WordPress Brute Force Attack

4 measures to prevent brute force attacks on your WordPress

What are brute force attacks, what do attackers use them for and how do you prevent these attacks on your WordPress? You will surely ask yourself such questions when dealing with this topic. We have collected answers to these questions.

What are brute force attacks?

Brute force attacks are attempts to gain access to your system (in your case probably your WordPress). This is done by trying to guess a username and the corresponding password. After all, this account already has access to the system. 

It is a very simple and primitive method (as the name suggests), which is still very effective. At the same time it is also very easy to prevent.

Which types of brute force attacks exist?

There are small but subtle differences between brute force attacks and their attack scenarios. The most common types can be divided into 5 categories:

  1. simple brute force attack
  2. dictionary attack
  3. hybrid brute force attack
  4. reverse brute force attack / password spraying
  5. credential stuffing

Below we present each of these categories in detail.

"*" indicates required fields

Consent*
This field is for validation and should not be changed.

1. simple brute force attack

The purest form of a brute force attack. It tries every combination of characters one by one - without any research or separate procedure, except simply through counting up or down characters.

WordPress Brute Force Simple Attack
Credit: Matthias Held

This method is simple, but it costs time and a lot of computing power. However, with increasingly powerful processors or the possibility of unleashing many different systems simultaneously on an attack target (for example, using botnets or cloud servers), it is still a valid method. 

There are both lab tests and real world applications that can crack an 8 character password in less than 12 minutes. As technology advances, it will become even faster and easier to get to the target. Therefore, this method remains popular among attackers who have a specific target in mind.

Advantage- Any passwords can be guessed.
Disadvantage- It can take a long time and requires a lot of computing power.

Good defense methods- Use long passwords with a wide range of characters.

2. dictionary attack

Unlike the simple brute force method, the dictionary attack uses an existing record to test.

This can be data from different sources:

  1. actual dictionaries, for example, all the words from the Oxford dictionary.
  2. password lists such as the 10,000 most frequently used passwords.
  3. passwords from past breaches (usernames and passwords from previous hacks of websites and applications).

The first variant is becoming increasingly less important, but the last two have become stronger over the years, because as cyberattacks increase, the amount of data in these lists naturally increases as well.

WordPress Brute Force Dictionary Attack
Credit: Matthias Held

Advantage- Since users like easy to remember passwords, they often make it easy for themselves and use single words from the dictionary or names over and over again on all services, websites, and apps. Therefore, the probability of success is quite high and the method is much faster than a simple brute force.


Disadvantage - Probability of success is no longer at 100%.

Good defense methods: Do not use single words from the dictionary or names, objects or the like. Also, use the same password only for one account and not for several. 

3. hybrid brute force attack

The hybrid brute force attack is a combination of the simple brute force attack and the dictionary attack.


Here a word from the simple brute force is taken and combined with potential numbers that are often used, such as a birth year or wedding anniversary. This drastically limits the number of potential attempts and thus simplifies the attack process.

WordPress Brute Force Hybrid Attack
Credit: Matthias Held

Advantage - This method has the same advantage as the dictionary brute force, only with the number of attempts increased and extended by a high number of attempts with simple addition of characters such as smileys in text form or year numbers(Maga2020 is a famous example).
Disadvantage - Probability of success is no longer at 100%, as with dictionary brute force.

Good defense methods- refrain from using dates or numbers that are important to you in passwords.

4. reverse brute force attack or password spraying

Here attackers try to combine a password with different user names. The user name thus varies, the password remains the same.

WordPress Brute Force Reverse Attack
Credit: Matthias Held

Advantage - As described above, people are inclined to reuse their passwords and use the most memorable ones possible. This also applies to this type of attack. In addition, it is possible to circumvent a lock out (login lock for the account) if too many attempts are made on the same user account.

Disadvantage- This method can lead to many accesses, but maybe not to the accounts you want.

Good defense methods - Since standard lists for user accounts are mostly used here as well (insofar as they cannot be read), it is recommended to choose a hard-to-guess user name with many alphanumeric characters and special characters, just as with the password.

5. credential stuffing

Data from past breaches (see Dictionary Attack, point 2) also plays a role here. Credential stuffing does nothing else than reuse the login data from existing breaches.

For example, if you have used the username yourmail@yourwebsite.com and the password Cola123
somewhere on a website or an app
and this data got out through a breach, attackers will use it to log in to other services and apps as well.

WordPress Brute Force Credential Stuffing
Credit: Matthias Held

This attack has a very high chance of success and is increasingly popular. Therefore, it is also one of the most dangerous at the moment.

You can check if one of your accounts has already been in a breach on the haveibeenpwned.com website.

Raidboxes and breaches

When creating a new user account, Raidboxes checks if the password has been in a Breach before(anonymous and untraceable).

