Unlike attacks that exploit a vulnerability in the software, a Brute Force Attack is the simplest possible way to gain access to a site: it tries usernames and passwords, over and over again, until one pair works. Often dismissed as 'inelegant', it succeeds remarkably often, because people still use passwords like '123456' and usernames like 'admin'.
It is, in short, an attack on the weakest link in any website's security: you.
Because of the way these attacks work, you may also see your server's memory and CPU usage go through the roof, causing performance problems. Every login attempt is a full HTTP request to the login page, and each one has to be processed by PHP and checked against the database. Once an attacker points a brute-forcing tool at your login page, your server is busy answering thousands of these requests.
If the attacker sends more load than the server can handle, the site becomes unavailable to everyone (a Denial of Service, or DoS). Your real visitors are the ones who notice, and they will not be happy about it.
More importantly, if the attacker manages to guess the password of the Admin account, they now control the entire site: they can take it down, or plant malware on the server that is then served to your visitors.
For this attack, we will be using a local instance of our WordPress site, and later in the document we will show you how to prevent it in a few simple steps.
NOTE - An attacker can obtain valid usernames without logging in at all, by enumerating users through the WordPress REST API (the public users endpoint lists the login names of everyone who has published content).
The password list -
Since the login page put no limit on the number of failed attempts a user can make, the attacker could simply run through a list of passwords, and here we see that on the 41st attempt the password for the site was cracked.
We can see in the output that
To protect your website from this simple weakness, which can lead to a complete takeover of the site, you can set up a Login and Spam limit using our WordPress Security Pro plugin. Enable the limit on the Login option and such scripts can no longer brute-force your site: the plugin automatically blocks the attacker's IP after a set number of failed login attempts.
Search for our plugin using miniorange firewall in the plugins section under your WordPress dashboard.
Install the plugin WordPress Security-Firewall and activate it.
Go to the WP Security Pro dashboard and open the Login and Spam Protection section. There you will find the Brute Force Protection settings, where you can set the limit on failed login attempts and the Time Period for which an IP should be blocked once the limit is crossed.
Time Periods can be
After completing these two steps you are all set: SAVE your settings and you are defending against those HACKERS.
Once the plugin is set up, an attacker's requests are rejected as soon as the attempt limit is crossed, so a password list can no longer be run against your login page.
To test it, log out of your account and enter wrong credentials; the plugin should show you an error message with the number of login attempts left (this message can be turned off if you prefer).
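The following simulation, added here as an example and not code from the plugin or from the original post, replays both halves of this page: the attack that cracks the password on the 41st request when nothing limits failed attempts, and the per-IP lockout that stops the same password list after a handful of guesses. The REST API response, the credentials, the password list and the IP addresses are all constructed for the example; the `LoginEndpoint` class is a stand-in for wp-login.php, not the plugin's actual implementation.

```python
"""Brute force against a simulated WordPress login, with and without a per-IP lockout."""
import json
import time
from collections import defaultdict

# Constructed sample of what GET /wp-json/wp/v2/users returns on an unhardened site
# (only the fields this example reads are included).
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
    {"id": 2, "name": "Guest Author", "slug": "guest"},
])

# Hypothetical credential store of the local test site (not real credentials).
VALID_CREDENTIALS = {"admin": "summer2023", "guest": "Tr0ub4dor&3"}

# Constructed wordlist: 40 guesses that fail, then the admin password as entry 41.
PASSWORD_LIST = [f"password{i}" for i in range(1, 41)] + ["summer2023", "letmein"]


def enumerate_usernames(users_body: str) -> list[str]:
    """The login name is the 'slug' field of each object in the REST API users listing."""
    return [user["slug"] for user in json.loads(users_body)]


class LoginEndpoint:
    """Stand-in for wp-login.php (hypothetical, not the plugin's code).

    With max_attempts=None it behaves like a stock install: every request is
    checked, no matter how many have already failed.  With a limit set it mimics
    a lockout plugin: once an IP has failed max_attempts times in a row, its
    requests are rejected for block_seconds without the password being checked.
    """

    def __init__(self, max_attempts=None, block_seconds=600, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.block_seconds = block_seconds
        self.clock = clock                      # injectable so tests can fake time
        self.failures = defaultdict(int)        # consecutive failures per IP
        self.blocked_until = {}                 # IP -> time the block expires

    def login(self, ip: str, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'blocked'."""
        now = self.clock()
        if ip in self.blocked_until:
            if now < self.blocked_until[ip]:
                return "blocked"                # block still active: do not even check
            del self.blocked_until[ip]          # block expired: start counting afresh
            self.failures[ip] = 0
        if VALID_CREDENTIALS.get(username) == password:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        if self.max_attempts is not None and self.failures[ip] >= self.max_attempts:
            self.blocked_until[ip] = now + self.block_seconds
        return "bad"

    def attempts_left(self, ip: str):
        """What the 'attempts left' error message would show; None when no limit is set."""
        if self.max_attempts is None:
            return None
        return max(self.max_attempts - self.failures[ip], 0)


def brute_force(endpoint: LoginEndpoint, ip: str, username: str, passwords):
    """Replay the attack: try every password in order and return
    (password_found_or_None, requests_sent, responses_that_were_blocked)."""
    blocked = 0
    for n, guess in enumerate(passwords, start=1):
        result = endpoint.login(ip, username, guess)
        if result == "ok":
            return guess, n, blocked
        if result == "blocked":
            blocked += 1
    return None, len(passwords), blocked


if __name__ == "__main__":
    target = enumerate_usernames(SAMPLE_USERS_JSON)[0]     # "admin"
    attacker_ip = "203.0.113.7"                            # RFC 5737 documentation address

    stock = LoginEndpoint()
    print("stock site:  ", brute_force(stock, attacker_ip, target, PASSWORD_LIST))
    # -> ('summer2023', 41, 0): cracked on the 41st request

    hardened = LoginEndpoint(max_attempts=5, block_seconds=600)
    print("with lockout:", brute_force(hardened, attacker_ip, target, PASSWORD_LIST))
    # -> (None, 42, 37): five guesses checked, the remaining 37 rejected unread
```

Two things worth noticing when you run it. First, the lockout does not make the password list shorter, it makes the server stop checking: after the fifth failure the remaining 37 requests are answered without a database lookup, which is also what relieves the load described earlier. Second, the block is keyed on the source IP, so an attacker spreading the same list across many addresses gets a fresh budget of attempts from each one; the attempt limit raises the cost of the attack, it does not replace a strong password.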
DEMO ATTACK
With this simple two-step setup, the plugin stops password-guessing scripts against your login page. Hopefully this was a helpful guide for you.
Happy Defending.