advantage: Any password will eventually be found.
Disadvantage: It can take a long time and requires a lot of computing power.
Good defense methods: Use long passwords with a wide range of characters.
2. Dictionary attack
Unlike the simple brute force method, the dictionary attack uses an existing data set as its list of candidates.
This can be data from different sources:
- Actual dictionaries, for example all words from the Duden (the standard German dictionary).
- Password lists such as the 10,000 most frequently used passwords.
- Passwords from previous breaches (usernames and passwords from previous hacks of websites and applications).
The first variant is becoming less and less important, but the last two have gained importance over the years, since these lists grow with every new breach.
Advantage: As users like to use passwords that are easy to remember, they often make it easy for themselves and use individual words from the dictionary or names over and over again on all services, websites and apps. The probability of success in gaining access is therefore quite high and the method is significantly faster than a simple brute force.
Disadvantage: Success is no longer guaranteed; a password that is not on the list is never found.
Good defense methods: Do not use individual words from the dictionary or names, objects or the like. Also, only use the same password for one account and not for several.
3. Hybrid brute force attack
The hybrid brute force attack is a combination of the simple brute force attack and the dictionary attack.
It takes a word from the dictionary and combines it with numbers or symbols that people typically append, such as a year of birth, a wedding date or a single exclamation mark. Compared with a simple brute force this drastically limits the number of attempts, and compared with a plain dictionary attack it catches the common "word plus suffix" habit.
Advantage: The same as the dictionary attack, extended by a manageable number of extra attempts for simple additions such as years or text smileys (Maga2020 is a well-known example).
Disadvantage: As with the dictionary attack, success is no longer guaranteed.
Good defense methods: Avoid dates and numbers that mean something to you in passwords, and do not "fix" a dictionary word by appending a year or an exclamation mark.
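To make the "drastically limits the number of attempts" point concrete, here is an added example (my code, not from the original article): a small hybrid rule set that combines a constructed mini-dictionary with case variants, years and common suffixes, counts the candidates it produces, compares that with the search space of a simple brute force, and reports after how many guesses a given password turns up. The word list, the year range 1950 to 2030 and the suffixes are assumptions for the demo; real rule sets are far larger.

```python
"""Added example, not code from the original article: how a hybrid
attack shrinks the search space. A few dictionary words are combined
with the usual add-ons (case variants, years, digit and symbol
suffixes) and the resulting candidates are counted and searched for
a target password. The mini-dictionary, the year range and the
suffixes are constructed for this demo; real rule sets are larger."""

import string

WORDS = ["password", "summer", "maga", "dragon", "cola"]   # constructed mini-dictionary
YEARS = [str(y) for y in range(1950, 2031)]               # birth years, anniversaries, ...
SUFFIXES = ["", "!", "1", "123", "?"]                     # "" means: no suffix


def case_variants(word):
    """lowercase, Capitalised and UPPERCASE forms, in a fixed order."""
    return list(dict.fromkeys([word.lower(), word.capitalize(), word.upper()]))


def hybrid_candidates(words=WORDS, years=YEARS, suffixes=SUFFIXES):
    """Yield word + year + suffix combinations, a typical hybrid rule set.
    The bare word itself is left to the plain dictionary attack."""
    for word in words:
        for variant in case_variants(word):
            for year in [""] + years:
                for suffix in suffixes:
                    if year or suffix:
                        yield f"{variant}{year}{suffix}"


def hybrid_keyspace(words=WORDS, years=YEARS, suffixes=SUFFIXES):
    """Upper bound on the number of guesses the hybrid attack needs."""
    return sum(1 for _ in hybrid_candidates(words, years, suffixes))


def brute_force_keyspace(length, alphabet=string.ascii_letters + string.digits):
    """Number of guesses a simple brute force of exactly `length` characters needs at most."""
    return len(alphabet) ** length


def attempts_to_find(target, words=WORDS, years=YEARS, suffixes=SUFFIXES):
    """Guesses needed until `target` turns up, or None if the rules never produce it."""
    for n, candidate in enumerate(hybrid_candidates(words, years, suffixes), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    print("hybrid candidates:           ", hybrid_keyspace())
    print("brute force, 8 alphanumerics:", brute_force_keyspace(8))
    print("guesses until Maga2020:      ", attempts_to_find("Maga2020"))
    print("guesses until x7$Qp9!L:      ", attempts_to_find("x7$Qp9!L"))
```

With this tiny rule set "Maga2020" is hit after a few thousand guesses, whereas exhausting all 8-character alphanumeric strings takes 62^8 (about 2.2 × 10^14) guesses. The random password "x7$Qp9!L" never appears, which is exactly the "success no longer guaranteed" disadvantage from the text.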
4. Reverse brute force attack or password spraying
Attackers try one password against many different user names: the user name varies, but the password stays the same.
Advantage: As described above, people tend to reuse their passwords and use the most memorable ones possible. This also applies to this type of attack. In addition, it can be used to bypass a lock-out (login lock for the account) if too many attempts are made on the same user account.
Disadvantage: This method can yield many accesses, but perhaps not to the accounts the attacker actually wanted.
Good defense methods: Standard lists of common user names are usually used here too (unless the user names can simply be read off the site, see Measure 2 below), so it pays to choose a hard-to-guess user name and treat it with the same care as the password.
5. Credential stuffing
Data from past breaches (see dictionary attack, point 2) plays a role here as well. Credential stuffing does nothing other than reuse the login data from existing breaches.
For example, if you have used the username [email protected] and the password Cola123 somewhere on a website or app and this data has been obtained through a breach, attackers will use exactly this combination to log in to other services and applications.
This attack has a very high chance of success and is becoming increasingly popular. It is therefore currently one of the most dangerous.
You can check whether one of your accounts has already been breached on the website haveibeenpwned.com.
Raidboxes and breaches
When creating a new user account, Raidboxes checks whether the password has already appeared in a breach (anonymous and untraceable).
Advantage: The fact that people are creatures of habit comes into play here too. Most people use the same email address and password for many services. It also avoids account lockouts, since only one or a few attempts per account are needed, as with reverse brute force.
Disadvantage: With this attack, it is again necessary to find out in advance whether the person whose account you want to access also uses the service/website/app. However, if you simply want access at all, it is a very successful method.
Good defense methods: Never use the same login details more than once. Keep them unique everywhere you register.
How do I protect my WordPress website from brute force attacks?
I often read and hear the advice: "Just use secure passwords."
This may be true in principle, but with enough time and attempts any login combination can eventually be guessed if no other protective measure limits or blocks the attempts.
These attacks also mean avoidable load on your server - and this not only damages the loading time of your website, but also your wallet if your host charges according to traffic.
The best method is still to prevent these attacks in the first place and block access completely.
At server level
Measure 1: Block unauthorized requests to your login form
No matter how strong a login combination you use, without further protection it is only a question of time, computing power and attempts.
The most efficient way is actually to create protection that completely blocks any unauthorized request to your WordPress login form. This prevents automated and manual attacks from getting through in the first place. Ultimately, this also protects your server.
There are several options for this. Not every option is suitable, this depends on how technically adept you are and how many setting options you have with regard to your DNS and server settings.
Tip: Create IP Allow List
Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️🛠️🛠️
If you always access the Internet from the same IP address, for example because you have your own VPN or a fixed IP in your agency, the safest method is to create an allow list for this IP on /wp-login.php and /wp-admin/. Check beforehand which address your server actually sees for you (your access log shows it; it may be an IPv6 address), and note that behind a CDN or reverse proxy the server sees the proxy's address unless it is configured to restore the client IP (mod_remoteip for Apache, the real_ip module for Nginx).
Apache
If your web server runs on Apache, add this part to your .htaccess (admin-ajax.php is excluded from the block because many plugins call it for logged-out visitors on the front end):
RewriteEngine On
# Login script and admin area, except admin-ajax.php, which front-end plugins call for visitors
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule .* - [F,L]
Important: In the line containing REMOTE_ADDR, replace only the NUMBERS with those of your IP address; the backslashes before the dots must stay, because a bare dot is a wildcard in a regular expression.
For example, if your IP were 95.217.228.176, the line would read:
RewriteCond %{REMOTE_ADDR} !^95\.217\.228\.176$
Add a separate REMOTE_ADDR line for each permitted IP address (a request is only blocked if it matches none of them). Rules in .htaccess take effect immediately, no restart is needed; if you put them into the virtual host configuration instead, reload Apache. Then test from a different network (for example your phone without Wi-Fi) that you really get a 403.
Nginx
Add this snippet to your server block of the virtual host file. Again, you must add an allow line for each permitted IP address.
location = /wp-login.php {
    allow 192.168.1.1;   # IP address 1: one allow line for each permitted IP address
    allow 172.16.1.1;    # IP address 2
    deny all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
Check the configuration with nginx -t and reload your nginx service (systemctl reload nginx) so that the changes are applied. Note that this exact-match location only covers wp-login.php, not the /wp-admin/ directory.
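The snippet above protects only wp-login.php. As an added example (my suggestion, not part of the original article or of the Raidboxes setup), the same allow list applied to the whole /wp-admin/ directory, with admin-ajax.php left reachable because many front-end plugins call it for logged-out visitors. The addresses and the PHP-FPM socket path are placeholders to adapt to your server:

```nginx
# Exact match wins over the prefix location below, so admin-ajax.php stays public
location = /wp-admin/admin-ajax.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

# Everything else under /wp-admin/ is served only to the listed addresses
location ^~ /wp-admin/ {
    allow 192.168.1.1;   # one allow line per permitted address
    deny all;            # inherited by the nested location
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
```

Again run nginx -t and reload. If the site sits behind a CDN or reverse proxy, configure the real_ip module (set_real_ip_from and real_ip_header) first; otherwise allow and deny compare against the proxy's address and either lock everyone out or let everyone in.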
Tip: Use a CDN firewall
Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️
CDNs can offer very good protection if you configure their firewall to put a captcha or challenge in front of the login form.
Here is a short tutorial for Cloudflare. In the free Cloudflare plan you can create up to 5 such rules.
1. Log in to your Cloudflare dashboard, go to Firewall (in the current dashboard: Security > WAF > Custom rules) and create a new rule.
2. The settings of the rule are:
That's all.
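The original's screenshot of the rule settings is not reproduced here. As an added example (my suggestion, not Raidboxes' configuration), this is a rule in Cloudflare's rules language that challenges requests to the login form and the admin area while leaving admin-ajax.php alone, because front-end plugins call it for logged-out visitors:

```text
Rule name:  Challenge WordPress login
Expression: (http.request.uri.path eq "/wp-login.php") or
            (starts_with(http.request.uri.path, "/wp-admin/") and
             not http.request.uri.path eq "/wp-admin/admin-ajax.php")
Action:     Managed Challenge
```

Two caveats a practitioner should keep in mind: the rule only helps if the origin server is not reachable directly, so restrict the origin to Cloudflare's published IP ranges or combine it with the allow list above; and if you do not use XML-RPC, add /xmlrpc.php to the expression, since it accepts credentials as well.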
Tip: Create blocklist via Fail2Ban
Protection: 🔒🔒🔒🔒
Technical effort: 🛠️🛠️🛠️🛠️
If you don't have a fixed IP and don't use a CDN, you can have Fail2Ban build a blocklist from your web server's access log. You can find good tutorials here:
Please note, however, that you must adapt the filter specifically to failed logins on /wp-login.php: a failed WordPress login is a POST to /wp-login.php answered with status 200 (the form is re-rendered), a successful one is answered with a 302 redirect.
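To show what such a filter actually does, here is an added example (my code, not from the original article or from Fail2Ban): the detection logic of a wp-login.php filter run over a few constructed access-log lines in the standard combined format, returning the addresses that would be banned. The thresholds mirror Fail2Ban's maxretry and findtime and are assumptions; the log lines, the TEST-NET addresses and the timestamps are constructed for the demo.

```python
"""Added example, not from the original article: the detection logic of a
Fail2Ban filter for WordPress logins, run over constructed access-log
lines. A failed login is a POST to /wp-login.php answered with 200; a
successful one is answered with 302 and is not counted. Thresholds and
sample data are assumptions for the demo."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# The same pattern with <HOST> in place of the host group works as the
# failregex of a Fail2Ban filter (filter.d/wordpress-login.conf):
#   failregex = ^<HOST> -.* "POST /wp-login\.php(\?\S*)? HTTP/[\d.]+" 200
FAILED_LOGIN = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php(?:\?\S*)? HTTP/[\d.]+" 200 '
)
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"   # timestamp format of the combined log format

# Constructed sample log: one fast attacker, one legitimate user, one slow attacker
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
"""


def parse_failures(lines):
    """Yield (timestamp, ip) for every line that records a failed login."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), LOG_TS), m.group("host")


def offenders(lines, maxretry=5, findtime_seconds=600):
    """Addresses with `maxretry` failures inside any window of `findtime_seconds`,
    which is when Fail2Ban would ban them."""
    findtime = timedelta(seconds=findtime_seconds)
    events = defaultdict(list)
    for ts, ip in parse_failures(lines):
        events[ip].append(ts)
    banned = set()
    for ip, times in events.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed logins:", len(list(parse_failures(lines))))
    print("banned with maxretry=5, findtime=10m:", offenders(lines))
    print("banned with maxretry=5, findtime=3h: ", offenders(lines, findtime_seconds=3 * 3600))
```

The fast attacker is caught with the default 10-minute window, the slow one only when the window is widened to three hours, and the legitimate user with a single typo is never banned. Two things to watch in production: behind a CDN or proxy the first field of the log line is the proxy's address, so make the web server log the real client IP (CF-Connecting-IP or X-Forwarded-For) before you ban on it; and the 200-versus-302 heuristic breaks if a plugin changes the login response.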
Tip: Use Raidboxes Dashboard
Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️
In combination with secure username and password and Raidboxes Single Sign On.
Raidboxes customers already have a configurable Anti Brute Force module on each of their instances.
Together with the Single Sign On, this is one of the highest security settings you can have, without any technical effort.
In WordPress itself
If you have followed these steps, you are very well protected against attacks.
However, if you are unable to apply these solutions because you do not have access to your server settings or to the DNS records needed for a CDN, here are a few other steps.
Measure 2: Prevent username enumeration
Before we turn our attention to secure passwords, let's start at the beginning: with the username.
The user name is half of the credential pair, and WordPress unfortunately makes it very easy to read the login names of existing accounts: a request to /?author=1 redirects to /author/<login>/, and the REST API endpoint /wp-json/wp/v2/users lists the users that have published posts. Both can be automated. You can prevent this either by securing your WordPress yourself or by installing the following plugins.
Tip: Solution via plugins
Protection: 🔒🔒🔒🔒
Technical effort: 🛠️
Plugin 1: Unified Login Error Messages
This plugin replaces the differing error messages for failed login attempts with one uniform message. WordPress currently tells you whether a user name exists or not (an unknown user name gets a different message than a wrong password for an existing one), which lets an attacker confirm user names.
Plugin 2: Stop User Enumeration
Stop User Enumeration does exactly what it says: It blocks unauthorized requests to your WordPress, for example to read out usernames via the author archive.
Tip: Solution via functions.php
Protection: 🔒🔒🔒🔒
Technical effort: 🛠️🛠️
If you prefer to take control yourself, you can adjust the functions.php of your active theme (make a backup beforehand, and use a child theme or a small custom plugin, because a theme update overwrites functions.php).
Add the following code (it only covers the ?author= query; the login error messages and the REST API user endpoint are separate leaks, see the plugins above):
PHP code
// Runs for front-end requests only: is_admin() is true inside the dashboard,
// it says nothing about whether the visitor is an administrator
if (!is_admin()) {
    // Abort /?author=N requests, which WordPress would redirect to /author/<login>/
    if (!empty($_SERVER['QUERY_STRING']) && preg_match('/author=([0-9]+)/i', $_SERVER['QUERY_STRING'])) {
        wp_die('Forbidden', 'Forbidden', array('response' => 403));
    }
    add_filter('redirect_canonical', 'stop_user_enum', 10, 2);
}

function stop_user_enum($redirect, $request) {
    // Same check in the canonical redirect, which also fires for /?author=N/ with pretty permalinks
    if (preg_match('/\?author=([0-9]+)(\/*)/i', $request)) {
        wp_die('Forbidden', 'Forbidden', array('response' => 403));
    }
    return $redirect;
}
Tip: Use Raidboxes Dashboard
Protection: 🔒🔒🔒🔒
Technical effort: 🛠️
Raidboxes customers benefit from ready-made solutions in the Raidboxes dashboard. There is nothing more to do than to set them up.
Measure 3: "Just use secure passwords"
Note: At Raidboxes, when registering a new account, we ask for things that make brute force queries much more difficult. This includes:
- Specified minimum length
- Complexity
- whether the password can be found in the dictionary (English or German)
- whether it contains a date
- whether it has ever been in a known password breach (anonymous and untraceable)
Passwords are a weak mechanism for several reasons:
- they can be guessed (brute force),
- they can be read off the device (key loggers and the like),
- they can be read out of a service's data store if it is stored without or with poor hashing,
- they only prove that someone possesses the secret, not the identity of the person behind it,
- and they are usually hard to remember if they are "secure".
For the latter problem, there are password managers such as 1Password, BitWarden, KeePass and more.
When we are in the WordPress environment, we have to accept the fact that we have to use passwords.
So what is a "secure" password?
A secure password is a long password that has a certain degree of complexity.
Yes, password length is more important than complexity. An 8-character password can be cracked for about USD 25 of rented GPU time within 12 minutes, even if it consists of special characters, upper and lower case letters and numbers. (That figure refers to offline cracking of a captured, fast password hash; a rate-limited login form is far slower, but it shows what a leaked hash is worth.)
The following GIF illustrates very well why length is more important than complexity:
Attackers do not want to invest a lot of money or time in long passwords either; they move on to easier targets. So the rule of thumb is: the longer your password, the better!
But long and complex passwords are hard to remember!
That's true, but in times of password managers we only need to remember one long and complex password and let these managers create and save the rest.
If we have this one password and change it whenever there is any indication that it has been exposed (periodic changes without such a reason are no longer recommended), we are on the safe side.
Here's an open secret on how to create long, complex passwords and remember them straight away:
This means we can take this XKCD comic strip to heart and create a long password using one of the following patterns:
Zugsitz+Feldweg-7Augenschlag
Or we use whole sentences with a little extra complexity:
I_only_like_spinach_3_times_a_day
We have created a relatively meaningless sentence with special characters and a number, which is very difficult to guess and yet memorable. This is also called a passphrase.
Many password managers, such as BitWarden, create such memorable but complex passphrases for you.
Addition: Use a secure user name
As mentioned above: the user name is half of your credentials.
If an attacker knows this part, half the job is done and only the password remains. So don't use user names like admin, administrator or your own name, and don't use the name of the website, the domain or anything else to do with the site itself.
Example
If your site is called www.ireallylovecats.com, don't use a name that has anything to do with cats.
Better yet, take the same trick as for the password and use a long sentence with some extra complexity, for example asphalt.can.also.with.7.spice. Note that WordPress only accepts letters, digits, spaces and the characters _ . - @ in user names, so other special characters (such as / or !) are rejected.
Create password with Raidboxes
Create a user name and password of maximum length (currently 60 characters for the user name, which is the size of WordPress' user_login column, and 64 characters for the password) with lots of letters, numbers and special characters, then simply use the single sign-on in the dashboard. Secure login with one click.
Measure 4: Security plugins
Tip: All-rounder plugins
Protection: 🔒🔒🔒🔒
Technical effort: 🛠️🛠️ to 🛠️🛠️🛠️
There are a lot of WordPress security plugins on the market, for example:
All of these security plugins offer built-in brute force protection and much more. For most WordPress websites, the installation and maintenance of these plugins will suffice as protection. Configuration and maintenance is also minimal.
Nevertheless, plugins have one (in most cases small) disadvantage: they cannot take the load of a brute force attack off the server. A plugin needs a PHP process for every request to check whether the access is valid and whether the IP is on the blocklist.
All this costs server resources per request. Of course, still less than a full login attempt, and the server only really suffers when the attack approaches DoS or DDoS dimensions, but it should not be ignored.
But back to the many advantages of the plugins: If they are always kept up to date, new types of attacks are quickly detected and mitigated without you having to do anything yourself.
Tip: Hide WP login
Protection: 🔒
Technical effort: 🛠️
"Security through obscurity" is the phrase security people use for this method.
It means trying to prevent attacks by simply disguising the problem. This only works in a few cases, because automated brute force attacks do not browse to the login form; they post the login parameters directly to the script, or use other endpoints that accept credentials, such as xmlrpc.php (which, via system.multicall, even allows many attempts per request).
Just because the standard URL such as /wp-admin or /wp-login.* is not reachable, these attacks will not stop.
Conclusion
I hope I was able to explain the different types of brute force attacks and give you tips on how to protect your WordPress against them in the future. If you have any further questions, we look forward to your comment!