How to Protect Your Website From Brute Force Attacks

Brute Force Attacks are the simplest method attackers use to gain access to a website. These Internet “bullies” try username and password combinations over and over, usually with automated tools (“bots”) that work through lists of common passwords or generate candidate strings, until one of them works. Their easiest targets? Sites whose users pick simple passwords like “123456” and usernames like “admin”.

Because every guess is a separate HTTP request, an attack like this can send thousands of requests in a short time. The host server’s memory and CPU use climb, your website slows down, and in some cases, like a website we had to rescue and restore recently, it stops responding altogether.

A strong password protects not only your website, but potentially the entire server on which it is hosted. An attacker who gains access to your website can, and in all likelihood will, install malicious scripts, and on shared hosting where accounts are not isolated from one another, those scripts can be used to compromise every other website hosted on the same server.

How to Protect Yourself

A common attack point on CMS (Content Management System) websites, such as those built in WordPress, Joomla or Drupal, is the login page (wp-login.php on a WordPress site, for example): attackers hammer it with login requests until a guess succeeds, or the host server stops responding under the load.

Here are some things you can do (and NOT do) to protect yourself:

Don’t Use “admin” for a Username

Older versions of WordPress created an “admin” account by default, so it is the first username every attack tool tries. If you are using this username, or any username that is easy to guess, make yourself a new administrator account, log in as the new account, and delete the old “admin” account. When you delete it, WordPress asks what to do with its content; choose to attribute all of its posts to the new account rather than deleting them.

Do Use Strong Passwords

The goal of any password is to make it hard for others to guess and, in the case of your CMS website, to make a Brute Force Attack take far longer than any attacker is willing to wait. WordPress has a password strength meter that tells you whether a new password is adequate. If it “tells” you that a password you are making is weak or medium, change it to something stronger. There are a number of automatic password generators, such as Strong Password Generator, you can use to create secure passwords; better still, let a password manager generate a long random password and remember it for you, so you never have to pick one you can memorise.

Don’t Use Passwords That Are:

  • Your own name, company name, website name or any variation of these.
  • A word from a dictionary, in any language, with or without a few digits tacked on the end.
  • Short (fewer than about 12 characters).
  • Made up of numbers only or letters only.
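To make the rules above concrete, here is an added example, written for this article and not code from WordPress or any plugin, that checks a candidate password against them and estimates how long a brute-force attack would need to exhaust passwords of that strength. The COMMON_WORDS set is a constructed stand-in for a real dictionary or leaked-password list, and the 12-character and 60-bit thresholds are assumptions of this example, not WordPress defaults.

```python
import math
import re

# Constructed stand-in for a real dictionary / leaked-password list
# (assumption: in practice you would load a wordlist from a file).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "monkey"}


def estimated_bits(password):
    """Rough entropy estimate: log2(alphabet size) per character, where the
    alphabet is the union of the character classes that actually appear.
    Optimistic for human-chosen passwords, but enough to rank candidates."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every password of this strength."""
    return 2 ** bits / guesses_per_second


def check_password(password, site_terms, min_length=12, min_bits=60):
    """Apply the article's rules. `site_terms` holds your name, company and
    site name. Returns the list of violations; an empty list means it passes."""
    problems = []
    # strip case and punctuation so "Smelly-Cat" still matches "smellycat"
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    for term in site_terms:
        t = re.sub(r"[^a-z0-9]", "", term.lower())
        if t and t in normalized:
            problems.append(f"contains personal/site term '{term}'")
    if any(w in normalized for w in COMMON_WORDS):
        problems.append("contains a dictionary/common password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.isdigit():
        problems.append("numbers only")
    elif password.isalpha():
        problems.append("letters only")
    bits = estimated_bits(password)
    if bits < min_bits:
        problems.append(f"only about {bits:.0f} bits of entropy (want {min_bits})")
    return problems


if __name__ == "__main__":
    # assumed attacker speed: a billion guesses per second against a stolen hash;
    # an online attack against the login page is many orders of magnitude slower
    for candidate in ["123456", "Tr0ub4dor&3", "correct horse battery staple"]:
        bits = estimated_bits(candidate)
        print(f"{candidate!r}: {bits:.0f} bits, "
              f"{seconds_to_exhaust(bits, 1e9):.3g} s to exhaust, "
              f"problems={check_password(candidate, ['Smelly Cat'])}")
```

The entropy figure is only an upper bound: a password built from dictionary words has far fewer effective bits than the character-class calculation suggests, which is why the word-list check runs alongside it.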

What Else Can You Do?

Make sure all your plugins and installed themes are up to date. If you have a Joomla or Drupal site, make sure its modules and components are up to date. Also make sure you are running the current release of WordPress, Joomla or Drupal itself. And keep both the website files and the database backed up, in case you ever have to restore the site!

If you have a WordPress website, there are plugins that limit the number of login attempts allowed from one address, or block access to the dashboard (AKA the backend) entirely. One plugin we have been testing that does both is WordFence. After testing it on a few websites, including our own, the Brute Force Attacks have all but disappeared. On one website we had to restore recently because of a Brute Force Attack on the host server, we installed the pro ($39/year) version of WordFence, which also allows for country blocking. Within two days of the plugin installation and configuration, the Brute Force Attacks on the website went from 10 or more per day to zero.
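The attack described above leaves a recognisable trace in the web server’s access log: bursts of POST requests to the login endpoint from a single address. The following added example (ours, not code from WordFence or WordPress) scans access-log lines for that pattern, so you can see for yourself whether a site is being hammered, before and after installing a plugin. It assumes the Apache/nginx combined log format, treats /xmlrpc.php as a login endpoint as well because WordPress accepts credentials there too, and uses a constructed sample log with TEST-NET addresses; the 10-attempts-in-5-minutes threshold is likewise an assumption of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed Apache/nginx "combined" log format (the article does not specify one).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WordPress accepts credentials on both endpoints; /xmlrpc.php is added here as
# an assumption, the article itself only talks about the login page.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop any query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforcers(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: peak_attempts} for every IP that POSTs to a login endpoint
    at least `threshold` times inside any `window` (sliding over sorted times)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path in LOGIN_PATHS:
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# --- constructed sample log (TEST-NET addresses, not real traffic) ---
def _line(ip, ts, method, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'

_base = datetime(2014, 5, 20, 3, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # a real user: loads the form, logs in once (WordPress redirects with 302 on success)
    [_line("198.51.100.4", _base, "GET", "/wp-login.php", 200),
     _line("198.51.100.4", _base + timedelta(seconds=20), "POST", "/wp-login.php", 302)]
    # a bot: twelve guesses in under two minutes; a failed login re-renders the form with 200
    + [_line("203.0.113.7", _base + timedelta(seconds=7 * i), "POST", "/wp-login.php", 200)
       for i in range(12)]
    # a few guesses through XML-RPC, below the threshold
    + [_line("203.0.113.9", _base + timedelta(seconds=3 * i), "POST", "/xmlrpc.php", 200)
       for i in range(4)]
    + ["this line is not in combined log format and is skipped"]
)

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 5 minutes")
```

On a live server, pass the open log file instead of SAMPLE_LOG (for example `find_bruteforcers(open("/var/log/apache2/access.log"))`) and feed the flagged addresses to your firewall or plugin block list. Counting per IP is a floor, not a ceiling: attackers who spread guesses across many addresses stay under any per-IP threshold, so it is worth counting per target username as well.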

If you are concerned that your website or server may be compromised by one of these Internet bullies, or if you just want to “bully-proof” yourself against a Brute Force Attack, contact us today and let’s talk.


About smellycat

