A website is the face of a company, a brand or a person, so its security is a constant worry. You have to stay on top of your game to avoid a security incident that damages first the website and then the brand behind it. In this post I am going to address a question most clients ask:
“How to avoid repetitive password guessing attempts on the login page of a website?”
In technical terms, repetitive password guessing is a brute-force attack: the attacker keeps submitting passwords from a list until one works. When that list is made of dictionary words and commonly used passwords it is called a dictionary attack, and that is where most attackers start, because it is cheap and usually succeeds against weak accounts. Whether the attack succeeds depends on how long and unpredictable your password is, and on whether the attacker can guess the username. So lesson number one: NEVER use a dictionary word, or any commonly used password, as your website's password.
Now that you have set out to stop brute-force attacks on your website, the following four points are the basics and belong on your checklist:
- Set a Strong Password
- Lock out failing IP Addresses
- Change Login Link
- Add a Captcha on Login Form
Set a Strong Password
- The first thing to do is to force site users to choose strong passwords. You can install the Force Strong Passwords plugin together with WP Password Generator.
- Force Strong Passwords rejects a profile update or password reset if the new password is weak. WordPress's built-in password strength meter runs in JavaScript in the browser, so it is only advice: a user who disables JavaScript will not even see it, and a user (or a script) can submit any password regardless of what the meter says. Force Strong Passwords repeats the strength check on the server, where it cannot be skipped, and returns an error if the password is not strong enough.
- WP Password Generator, on the other hand, helps users by generating strong random passwords for them.
- If your site has a user called 'admin', rename it: it is the first username every brute-force script tries. WordPress does not let you change a username from the admin screens by default. You can use the Admin Renamer Extended plugin, or follow the steps provided here to rename the username manually.
- Additionally, you can make passwords expire after a predefined number of days, which can be done with the WordPress Password Expiry Plugin by WisdmLabs. It lets you set a password expiry period for specific website users. Keep in mind that forced rotation mainly limits how long a password that has already leaked stays useful; it does nothing against a fresh guessing attack, and users pushed to change too often tend to pick weaker, predictable variations.
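To show what "checking on the server" means in practice, here is an added example (written for this post, not code from Force Strong Passwords or any other plugin) that enforces a password policy on the profile screen, the Add New User screen and the password-reset form. The minimum length, the blocklist and the `bfex_` function names are illustrative assumptions; a real deployment would check against a large breached-password list rather than the six entries below.

```php
<?php
/**
 * Added example: server-side password policy for WordPress.
 * Hooks into profile updates, new-user creation and password resets, so
 * disabling JavaScript in the browser does not bypass it.
 * Drop this file into wp-content/mu-plugins/ to activate it.
 *
 * Assumptions: BFEX_MIN_PASSWORD_LENGTH and the blocklist are illustrative.
 */

const BFEX_MIN_PASSWORD_LENGTH = 12;

/**
 * Return the reasons a password is unacceptable; an empty array means it is OK.
 * Plain function with no WordPress dependencies, so it can be unit-tested alone.
 */
function bfex_password_problems( $password, $username = '', $email = '' ) {
    // Constructed blocklist for illustration only.
    static $blocklist = array( 'password', 'password123', 'letmein', 'qwerty', 'wordpress', 'admin123' );

    $problems = array();
    $length   = function_exists( 'mb_strlen' ) ? mb_strlen( $password ) : strlen( $password );

    if ( $length < BFEX_MIN_PASSWORD_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', BFEX_MIN_PASSWORD_LENGTH );
    }
    if ( in_array( strtolower( $password ), $blocklist, true ) ) {
        $problems[] = 'Password is on the list of commonly guessed passwords.';
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        $problems[] = 'Password must not contain the username.';
    }
    $local_part = strstr( (string) $email, '@', true );
    if ( $local_part && false !== stripos( $password, $local_part ) ) {
        $problems[] = 'Password must not contain your email address.';
    }
    // "aaaaaaaaaaaa" or "121212121212" satisfy the length rule but are trivial to guess.
    if ( count( array_unique( str_split( $password ) ) ) < 5 ) {
        $problems[] = 'Password uses too few distinct characters.';
    }
    return $problems;
}

/**
 * Profile and Add New User screens in wp-admin. $_POST['pass1'] holds the new
 * password; it is empty when an existing user saves the profile without
 * changing the password. Adding to $errors aborts the save.
 */
function bfex_check_profile_password( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $password = wp_unslash( $_POST['pass1'] );
    $username = isset( $user->user_login ) ? $user->user_login : '';
    $email    = isset( $user->user_email ) ? $user->user_email : '';
    foreach ( bfex_password_problems( $password, $username, $email ) as $message ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $message ) );
    }
}
add_action( 'user_profile_update_errors', 'bfex_check_profile_password', 10, 3 );

/**
 * Password reset form (wp-login.php?action=rp). WordPress only calls
 * reset_password() when $errors is still empty after this hook.
 */
function bfex_check_reset_password( $errors, $user ) {
    if ( ! ( $user instanceof WP_User ) || empty( $_POST['pass1'] ) ) {
        return;
    }
    $password = wp_unslash( $_POST['pass1'] );
    foreach ( bfex_password_problems( $password, $user->user_login, $user->user_email ) as $message ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $message ) );
    }
}
add_action( 'validate_password_reset', 'bfex_check_reset_password', 10, 2 );
```

The check lives in `bfex_password_problems()` and the two hooks only feed it the submitted value, so the same rules apply no matter which form the password arrives from. Because both `user_profile_update_errors` and `validate_password_reset` fire before anything is written, a rejected password never reaches the database.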
Lockout Failing IP Addresses
- Next, lock out IP addresses that rack up multiple failed login attempts. This slows a brute-force attack considerably, although an attacker who rotates through proxies or a botnet spreads the attempts over many addresses and may not be slowed much. We still recommend it: install the Limit Login Attempts plugin, which gives you several options for configuring lockouts (attempts allowed, lockout duration, notifications). One caveat: if your site sits behind a CDN or reverse proxy, every visitor reaches WordPress from the proxy's address, so configure the plugin to read the client address from the header your proxy sets; otherwise you will lock out the proxy itself, and with it every visitor.
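For readers who want to see how such a lockout works (and why the proxy caveat matters), here is an added example written for this post; it is not the Limit Login Attempts plugin's code. It counts failures per IP address in WordPress transients and refuses authentication while an address is locked out. The thresholds and the `bfex_` names are illustrative assumptions, and `BFEX_TRUST_PROXY_HEADER` is a hypothetical switch that must stay `false` unless a reverse proxy you control sets `X-Forwarded-For`.

```php
<?php
/**
 * Added example: per-IP login lockout for WordPress using transients.
 * Drop this file into wp-content/mu-plugins/ to activate it.
 *
 * Assumptions: thresholds below are illustrative. BFEX_TRUST_PROXY_HEADER is a
 * hypothetical switch; set it to true only behind a trusted reverse proxy/CDN,
 * otherwise any client can spoof X-Forwarded-For and dodge the lockout.
 */

const BFEX_MAX_FAILURES       = 5;     // failures allowed inside the window
const BFEX_WINDOW_SECONDS     = 900;   // 15 minutes
const BFEX_LOCKOUT_SECONDS    = 1800;  // 30 minutes
const BFEX_TRUST_PROXY_HEADER = false;

/** Client IP. Only honour X-Forwarded-For when a trusted proxy sets it. */
function bfex_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( BFEX_TRUST_PROXY_HEADER && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // The LAST entry is the one your proxy appended; earlier entries are
        // client-controlled and must not be trusted.
        $parts = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
        $ip    = trim( end( $parts ) );
    }
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function bfex_fail_key( $ip ) { return 'bfex_fail_' . md5( $ip ); }
function bfex_lock_key( $ip ) { return 'bfex_lock_' . md5( $ip ); }

/**
 * Count a failed login and start a lockout once the threshold is reached.
 * Attempts rejected by the lockout itself are not counted again.
 */
function bfex_record_failure( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'too_many_attempts' === $error->get_error_code() ) {
        return;
    }
    $ip       = bfex_client_ip();
    $failures = (int) get_transient( bfex_fail_key( $ip ) ) + 1;
    set_transient( bfex_fail_key( $ip ), $failures, BFEX_WINDOW_SECONDS );

    if ( $failures >= BFEX_MAX_FAILURES ) {
        set_transient( bfex_lock_key( $ip ), time() + BFEX_LOCKOUT_SECONDS, BFEX_LOCKOUT_SECONDS );
        delete_transient( bfex_fail_key( $ip ) );
        // Goes to the PHP error log, where fail2ban or a SIEM can pick it up.
        error_log( sprintf( 'bfex: locked out %s after %d failed logins (last username tried: %s)',
            $ip, $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'bfex_record_failure', 10, 2 );

/**
 * Refuse authentication while the address is locked out. Priority 30 runs
 * after core's username/password check (priority 20); hooking earlier would
 * not work, because core overwrites a WP_Error when the credentials are right.
 */
function bfex_block_if_locked( $user, $username, $password ) {
    $until = (int) get_transient( bfex_lock_key( bfex_client_ip() ) );
    if ( $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error( 'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}
add_filter( 'authenticate', 'bfex_block_if_locked', 30, 3 );

/** A successful login clears the failure counter for that address. */
function bfex_clear_on_success( $user_login, $user ) {
    delete_transient( bfex_fail_key( bfex_client_ip() ) );
}
add_action( 'wp_login', 'bfex_clear_on_success', 10, 2 );
```

Because the block sits on the `authenticate` filter rather than on the login page, it also covers credentials submitted through xmlrpc.php, which calls the same authentication path. The "trusted proxy" rule is the whole reason for `bfex_client_ip()`: with the switch left at `false` behind a proxy you would lock out the proxy's own address; with it set to `true` on a server reachable directly, an attacker can supply a fresh `X-Forwarded-For` value on every request and never get locked out.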
Change Login Link
- This is my personal favourite way of reducing brute-force attacks, and I know from experience that it works. To brute-force your website an attacker first has to locate the login page. Every WordPress site ships with the same login link, '/wp-login.php' (and '/wp-admin', which redirects there), so scripts can target it blindly. Changing that link makes the task harder for the automated, untargeted attacks that make up most of the noise. Be aware that it is obscurity rather than a control: xmlrpc.php accepts a username and password too and is not affected by a renamed login page, so keep the lockout and strong-password measures in place alongside it.
- With the Rename wp-login.php plugin you can change the login URL to something else. Make sure the new URL does not contain guessable words like 'dashboard', 'backend', 'admin', 'site-admin', 'site-login', 'login' and so on; a short random string is best.
- If your site has only a handful of users, changing the login link periodically also helps. Make sure you bookmark the new login link, though, and tell the other users.
Add a Captcha on Login Form
A CAPTCHA is a good way of stopping automated attacks, because the script has to solve a challenge before each guess is even checked. As it has been rightly said,
“When you combine the chance of an attacker sending a correct username and password guess with the chance of guessing the CAPTCHA correctly, even a simple CAPTCHA could prove effective.”
That is why we have an article on how to include a CAPTCHA on the login form. By following the steps in that article you will be able to display a CAPTCHA on the login form and validate it on the server when the form is submitted. Validating on the server is the part that matters: a check done only in the browser can be skipped by a script. If coding is not your forte, you can use the Captcha plugin to add a CAPTCHA to your forms.
Those were some basic steps to avoid brute-force attacks on your website. On the same note, you might also be interested in my articles on disallowing and blocking crawlers, spiders and bots from your website.
That's it for now! If you have any suggestions or questions, leave them in the comments section below 🙂