If you’ve never been the victim of a Brute Force Attack, be grateful. And then take steps to prevent it from happening to you.
As a person who has been using WordPress since 2006, I’ve been subjected to this more than once, and it’s frustrating and scary. So let’s start from the beginning.
What is a brute force attack?
A brute force attack is a cyberattack where a hacker tries to break into your website, server, account by systematically submitting passwords repeatedly until one is right. Usually this is done with a bot programmed to randomly enter phrases until one works.
This is not a new thing, it’s been around a long time but it keeps happening because it works. And the #1 reason it works is because people, no matter how many times I lecture them on this topic, insist on using poor passwords. Strong passwords make it much less harder for a brute force attack to be successful.
But even if the brute force doesn’t get in, it’s still troubling because that many attempts to break into a site can use up your server resources and crash your site!
What should you be doing to be proactive against brute force attacks?
Since strong passwords only thwart brute force success, they don’t stop attempts, we need to be both proactive about having strong passwords as well as stopping hackers from even attempting to brute force their way into our websites.
Use Good Web Hosting
When it comes to web hosting, you get what you pay for. If you’re using a $4 a month host, then don’t expect them to be watching or preventing any type of brute force attacks on your site. A good host, particularly one who specializes in WordPress, is going to be on top of that.
Set up Good Security
I use a plugin called iThemes security on sites I create. (Unless they are hosted on a web host that takes care of security already.) This plugin lets you do a number of things to secure your site, but it also has the ability to block brute force attacks.
This has two layers to it – one is local brute force protection. What local protection means is that it prevents people from brute forcing their way into your site based on the configuration of your choosing.
These settings allow you to pick when a user gets stopped from getting in. How many times can they try before they get blocked? Once blocked, how long are they locked out? And my favorite, automatically banning anyone who tries to login with the username of “admin.”
Protip: If your username is admin, change it right now. Go ahead, I’ll wait. You will either have to do it by logging into the database on your server OR you can create a new account with a new username and delete the old one. (And remember, you can’t be logged into the account you’re trying to delete.)
Ok, good, glad you got that fixed up. Admin is the #1 most common username for WordPress sites, so it’s what hackers tend to use to try to break in. If you can ban anyone who tries to login with it, then you are going to stop a lot of attacks.
Next, iThemes also has a Brute Force Network. What this means is that users who have tried to hack into other sites are prevented from trying to get into your site too. You just have to add your site to the network and you’re protected. (It’s just one click!) So definitely take that step.
A few other options:
- Turn on two-factor authentication. What this means is that you can’t login with just a login and password, you have to go through another layer of security to get in, such as using your phone or entering a PIN. iThemes has Two-Factor, but you do have to upgrade from the free version to the pro version to get it. If you want it for free, there are plugins you can add, such as Shield Security and Google Authenticator.
- Use Cloudflare. Cloudflare is company that provides a variety of services, such as firewalls, security and CDNs. And the best part? Is has a free level so you can get many of these protections at no cost. Some web hosts even let you activate it right through your control panel.
Most people never think about brute force attacks until they’ve been a victim of one. You wouldn’t wait to install a smoke detector after your house burns down, so don’t want to protect your site until after it crashes from brute force attacks. Protect yourself now.
Need help? Contact us today for a quote to find out how we can help secure your site.
Amy Masson
Amy is the co-owner, developer, and website strategist for Sumy Designs. She's been making websites with WordPress since 2006 and is passionate about making sure websites are as functional as they are beautiful.