Introduction to Brute Force Attacks
Today we published a new Learning Center article focused on brute force password-guessing attacks.
This introductory article is perfect for any site owner who wants to understand more about how attackers operate and what is motivating them.
What is a Brute Force Attack?
Fundamentally, a brute force attack is exactly what it sounds like: a means of breaking into the back end of a website with relentless successive attempts.
For example, with a brute force attack on WordPress websites, a hacker trying to compromise your website will attempt to break into your site admin area by trial and error, using thousands of possible username/password combinations.
This is usually accomplished with automated software specifically designed to generate and then try countless combinations one after the other, over and over, with the aim of finding a needle-in-a-haystack combination that will let them into your WordPress admin area.
From there, they can wreak havoc on your site to their heart's desire.
How Do Hackers Use Brute Force Attacks Against Websites?
Brute force attacks are difficult, if not impossible, to carry out manually.
Instead, hackers write simple scripts, called bots, that carry out thousands of these break-in attempts against websites on autopilot.
Typically, these bots are custom written by the attackers or found on the internet, and designed to be easily distributed across many hacked machines.
These groups of bots, or botnets, work in conjunction with other commonly accessible tools that either generate thousands of passwords or use a wordlist.
The latter is often referred to as a dictionary attack because of its reliance on dictionaries, or long lists of words, to try as passwords and/or usernames on your website.
These lists can be reused by many hackers over and over.
Writing this type of code is very simple, entry-level programming, so it's quite accessible to virtually anyone who may want to try their hand at writing malicious code.
The tasks the bot must carry out are very basic from a programming perspective: it must set up some parameters (e.g. access your site login form), perform a request (try a username/password combination), check the response (whether it worked to sign in to your WordPress admin), and then repeat until it's successful.
Brute force attacks on your site can continue indefinitely, until the bot either discovers a username/password combination that will let the attacker into the back end of your website, or the bot runs out of passwords to check.
What Do Hackers Get Out of It?
Once attackers have gained access to your website, they can use its files and the web host server to cause a wide variety of damage through malicious behavior, including but not limited to:
Defacement: your site can display unwanted and sometimes malicious content, your own content may be deleted, and your website can be taken down altogether.
Malware distribution: your site pages may infect your visitors with malware, ransomware and viruses.
Spamvertising: your website may display spam content and/or links to spam websites.
Redirection: accessing your domain name may cause your visitors to be redirected to malicious websites, or to pages that contain affiliate links and make money for the hackers.
Stealing system resources: by using your web server’s resources, attackers carry out tasks such as email campaigns and content delivery on your dime.
Fun: it may be hard for some people to imagine, but some attackers, particularly younger ones, are simply bored and find the act of hacking into strangers’ websites entertaining, particularly in the case of brute force attacks, which are relatively simple to learn and carry out.
How Do I Best Protect My Site?
The first and best line of defense against brute force attacks is to have a very strong username and password combination.
Don't use "admin" or an easily guessable admin username such as the URL of your website or "webmaster".
Delete any admin-level accounts you don't need. This removes accounts that could be compromised.
Because many brute force attacks work with a preset list of dictionary words as a password list, the crucial and primary goal is to have a password that isn't easily guessable.
Use a password generator to create long, strong and random passwords for your WordPress admin accounts, and then rotate those passwords regularly, for example, every 60-90 days.
Enabling two-factor authentication on all your admin accounts is an excellent way to prevent brute force attacks because even if an attacker guesses your password, they don't possess your mobile device, so they can't sign in.
It is worth noting, though, that if you have XMLRPC enabled, attackers can use it to bypass your two-factor authentication because the WordPress platform does not provide a way to support two-factor authentication via XMLRPC at present.
Wordfence protects your site against brute force attacks by:
Strictly limiting the number of login attempts an attacker can make via the standard login page, XMLRPC, and any other authentication method.
Blocking well-known brute force attackers by using a continually updated IP blacklist, if you are using Wordfence Premium.
Providing two-factor authentication for your standard login page.
Providing advanced manual blocking tools for site admins who are under attack.
With these measures in place, your website will be well protected against brute force attacks and it will be virtually impossible for an attacker to compromise any of your accounts through this kind of attack.
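To see what limiting attempts across the standard login page and XMLRPC means in practice, here is an added example (not part of the original article and not Wordfence's code) that scans web server access log lines and flags IPs posting to either endpoint too often. The threshold of 5 attempts, the 5-minute window, the function names and the sample log are assumptions chosen for illustration; the log is assumed to be in Combined Log Format and in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Authentication endpoints the article names: standard login page and XMLRPC.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")
# Start of a Combined Log Format line: ip - user [time] "METHOD path proto"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def find_bruteforce_ips(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: peak attempts in any window} for IPs above max_attempts.

    Attempts are counted per IP across all auth endpoints together, so a
    client alternating between wp-login.php and xmlrpc.php is still caught.
    """
    recent = defaultdict(deque)  # ip -> attempt times inside the window
    peak = defaultdict(int)      # ip -> largest window population seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith(AUTH_PATHS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_attempts}

def sample_log():
    """Constructed log lines (documentation IPs), not real traffic."""
    lines = []
    for i in range(8):  # 8 POSTs in 35 seconds, alternating endpoints
        path = "/wp-login.php" if i % 2 == 0 else "/xmlrpc.php"
        lines.append(f'203.0.113.7 - - [10/Mar/2024:12:00:{i * 5:02d} +0000] '
                     f'"POST {path} HTTP/1.1" 200 4521 "-" "-"')
    lines.append('198.51.100.20 - - [10/Mar/2024:12:01:00 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('198.51.100.20 - - [10/Mar/2024:12:01:02 +0000] '
                 '"GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(find_bruteforce_ips(sample_log()))
```

The detector counts attempts rather than failures, so a legitimate admin who signs in once stays far below the threshold, while a per-endpoint counter would have seen only four attempts on each path from the noisy client.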