What are Brute Force Attacks and Why YOU Don't Have to Worry About Them

Exactly what is a “brute force” attack on a website? Just the name “brute force” conjures up a bad guy in a cheesy action movie, but for most websites a brute force attack is a serious threat.

What is a brute force attack?

A brute force attack is exactly what the name sounds like. There is no deep logic involved in guessing logins or passwords; it’s just a bot that starts with a login of “A” and a password of “A” and works from there. It patiently tries every combination of letters and numbers until it finds a login and password that work. When brute force attacks started, that was all there was to it. Over the years they have gotten more sophisticated, but at the core it’s still just a bot.

These days, attackers use bot networks to do this. Brute force attacks from a single computer were very easy to detect and block, so now a network of hundreds or thousands of computers works together to attack your site and guess a login and password.

Also, these days we have “dictionary tables”, which are just lists of passwords that have already been used, or of words that can be combined to make a password. A bot network can make thousands of guesses per second at a login and password. Your site is only as secure as the weakest password on it.

In addition to dictionary tables, attackers have gotten even smarter. When a site is hacked and all of its user info is pulled down, the logins and passwords from that site are added to the list to try. Attackers know that a lot of people don’t bother to create different logins and passwords for each site, so a login on one site is probably good on another.

How do you mitigate a brute force attack?

Well, there are two answers to this question.

If your website is not hosted with SiteGround

If you are not hosted with SiteGround, you need to start researching security plugins and configuring firewalls. We’ve talked about some of this in previous blog posts. You will need to:

Install an application firewall and properly configure it.
There are several good plugins in the WordPress plugin repository that will secure your site against brute force attacks and other types of attacks. The top 3-5 are well respected, and while I won’t recommend one here, you can probably find one that comes highly recommended and get it implemented. All of the good ones have a monthly fee associated with them, but that’s what it takes to protect your site.

Require strong passwords for all users
We’ve talked about passwords before but it bears repeating. Strong passwords are your first line of defense. Your users might not like it but it will keep your site and their data secure.

Require Two-Factor Authentication (2FA) for all logins
2FA mitigates brute force attacks 100% because the login and password are only 2/3 of the login procedure. For the final 1/3, you also have to have the person’s phone. That’s a game-ender for brute force attacks.

As with strong passwords though, users usually hate 2FA. You can limit 2FA to admin accounts, but if an attacker gets into your site through any account, you are compromised. So you have to decide which is more important, and that’s a bad choice to have to make.

Implement a password rotation policy that forces new passwords at least every 90 days
Another measure that is effective in helping prevent brute force attacks is requiring users to reset their passwords periodically. This is yet another thing that users hate, and if you do enough things in the name of security that users hate, you start to lose users. So it’s a tightrope you have to walk.

Bonus tip: Fail2Ban
In addition to all of those, my personal favorite tool is Fail2ban together with the WP fail2ban plugin. Properly configured (and it takes a developer or network admin to configure it properly), this combination can be a very powerful tool to prevent a brute force attack. Fail2ban is open source and free; the WP fail2ban plugin has a pro version that seems to be worth the money.

I don’t usually recommend specific plugins, but this one is unique. I have the free version installed on all my blogs that are not hosted on SiteGround, and it works wonderfully. I am strongly considering upgrading to the pro version.

WARNING: This plugin requires Fail2ban to be properly installed, configured, and working on your server. Fail2ban itself has a couple of requirements as well. This is not a trivial plugin to get working. If you are not a developer or very familiar with Linux, get help.
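The per-IP threshold that a Fail2ban jail applies, and the distributed botnet pattern described in the first section (many addresses each making only one or two guesses against the same account, which a per-IP ban never catches), as an added Python example that is not from this post or the WP fail2ban project. The log line wording, the constructed sample lines and the thresholds (maxretry=3, findtime=600, min_ips=4) are assumptions; check the wording against your own server’s auth log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style WP fail2ban sends to syslog (exact wording assumed; verify against your log).
SAMPLE_LOG = """\
Nov 01 10:00:01 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.5
Nov 01 10:00:02 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.5
Nov 01 10:00:03 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.5
Nov 01 10:01:00 web1 wordpress(example.com)[2211]: Authentication failure for editor from 198.51.100.10
Nov 01 10:01:01 web1 wordpress(example.com)[2211]: Authentication failure for editor from 198.51.100.11
Nov 01 10:01:02 web1 wordpress(example.com)[2211]: Authentication failure for editor from 198.51.100.12
Nov 01 10:01:03 web1 wordpress(example.com)[2211]: Authentication failure for editor from 198.51.100.13
Nov 01 10:30:00 web1 wordpress(example.com)[2211]: Authentication failure for editor from 198.51.100.14
Nov 01 10:05:00 web1 wordpress(example.com)[2211]: Accepted password for cal from 192.0.2.7
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)\[\d+\]: "
                     r"Authentication failure for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_failures(log_text):
    """Return (timestamp, user, ip) for each failed login; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog carries no year; 1900 is fine because only time differences are used below
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]))
    return events

def fail2ban_style_bans(events, maxretry=3, findtime=600):
    """Per-IP sliding window like a fail2ban jail: ban an IP after maxretry failures within findtime seconds."""
    window, recent, banned = timedelta(seconds=findtime), defaultdict(list), set()
    for ts, _user, ip in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned

def distributed_targets(events, min_ips=4, findtime=600):
    """Accounts hit from min_ips distinct addresses within findtime seconds: the botnet pattern per-IP bans miss."""
    window, recent, flagged = timedelta(seconds=findtime), defaultdict(list), set()
    for ts, user, ip in sorted(events):
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window] + [(ts, ip)]
        if len({i for _, i in recent[user]}) >= min_ips:
            flagged.add(user)
    return flagged

if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("banned IPs:", sorted(fail2ban_style_bans(evts)), "targeted accounts:", sorted(distributed_targets(evts)))
```

On the sample, only the single noisy IP gets banned, while the “editor” account is flagged because four different addresses tried it inside ten minutes; the fifth attempt at 10:30 falls outside the window, so a stricter min_ips=5 does not fire.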

If your website is hosted with SiteGround

If your site is hosted with SiteGround, go back to sipping your coffee. SiteGround has a full suite of tools already implemented, including AI to detect brute force attacks from bot networks. This doesn’t mean your site is 100% absolutely secure; nobody can get to 100% safe. It does, however, mean that this is one less thing you have to worry about.

Wrapup

Brute force attacks are well known and well understood. There are tools you can install that will mitigate the risk of them compromising your site. That said, your best bet is a hosting partner like SiteGround that deals with it for you, so that you can spend your time making your site more awesome.

Cal Evans

PHP Evangelist

One of the most admired people in the PHP community, who has dedicated more than 16 years to building the amazing PHP community and mentoring the next generation of developers. We are extremely honored that he is a very special friend of SiteGround too.

Comments ( 1 )

linda

Nov 01, 2021

wow! this was a really helpful read - thanks for sharing
