What are brute force attacks?
Brute force attacks are login-type attacks that use a trial and error approach to guessing usernames and/or passwords. In a brute force attack, the attackers use automation tools to send as many requests as possible in as short of a timeframe as possible. Invariably, the aim behind brute force attacks is to gain access to the system that is being attacked.
Brute force attacks come in different forms – each of which employs a different kind of strategy to increase its chances of success.
How do brute force attacks work?
Brute force attacks can work in different ways, allowing attackers to adapt to the environment and any information or insight they might have. The main types of brute force attacks are;
Simple
In a brute force attack, the attackers use every combination possible without any discrimination. While this is the least efficient form of a brute force attack, it makes sure it leaves no stone unturned by trying every possible combination conceivable under the sun.
Dictionary
Dictionary attacks are a smarter form of brute force attacks. They use a dictionary of passwords, trying each available entry sequentially.
Rainbow tables
WordPress, like many other web applications like it, hashes passwords, making them unreadable to humans without a key. Rainbow table attacks use a table of pre-hashed passwords matched to plaintext passwords, saving time and computing power.
Reverse
In reverse brute force attacks, attackers start with a known password before trying to guess the username through a brute force attack.
Credential stuffing
In credential stuffing, attackers use known username and password combinations to try and get a match with an existing user.
Why are brute force attacks dangerous
Brute force attacks can take on many forms, allowing attackers to adapt to any information they have. As such, brute force attacks, although not the most efficient, can be quite effective.
Through a brute force attack, attackers can gain administrative access to WordPress and change whatever settings or steal whatever information they please. This can lead to loss of revenue, compliance issues, and even loss of your website.
How WordPress websites can suffer brute force attacks
WordPress websites use username and password combinations to identify users that have an account on the system. This alone makes them susceptible to brute force attacks. Attackers can brute force attack WordPress website online or offline. In online attacks, the attackers will access the login page and carry out the attack directly. In offline attacks, the attackers must first get hold of session cookies or a database dump. The latter is by and large more difficult to accomplish, since it requires a previous breach.
How to protect your WordPress from brute force attacks
Fortunately, there are several ways you can protect your WordPress website from brute force attacks.
WordPress itself already has some anti-brute force features, including the use of SALTS that help mitigate the risks of a rainbow table brute force attack. However, since attacks can come in different forms, additional precautions should be taken to ensure your website is protected all around.
Use a strong password policy
A strong password policy can ensure users utilize strong passwords, making them that much harder to guess through a brute force attacks. WordPress login and password policy plugins such as Melapress Login Security also allow you to lock accounts after a number of failed logins, limiting the number of tries a potential brute force attack has to guess a given password.
Use CAPTCHA
CAPTCHA is a test designed to tell humans and computers apart. With brute force attacks being largely automated, a CAPTCHA plugin will help you make sure the attack fails before making the first try, leaving your website secure.
Use 2FA
2FA, short for two-factor authentication, requires users trying to login to your WordPress to enter a one-time password delivered to their phone. This can help you ensure that even if a brute force attack manages to guess a username and password combination, without the user’s phone they will still be unable to log in.
