WordPress Support

What is a Brute Force Attack?

Posted on by mjrj9

Unlike hacks that emphasis on weaknesses in programming, a Beast Power Assault targets being the least difficult sort of technique to access a site: it attempts usernames and passwords, again and again, until it gets in. Frequently considered ‘inelegant’, they can be extremely effective when individuals use passwords like ‘123456’ and usernames like ‘admin. WordPress Support

They are, so, an assault on the most vulnerable connection in any site’s security… you.

Due to the idea of these assaults, you may discover your worker’s memory goes through the rooftop, messing execution up. This is on the grounds that the quantity of http demands (that is the occasions somebody visits your site) is high to such an extent that workers run out of memory.

This kind of assault isn’t endemic to WordPress, it occurs with each webapp out there, yet WordPress is mainstream and along these lines a successive target.

Protect Yourself 

A common attack point on WordPress is to hammer the wp-login.php file over and over until they get in or the server dies. You can do some things to protect yourself.

Don’t use the ‘admin’ username 

The majority of attacks assume people are using the username ‘admin’ due to the fact that early versions of WordPress defaulted to this. If you are still using this username, make a new account, transfer all the posts to that account, and change ‘admin’ to a subscriber (or delete it entirely).

You can also use the plugin Change Username to change your username.

Good Passwords 

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

You can use the Force Strong Password plugin to force users to set strong passwords.

Things to avoid when choosing a password:

  • Any permutation of your own real name, username, company name, or name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.

To further increase the strength of your password, you can enable Two Step Authentication to further protect your blog.

Plugins 

There are many plugins available to limit the number of login attempts made on your site. Alternatively, there are also many plugins you can use to block people from accessing wp-admin altogether.

Protect Your Server 

If you decide to lock down wp-login.php or wp-admin, you may find you get a 404 or 401 error when accessing those pages. To avoid that, you will need to add the following to your .htaccess file.

ErrorDocument 401 default

You can have the 401 point to 401.html, but the point is to aim it at not WordPress.

For Nginx you can use the error_page directive but must supply an absolute url.

error_page  401  http://example.com/forbidden.html;

On IIS web servers you can use the httpErrors element in your web.config, set errorMode="custom":

<httpErrors errorMode="Custom">
 <error statusCode="401"
 subStatusCode="2"
 prefixLanguageFilePath=""
 path="401.htm"
 responseMode="File" />
</httpErrors>

Password Protect wp-login.php 

Password protecting your wp-login.php file (and wp-admin folder) can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses ajax on the front end, it’s usually sufficient to just protect wp-login.php.

To do this, you will need to create a .htpasswd file. Many hosts have tools to do this for you, but if you have to do it manually, you can use this htpasswd generator. Much like your .htaccess file (which is a file that is only an extension), .htpasswd will also have no prefix.

You can either put this file outside of your public web folder (i.e. not in /public_html/ or /domain.com/, depending on your host), or you can put it in the same folder, but you’ll want to do some extra security work in your .htaccess file if you do.

Speaking of which, once you’ve uploaded the .htpasswd file, you need to tell .htaccess where it’s at. Assuming you’ve put .htpasswd in your user’s home directory and your htpasswd username is mysecretuser, then you put this in your .htaccess:

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>
# Protect wp-login.php
<Files wp-login.php>
  AuthUserFile ~/.htpasswd
  AuthName "Private access"
  AuthType Basic
require user mysecretuser
</Files>

The actual location of AuthUserFile depends on your server, and the ‘require user’ will change based on what username you pick.

If you are using Nginx you can password protect your wp-login.php file using the HttpAuthBasicModule. This block should be inside your server block.

location /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file .htpasswd;
}

The filename path is relative to directory of nginx configuration file nginx.conf

The file should be in the following format:

  user:pass
  user2:pass2
  user3:pass3

Unfortunately there is no easy way of configuring a password protected wp-login.php on Windows Server IIS. If you use a .htaccess processor like Helicon Ape, you can use the .htaccess example mentioned above. Otherwise you’d have to ask your hosting provider to set up Basic Authentication.

All passwords must be encoded by function crypt(3). You can use an online htpasswd generator to encrypt your password.

mjrj9

Leave a Reply

Your email address will not be published. Required fields are marked *