With billions of individual attacks per year, Brute Force attacks are arguably the greatest threat to WordPress sites . Fortunately, this type of attack is also very clumsy and easy to trick. We'll show you four simple and quick measures against the hacker attacks. And also three more complex protection mechanisms.
In April 2017 alone, security vendor Wordfence countedmore than one billion Brute Force attacks on WordPress sites worldwide. And that is only an approximation - the number of unreported cases is significantly higher. This means that the attacks, which attempt to automatically guess passwords and usernames, pose a major threat to WordPress sites worldwide. But not only that. Because over 37.5 percent of the 10 million largest websites currently run at WordPress . And that means that the question of effective protection mechanisms for WordPress also concerns the Internet as a whole.
If you want to know exactly how Brute Force attacks work and how dangerous they are, check out our background article on Brute Force attacks.
Despite their large number, there is one good news: There are useful security measures against Brute Force attacks that you can implement yourself without much effort and above all without any programming knowledge. And there are measures that at least require a basic knowledge of how to handle the .htaccess file.
These seven measures are the subject of today's debate:
- Strong passwords (very important!)
- Do not use "admin" as a username
- Limit the number of invalid logins
- Two-factor authentication
- Multilevel login
- Hide login area (is controversial)
1. use a strong password
A strong password is extremely important as protection against Brute Force attacks. Bots and botnets use huge password databases for their "guessing games". These are tried out bluntly. The more unusual and difficult your password, the greater the likelihood that it will not appear in it.
The longer and more difficult your password, the longer it will take bots to crack it if they also try to guess the password without a list.
So your password should contain various combinations of characters from the ...
- 10 different numbers (0 to 9)
- 52 different letters (A to Z and a to z)
- 32 different special characters ...
... and be at least 8 characters long.
The password manager Passwort-Depot provides some illustrative calculation examples. Here it is assumed that a strong single computer can generate two billion passwords per second. In concrete terms, this means:
- A password consisting of 5 characters (3 lower case letters, 2 numbers) has 60 466 176 possible combinations and can thus be cracked in 0.03 seconds.
- A password with 8 characters (4 lower case letters, 2 special characters, 2 numbers) already has 457 163 239 653 376 possible combinations. Here the calculator needs about two and a half days.
- And a password consisting of 12 characters (3 upper case letters, 4 lower case letters, 3 special characters, 2 numbers) has a staggering 475 920 314 814 253 376 475 136 possible combinations. It takes a single computer 7.5 million years to crack this password.
The WordPress codex recommends the Plugin Force Strong Passwords for the creation of such passwords. This forces users to choose appropriately complex passwords. This Plugin does not directly make sites more secure, but it does educate users to use strong passwords. And especially if you work on behalf of a customer, this small measure can be very practical.
You don't have to remember the passwords!
Password managers help you to create and manage secure passwords. All you have to do is remember a master password (as complex as possible, of course). The program does the rest for you. Apple computers already have an application called "Keychain Manager" installed. Cloud-based password management programs such as 1Password, LastPass or KeyPass work in the same way.
So you don't have to remember all your passwords. Especially if you manage more than one site and use a variety of services, a professional password management is a blessing.
2. do not use the username "admin
As already mentioned: Brute Force attacks are basically guessing attempts. You should therefore make it as difficult as possible for the hackers to guess your username. Therefore, do not use the username "admin" preset by WordPress - and therefore do not use the one that the system has preset for you. This username is of course also the default for all other WordPress users.
3. lock the login-site after too many failed attempts
Brute Force attacks test thousands and thousands of combinations of user names and passwords. Conversely, this means that you generate thousands and thousands of login attempts to limit.
Your server will notice that something is going on. With an appropriate Plugin you can define that access is blocked after a certain number of failed attempts, so that hackers have to put their attack on hold. You can implement this protection with a Plugin like WP Limit Login Attempts or Limit Login Attempts Reloaded.
At Raidboxes , every WordPress installation has the function to limit login attempts integrated by default. If a person or a bot tries to log in to your sitetoo often with the wrong access data, we initially block the IP in question for 20 minutes. If the login attempts with false data continue, the IP will even be blocked for 24 hours. Of course, you can also define the number of attempts and the blocking period yourself.
Limit Login Attempts and Co. have an expiration date
However, there is one important thing to understand about this Plugins : Limiting the login attempts of an IP address has a serious flaw. It cannot anticipate the changing of an IP address. This means that botnet attacks, for example, can only be defended against poorly, if at all. With the new generation of IP addresses (IPv6 addresses), a single attacker can also change his IP address in fractions of a second. This fact increases the danger posed by botnet attacks.
And: A large number of the Brute Force attacks should not be mere guessing games. As the calculation in the section on secure passwords shows, even a botnet with a million devices cannot guess secure passwords. That is why many hackers work with password lists. This reduces the number of login attempts to the possible combinations of the respective password library.
Although the limitation of login attempts per IPstill makes sense, the importance of this security mechanism will rapidly decrease in the future. The only truly secure protection mechanism against attacks with changing IPs is two-factor authentication.