Advantage - The fact that people are creatures of habit comes into play here as well. Most people use the same email address and the same password for many services. This also prevents a lock-out for accounts, as is the case with reverse brute force.

Disadvantage - With this attack, it must be scouted out beforehand again, whether the person whose account you want to get into also uses the service/website/app. If you just want access in the first place, however, it is a very successful method.

Good defense methods- Never use the same login details more than once. Keep them unique everywhere you register.

How do I protect my WordPress website from brute force attacks?

I often read and hear the advice "Just use strong passwords."

This may be true in principle, but with enough time and resources, any login combination can be cracked via brute force if no other protective measures are used.

Also, these attacks mean avoidable load on your server - and this not only hurts your website's loading time, but also your wallet if your host charges by traffic. 

To prevent these attacks from happening in the first place and block access completely is still the best method.

At server level

Action 1- block unauthorized requests to your login form

No matter how secure your login combination is, without further protection and with a lot of time and processing power, it would be cracked.
The most efficient way is actually to create a protection that completely blocks any unauthorized request to your WordPress login form. This way, the automated and manual attacks won't get through in the first place. This will also save your server in the end.

There are several possibilities for this. Not every possibility fits, this depends on how technically savvy you are and how many settings you have in relation to your DNS and server settings. 

Advice - create IP allow list


Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️🛠️🛠️

If you access the internet with always the same IP address, because you have your own VPN or have a fixed IP in your agency for example, the safest method is to create an allow list for that IP on the /wp-admin and /wp-login.

Apache

If your web server runs on Apache, add this part to your .htaccess:

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ 

RewriteRule ^(.*)$ - [R=403,L]


Important:
Note that in lines containing REMOTE_ADDR, you only need to replace the DIGITS with the respective digits of your IP.
For example, if your IP is 95.217.228.176, the line should read:

RewriteCond %{REMOTE_ADDR} !^95\.217\.228\.176$

Add a separate line for each permitted IP address. Then restart your Apache service to apply the changes.

Nginx

Add this snippet to your server block of the virtual host file. Again, for each allowed IP address you have to add an allow line.

location = /wp-login.php {

     allow 192.168.1.1; #IP address 1 for each allowed IP address one line

     allow 172.16.1.1; #IP address 2

     deny all;

     include snippets/fastcgi-php.conf;

     fastcgi_pass unix:/run/php/php7.4-fpm.sock;

     }

Restart your nginx service to apply the changes.

Advice - use CDN firewall


Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️

CDNs can provide very good protection by configuring the firewall to enable a captcha prompt before the login form.
Here is a tutorial for Cloudflare. You can create up to 5 rules in the free Cloudflare plan. 

1. log in to your Cloudflare-dashboard, go to firewall and create a new firewall rule.

2. the data of the rule are:

WordPress Brute Force CDN Firewall

That's about it.

Advice - create block list via Fail2Ban


Protection: 🔒🔒🔒🔒
Technical effort: 🛠️🛠️🛠️🛠️

If you don't have a fixed IP and don't use a CDN, you can create a blocklist via Fail2Ban. You can find good tutorials here:

Note, however, that you have to adjust this specifically to the /wp-login URL.

Advice - use Raidboxes dashboard

Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️

In combination with secure username and password and Raidboxes Single Sign On.

Raidboxes customers already have access to a configurable anti brute force module on each of their instances.
Together with Single Sign On, this is one of the highest security settings you can have without any technical effort.

In WordPress itself

You are very well protected from attacks, if you have followed these steps.
However, if you are unable to apply these solution(s) because you may not have access to your server settings or DNS records for setting up a CDN, here are a few other steps for you.

Action 2 - prevent username enumeration

Before we get into secure passwords, let's start at the beginning - with usernames.

Usernames make up 50 percent of access - and WordPress unfortunately makes it very easy to read the user (login) names for all created accounts with admin rights. And this in an automated way. You can prevent this by either doing it yourself and securing your WordPress - or by installing the following plugins.

Advice - solution via plugins


Protection: 🔒🔒🔒
Technical effort: 🛠️

plugin 1 - Unified Login Error Messages
This plugin suppresses the output of different error messages when login attempts fail. This is because WordPress currently gives a different error message if a username exists or not. This makes it easy to detect if the entered user exists.

plugin 2: Stop User Enumeration
Stop User Enumeration does exactly what it says - It blocks unauthorized requests to your WordPress, for example to read user names via the author archive.

Advice - solution via functions.php

Protection: 🔒🔒🔒
Technical effort: 🛠️🛠️

If you prefer to take control yourself, you can adjust the functions.php of your active theme (please make a backup before).

