Brute Force Attack
A brute force attack is the simplest method of gaining access to a site or server (or anything on the network that is password protected). It tries combination after combination of usernames and passwords until one gets in. The most common applications of brute force attacks are cracking passwords and cracking encryption keys (keep reading to learn more about encryption keys). Other common targets are API keys and SSH logins.
The most basic brute force attack is a dictionary attack, in which the attacker works through a dictionary of likely passwords and tries every entry. Dictionary attacks rely on assumptions about which passwords are common, and they are somewhat outdated now that newer and more effective techniques exist. A computer manufactured within the last 10 years can brute force an 8-character password drawn from capital and lowercase letters, numbers, and special characters in about two hours.
Against WordPress, the attack is usually aimed at taking control of the admin account by guessing its username and password, so a brute force attack on WordPress usually hits the login page.
How to Defend Against Brute Force Attacks
Step 1: Increase password length and complexity
More characters mean more time to brute force, and more possible values for each character increase that time further. As the news has shown, an 8-character password is easy to crack. For this reason we recommend passwords of 13 characters or more, mixing capital and lowercase letters, numbers, and special characters for additional strength.
Step 2: Implement Captcha
A captcha is a common mechanism for verifying that a website visitor is a human, and it can stop a brute force attack in progress. WordPress has good plugins for adding a captcha to the login page. We suggest Google reCAPTCHA, because we believe no automated program can easily get past it.
List of some WordPress plugins:
- Google Captcha (reCAPTCHA) by BestWebSoft
- Login No Captcha reCAPTCHA
- Math Captcha
- Captcha Code
- Captcha by BestWebSoft
Note: To activate Google reCAPTCHA, first log into Google reCAPTCHA with your Google account. After registering your website, enter the Site Key and Secret Key it gives you into the plugin.
Step 3: Limit login attempts
A brute force attack drives up the count of failed login attempts, so a good defense is to lock users out after a few failed attempts. To limit failed login attempts, we recommend using a WordPress security plugin or a cloud-based CDN service. Cloud CDN services detect and repel attacks easily because they monitor the behavior of site users.
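The counter-and-lockout logic behind Step 3, as an added Python example that is not code from this page or from any of the plugins listed below. The `LoginLimiter` class, the thresholds and the sample login events are assumptions constructed for illustration; it tracks failures per username and per client IP separately, as real plugins and CDNs do.

```python
from collections import defaultdict

MAX_FAILURES = 5        # failures allowed inside the window before lockout (assumed)
WINDOW_SECONDS = 600    # failures older than this are forgotten (assumed)
LOCKOUT_SECONDS = 900   # how long a locked key stays locked (assumed)

class LoginLimiter:
    """Tracks failed logins per key (a username or a client IP) and locks
    the key out once too many failures land inside the window."""

    def __init__(self):
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # lockout expired: forget the history
            del self.locked_until[key]
            self.failures[key] = []
            return False
        return True

    def record(self, key, success, now):
        """Returns True if the attempt may proceed, False if the key is locked."""
        if self.is_locked(key, now):
            return False
        if success:
            self.failures[key] = []         # a genuine login clears the counter
            return True
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return True

def replay(events):
    """Feeds (time, username, ip, success) events through a per-IP and a
    per-username limiter; returns the times of the attempts that were rejected."""
    by_user, by_ip = LoginLimiter(), LoginLimiter()
    rejected = []
    for t, user, ip, ok in events:
        allowed = by_ip.record(ip, ok, t) and by_user.record(user, ok, t)
        if not allowed:
            rejected.append(t)
    return rejected

# Constructed sample: one client hammers "admin" every 10 s, then the real
# admin logs in from another address at t=100.
SAMPLE = [(i * 10, "admin", "198.51.100.7", False) for i in range(7)] + \
         [(100, "admin", "203.0.113.5", True)]
```

With this sample the fifth failure locks both the attacking IP and the `admin` username, so the two later attempts from that IP are rejected, and so is the genuine login at t=100 because the username itself is locked; that side effect is why per-username lockouts are usually paired with shorter windows or combined with per-IP limits.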
WordPress Security Plugins:
- Wordfence Security – Firewall & Malware Scan
- iThemes Security (formerly Better WP Security)
- All In One WP Security & Firewall
- Sucuri Security – Auditing, Malware Scanner and Security Hardening
- Jetpack by WordPress.com (a powerful all-in-one WordPress toolkit: stats, related posts, search engine optimization, social sharing, protection, backups, and security)
Ultimately, a cloud service such as Cloudflare can go a long way toward securing your WordPress site.