In the world of Cyber crimes, brute force attack is an activity which involves repetitive successive attempts of trying various password combinations to break into any website. This attempt is carried out vigorously by the hackers who also make use of bots they have installed maliciously in other computers to boost the computing power required to run such type of attacks.
So, what is a Brute Force Attack then?
A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in. This repetitive action is like an army attacking a fort.
Now, you’ll think: “Wow that’s easy, I can do that too.”
You can try it out for sure!
Usually, every common ID (for e.g. “admin”) has a password. All you need to do is try to guess the password. Let’s say if it’s a 2-digit-pin, you have 10 numeric digits from 0 to 9. This means there are 100 possibilities. You can figure this out with pen and paper like Mr. Bean who tried to find correct last two digits of the phone number of the lost kid’s father in the movie, Mr. Bean’s Holiday.
But, the truth is that no password in the world consists of only 2 characters. Even, the pin numbers (a sort of password) used on mobile phones or in a bank consist of minimum 4 characters.
And, on the internet, 8 is generally the standard number for shortest length of a password. Furthermore, complexity is added as alphabets are added within a password to make it more secure. By the way, alphabets can be used in both UPPER and lower cases, thus making a password case sensitive.
Let’s say if we have an alphanumeric 8-character password, how many possible combinations could be made? There are 26 alphabets in English. Double them for both UPPER and lower cases and the count settles on 26+26 = 52.
Then we add the numeric digits: 52+10 = 62
So, we have 62 characters in total.
For 8-character-password, it will be 628 which will make 2.1834011×1014 possible combinations.
If we attempt 218 trillion combinations at one try per second, it would take 218 trillion seconds or 3.6 trillion minutes. To put it simply, just around 7 million years would be required to crack the password with the final combination. Surely, it can take less, but 7 million years is the maximum time limit to crack an alphanumeric 8-character password.
Well, you ain’t gonna live that long.
Then, how it can happen?
Well, if you are interested in cracking passwords, you will have to use computers. To do that, you need to write some simple lines of code. Such programming skills are basic to any coder.
Now, suppose that you have developed a password breaking program that tries 1,000 combinations per second. The time reduces to 7 thousand years.
Well, you need a supercomputer. So, let’s say you get a supercomputer that can try 1×109 attempts per second. In just 22 seconds, all 218 trillions attempts will be tested. (Hopefully, you’ll be inside the account, but if the password is 9 characters long, you’ll have to wait for a few more moments.)
Computing resources of this kind are not available to common people. However, password hackers are not common people. They can collect computing resources by different means, for e.g. by developing a powerful computing engine via software, etc.
Furthermore, the calculation above is for all the possible combinations of an 8-character-password. But, what if your password is the 10th combination or the 100th combination? This is why it is essential to have additional layers of security in order to detect and deflect any password breaching attempt.
Hacker’s motive behind the act.
Behind brute force attack, hacker’s motive is to gain illegal access to a targeted website and utilize it in either executing another kind of attack or stealing valuable data or simply shut it down. It is also possible that the attacker infect the targeted site with malicious scripts for long term objectives without even touching a single thing and leaving no trace behind. Therefore, it is recommended to run frequent scans and follow best practices to secure your WordPress site.
That’s scary! What to do now?
There are many tools available for securing different applications which will deny a user after a predefined number of attempts.
Recently, an exponential increase in brute force attacks has been observed. These attacks emerge from multiple countries around the world and they are getting more sophisticated with each passing day. Therefore, we should all try to be vigilant.
WordPress is a widely used open source web development platform. Over 30% of the websites are powered by this platform. Due to its popularity, it is also a favorite target of hackers. In order to accommodate maximum number of security parameters; I have listed down a few effective techniques to prevent your WordPress site from Brute Force attack.
How Can I Prevent It?
Yes, you can take some precautionary measures:
- Password Length.
- Password Complexity.
- Limit Login Attempts.
- Modifying .htaccess file.
- Using Captcha.
- Two Factor Authentication.
The first step towards Brute Force Attack prevention should be longer password length. Nowadays many websites and platforms enforce their users to create a password of certain length (8 – 16 characters).
Another important thing is to create a complex password. It is not recommended to create passwords like ‘ilovemycountry’ or ‘password123456’; instead your password should consist of UPPERCASE and lowercase alphabets and should also have numbers and special characters. Complexity of the password delays the cracking process.
Limit Login Attempts:
Simple yet very powerful action is to limit the login attempts on your WordPress admin or any other admin panel for that matter. For example if your website receives five failed login attempts; it should block that IP for a certain period of time to stop further attempts being made.
Modifying .htaccess file:
Adding a few rules in .htaccess file can further harden the security of your WordPress site. Objective is to allow access to wp-admin to only specific IP addresses listed in .htaccess file.
To do so, open your .htaccess file and modify it like:
<Files /wp-login> order deny,allow allow from IP1 allow from IP2 deny from all </Files>
IP1 and IP2 will be the IPs you allowed access to.
Captchas are now commonly used in websites. They prevent bots from executing automated scripts mainly used in Brute Force attack. Installing captcha in your WordPress site is fairly easy.
Install Google invisible reCaptcha plugin and link in to your Google account. Now go back to plugin setting page and define the places where you would like the user to get captcha first before performing the actual task. This plugin also supports WooCommerce, BuddyPress and custom forms.
For additional information please refer to the WordPress security with Google Invisible reCaptcha plugin.
Two Factor Authentication:
Two Factor Authentication is an extra line of defence which can defend your account from Brute Force Attack. Chances of successfully executing Brute Force attack on 2FA protected sites are very thin. There are various ways to implement 2FA in your WordPress site. Easiest way is to use any of the top WordPress plugins for two factor authentication.
Cloudflare is a renowned service for WordPress that usually deals with CDN and caching. It also offers a protective shield against Brute Force Attacks. Through Cloudflare settings, user can set rules for accessing login pages and set Browser Integrity Check.
If you already use Cloudflare then I suggest you to check out this guide to protect your WordPress site from Brute Force attack.
Other best practices are:
- Unique password for each account.
- Frequent password change.
- Avoid sharing credentials through insecure channels.
Am I safe on Cloudways?
Yes. At Cloudways, we stay on our toes when it comes to server security. Our security system is capable of identifying brute force attacks and banning IPs being used in such attacks. Keeping servers managed on our platform is one of our main priorities.
During the past few months, we have patched servers for all the discovered security shortfalls, including popular ones like Heartbleed and GHOST.
Therefore, we are always at work to protect our Cloudways Platform and the servers hosted on it.