Add the following code:

PHP code

// If the user is not authenticated as an admin
if (!is_admin()) {
// RegEx to check if the request went to an “/author=INT” endpoint
if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();    add_filter('redirect_canonical', 'stop_user_enum', 10, 2);
}
function stop_user_enum($redirect, $request) {
// // RegEx to check if the the request went to an “/author=INT” endpoint but with the permalink furl format
if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die(); else return $redirect;
}

Advice - use Raidboxes dashboard


Protection: 🔒🔒🔒
Technical effort: 🛠️

Raidboxes customers benefit from ready-made solutions at Raidboxes dashboard . There is nothing more to do here other than to activate them.

Action 3 - "Just use strong passwords".

Note: At Raidboxes , when registering a new account, we ask for things when assigning passwords that make brute force queries much more difficult. This includes: 

  • preset minimum length
  • complexity
  • whether the password can be found in the dictionary (English or German)
  • whether it contains a date
  • whether it has been in a known password break before (anonymous and untraceable)

Passwords are deficient, because they can be guessed (brute force), read (key logger etc), read out (due to no or poor encryption/storage in data stores), only recognize the authorization of a terminal device, but not the identity of the person behind it, and are usually difficult to remember (if they are "secure").

For the latter problem, there are password managers like 1Password, BitWarden, KeePass and more. 

When working in a WordPress environment, we have to accept the fact that we have to use passwords.

So what is a "secure" password?

A strong password is a long password with a certain level of complexity. 

Password length is indeed more important than complexity. An 8-character password can be guessed for 25$USD within 12 minutes, even if it is filled with special characters, uppercase letters and numbers.

The following GIF illustrates very well why length has more weight than complexity:

WordPress Brute Force Safe Password
Credit: Intel Security // Intel.com

Also, hackers do not want to invest a lot of money or time for intensive calculations of long passwords. Therefore, as a rule of thumb, the longer your password, the better!

But long and complex passwords are hard to remember!

That's true, but in the age of password managers, we only need to remember one long and complex password and let these managers create and store the rest.

If we have this one password and in the best case change it occasionally, we are on the safe side.

Here's an open secret on how to create long, complex passwords and remember them on the first try:

WordPress Brute Force Complex Passwords
Credit: xkcd.com 

This means we can memorizethis XKCD comic stripand create a long password using one of the following patterns:

Train seat+field path-7eye shot

Or we use complete sentences with a little extra complexity:

I_like_spinach_only_3_times_a_day

We have created a relatively meaningless phrase consisting of special characters and a number, which is very very difficult to guess and yet memorable at the same time (extra points for the rhyme). This is also called a passphrase.

Many password managers, such as BitWarden, create such memorable but complex passphrases for you.

Additionally create a secure username

As mentioned above, 50% of your access is the username.

If an attacker knows this part of the access, then he's halfway through. The only thing left is the password. So don't use usernames like admin, administrator or your name, don't use the name of the website or the domain or anything that has to do with the site itself. 

example

If your site is www.ireallylovecats.com, don't take a name that involves anything to do with cats

Better yet, take the same password trick from above and use a long sentence and add complexity like asphalt/can/also/with/7/spices.

Create password at Raidboxes

Create a password and username with maximum length (in WordPress currently 60 characters for the username, 64 characters for the password, see database properties) and various letters, numbers and special characters - then just use the Single Sign On in Dashboard. Secure login with one click.

Action 4 - security plugins

Advice - all-rounder plugins

Protection: 🔒🔒🔒🔒

Technical effort: 🛠️🛠️ to 🛠️🛠️🛠️

There are a lot of WordPress security plugins on the market, for example:

All these security plugins offer built-in brute force protection and much more. For most WordPress websites, installing and maintaining these plugins will be sufficient protection. Likewise, configuration and maintenance is minimal.

Nevertheless, plugins come with a (in most cases minor) disadvantage: the load of the server by brute force can not be reduced by such plugins. These plugins need a PHP process for checking whether it is a valid access, whether the IP is not on the blocklist

All this puts a load on the server per request. Of course, this is still less than a login attempt itself - and until the server is really affected, the attack must take on almost D/DOS dimensions - but it should not be ignored.

But let's go back to the many advantages of plugins. When always kept up to date, new attacks are quickly detected and mitigated without you having to do anything yourself.

Advice - hide WP login

Protection: 🔒

Technical effort: 🛠️

"Security through obscurity" is a phrase often cited in security for this approach.

It ultimately means trying to stop attacks by simply disguising a problem. This works well in a few cases, since brute force attacks do not go through the login form, but use query parameters to start the login attempts.


Just because the default URL like /wp-admin or /wp-login.* is not accessible, these attacks will not stop.

Conclusion

Hopefully, I was able to explain the different types of brute force attacks and give you advice on how to protect your WordPress from them in the future. If you have any further questions, please feel free to comment!

Did you like the article?

Your rating helps us improve our future content.

Post a comment

Your email address will not be published. Required fields are marked with *.