Brute force attacks refer to a trial and error method used to discover username and password combinations in order to hack into a website. The brute force attack method exploits the simplest form of gaining access to a site: by trying to guess usernames and passwords, over and over again, until they’re successful.
How Brute Force Attacks Work
The brute force attack process is often referred to as exhaustive search. An attacker will systematically check unlimited passwords until the correct one is found.
Software has been developed to aid an attacker in this process. Success depends on the computing power and number of combinations attempted.
Depending on your server settings, an attacker can go through 1000 different password variations in a minute.
Ways to Prevent Brute Force Attacks
As a user on a website, you are more dependent on the security measures that have been taken by the website owner. One thing you can control is the strength of the password you create.
- Make a habit of using a different password for every site you use.
- Use a combination of lower and uppercase letters, symbols and numbers.
- Change your passwords often. Change it immediately if a company, you have a registered online account with, informs you they were hacked or compromised.
- Although it is convenient, avoid “Log in with Facebook” or other social media platforms.
- Limit the number of login attempts.
- Use a captcha for logins.
- Offer a two-factor authentication login option.
Are Your Passwords Providing Good Security?
Using strong passwords for all your logins is one of the best online security practices you can develop.
The best practice to follow is creating a different password for every sing website you are registered on. Definitely don’t use the password you use for your bank account on another site.
An average of 30,000 sites are hacked every day.
This should give you an idea of how many people are affected by cyber attacks, and motivate you to use stronger passwords.
Top 7 Passwords of 2016
If you have one of these passwords, you are welcoming brute force attacks. You should change your password ASAP.
Why Passwords Matter
Let’s say you have an account on some website and you’re not too worried if someone gains access to your password because this particular account doesn’t have any useful information.
Imagine that “useless” site get’s hacked and now the attacker has your password to that account.
Even though that specific site may be useless to a hacker, your password isn’t.
Let’s say you use that same password on an online shopping site, the hacker now has your password to your account, which has your payment information. Now you have a big problem you have to deal with.
This is why it is important to have different passwords for each website you are registered on.
If you are thinking keeping up with 20 different passwords is ridiculous and you would rather just take your chances, you should check out a secure password management tool like LastPass.
Using a WordPress Security Plugin to Protect Your Website
WordPress website owners should be concerned about brute force attacks. Why?
- Early versions of WordPress defaulted to the username ‘admin’ and many people either forget or neglect to change it.
- WordPress does not automatically limit the number of failed login attempts, which can be a big vulnerability for brute force attacks.
Fortunately, there are WordPress security plugins to help with these security issues.The iThemes Security plugin offers WordPress brute force protection in addition to multiple other WordPress security features.
- To enable brute force protection, open ‘Settings’ in the iThemes Security menu in your WordPress dashboard.
2. In Settings, you will find a list of all the different features the plugin offers. Open ‘Local Brute Force Protection.’
Local brute force protection looks only at attempts to access your site. Users are banned per the lockout rules specified locally on your WordPress site.
Here you are able to customize the security details for brute force attacks.
By default, there is a max login attempt of 5 per host and 10 per user. Feel free to increase or decrease these numbers, this is just what we suggest.
You can also increase or decrease the amount of time someone will be locked out of the site after the maximum login attempts.
The ‘Automatically ban ‘admin’ user’ checkbox is not selected by default. I suggest going ahead and doing so after you change your username to something other than ‘admin.’
Doing so will immediately ban a host that attempts to login using the “admin” username.
3. Once you have finished up Local Brute Force Protection settings, save them and move on to Network Brute Force Protection.
Network brute force protection takes it a step further by banning users who have tried to break into other sites from also breaking into yours.
In the most updated version of iThemes Security, an API key is automatically applied for you.
I suggest you also make sure the box to automatically ban IPs that are recognized to be problematic, is checked.
When you save your setting here, an email will be sent to you confirming your API key. You don’t need to do anything else with this, but you can keep the email for your records.
For more tips on WordPress security, check out the free ebook WordPress Security, a Pocket Guide.
Protect Yourself From Brute Force Attacks
Brute force attacks exploit the simplest method of gaining access to a site. You can prevent this with the information provided. Taking time to secure your site is important, and creating strong passwords to reduce the risk of brute force attacks will allow you to rest easy.
Life does happen and you may fall victim to a cyber attack. Do what you can now to protect yourself online.