4. two-factor authentication
The idea behind the concept of two-factor authentication is to require a second confirmation in addition to the password when logging in. This is usually another alphanumeric code. The special thing about this is that it is transmitted outside the actual login process - for example, via a code generator or a mobile phone. And only the owner of this device is ultimately able to log in.
With the Google app Google Authenticator and a corresponding Plugin , extended authentication can be implemented relatively easily for WordPress . Frequently used are, for example, the Plugins Google Authent icator by Hendrik Schack or Google Authenticator by miniOrange.
To install the additional security protection, download the Google app to your smartphone and install the Plugin in WordPress . A QR code is now generated here, which you scan with the app. Alternatively, you can create the account manually. Now your WordPress user account and the app are linked on your mobile phone.
The app now generates a new security code every 30 seconds. Every user for whom two-factor authentication is activated will now see the line "Google Authenticator Code" next to "Username" and "Password" in the login area. So to log in, he needs the smartphone on which the codes are generated. Large security plugins such as Wordfence offer a similar mechanism in some cases.
The process of double authentication may sound complex, but from a security point of view it is a very good protection against Brute Force attacks. Especially in view of the change from IPv4 to IPv6 addresses mentioned above.
Strong passwords, changing the username, Plugins like Limit Login Attempts and two-factor authentication are all measures that you can implement easily, quickly and without programming knowledge. And most importantly, additional authentication and truly strong passwords also effectively protect against Brute Force attacks.
But if you want, you can do even more. You can secure your WP admin area with an additional password, create a blacklist or whitelist, or even hide your WP admin area. However, all these measures tend not to offer more security, but are rather to be understood as options or alternatives.
5. additional password protection
If you run your WordPress site on an Apache server, you have the possibility to implement a multi-level login procedure without Plugin . This is because every WordPress installation on an Apache server contains a so-called .htaccess file. In this file you can store code for an additional HTTP authentication, in order to build in an additional password protection of the login-site . The server requires a password to even let visitors through to the login screen.
# Protect wp-login AuthUserFile ~/.htpasswd AuthName "Private access AuthType Basic require user mysecretuser
With this command, a password query is generated before the wp-admin area can even be accessed. Here you enter an additional username and password to access the login area at all. However, the data for the additional user must be defined in the .htpasswd. To do this, the username and password must be added to the file in encrypted form. The WordPress codex explains how this process basically works.
6. blacklisting & whitelisting
Speaking of .htaccess: You can implement another powerful protection with this file. A few lines of code make sure that only certain IPs have access to the WordPress dashboard or individual directories.
To do this, you store an additional .htaccess with the following code in the appropriate directory - preferably wp-admin:
# Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all
x.x.x.x must of course be replaced with the IPs that should have access to site . The example shows a whitelist, i.e. a list of IPs that are allowed to access the site . This blocks the loginsite for all other IPs. By the way, the order of the commands - "allow" followed by "deny" - is extremely important, because they are executed in order. If "deny from all" comes first, you will also be faced with closed doors.
A blacklist would implement the exact opposite mechanism: It would determine which IPs are not allowed to access site . Of course, there are also plugin solutions for both. For example, well-known security plugins, such as All In One WP Security, Wordfence or Sucuri, each offer a blacklist or whitelist function. However, it should be noted that these three Plugins can of course do much more than just create blaklists, or whitelists. Therefore, you should not install them exclusively for these functions. A popular alternative would be Plugin Loginizer, which currently has more than 500,000 active installations.
7. hide the login area
Brute Force Attacks attack your loginsite . A very simple way to prevent these attacks is to prevent the attackers from accessing the login pagesite in the first place. For this purpose, some webmasters hide the login mask. The login area is then only accessible via a secret URL.
This measure follows the (controversial) principle of security through obscurity and is not a sensible security measure on its own. We at Raidboxes are not big friends of this principle. If you implement the above-mentioned measures, you have already secured your login area very well and do not need to move it additionally. However, this measure can contribute to the perceived security, which can be especially important for the perception of your customers.
- WPS Hide Login (100,000+ active installations)
- Protect Your Admin (20,000+ active installations)
- Cerber Security & Limit Login Attempts (40,000+ active installations)
As said: In our opinion, hiding the wp-admin is not a sensible measure - at least not to protect your site from Brute Force attacks. If you have chosen a strong password and implemented a sensible IP exclusion procedure or two-factor authentication, then you have already significantly reduced the risk of a successful Brute Force attack.
With a current market share of over 32 percent, WordPress is by far the largest CMS worldwide. This is unlikely to change in the future. The probability of becoming the target of a Brute Force attack is therefore, purely mathematically, extremely high. You have to be aware of that. Fortunately, you can also protect yourself from them very easily. Because a few measures, i.e. secure passwords and two-factor authentication, can be implemented in a few moments and completely without programming knowledge.
And even the supposedly more difficult measures, such as blacklisting or whitelisting, an additional password protection or blocking mechanism for the login area can be implemented with Plugins . So if you just follow the first three or four points of this post, you are already well protected against Brute Force attacks. Of course, you can always do more, i.e. create additional password protection or set up blacklists or whitelists. But in such cases, you should weigh up whether the additional security mechanisms are really worth it, especially with regard to the administration effort.