A brute force attack is a popular password cracking hack. Brute force attacks accounted for five percent of confirmed security breaches.
Making a brute force attack is easy, with little advanced programming knowledge. Attackers hack millions of sites every year. And according to a report, the number of brute force attacks has increased by 400% since 2018.
Running a business online comes with the challenge of security problems. As your site grows and businesses prosper, attacks start to increase. You must always invest in quality web hosting as a good web host that can help you defend your site.
In this post, we will explain what Brute Force Attack is, and why your site is exposed to such attacks, and how you can protect your site against them.
What is a brute force attack? (Explanation)
A brute attack force attack is the hacking method where hackers try to access the site by guessing the right password combination.
To login to a server or site, one needs an admin username and password. What hackers do is try to guess the correct combination.
Now let’s say a password is two characters long – and both of them are numbers – then the password could be from 00 to 99. There is no other possibility except the 100 combinations. So a hacker will use each combination until he finds the right one.
So 10 characters will fill in two boxes = 10 power 2 = 100 combinations.
If we add the alphabets too, then there will be 36 characters for two boxes = 36 power 2 = 1296 possible outcome.
Count uppercase and lowercase both = (26+26)+10 character for two boxes = 62 power 2 = 3844 possible outcome.
This is for only two box passwords. If we increase the password’s length, say 5, then it will go like this—62 power 5.
Usually, the length of the password is 8-character. The possible combination would be 62 power 8. It equals 218340105584896 combinations.
Even at the speed of checking 1 million combinations a second (not humanly possible), the cracking of a password will take up to 218340105.585 seconds, Which means, nearly seven years.
So how do hackers achieve success?
First of all, they use codes to automate the task of checking the password. A simple line of the script runs the attack.
Second, a basic computer can’t do such high-speed work. Most hackers use GPU servers, or they use software to pool the resources of multiple machines into one.
It is about checking various character combinations as fast as possible. And as the length of the character increases, the time it takes to crack the password increases exponentially.
Types of Brute Force Attacks
Simple Brute Force Attack
A simple generic brute force attack that checks possible combinations. This is used to crack the password of local files, as there is no limit to the number of attempts. You can make thousands of attempts, and it does not need supercomputers.
In a dictionary attack, a list of possible passwords is used instead of random characters.
Instead of using many character combinations and possible passwords, hackers try to make a password list based on assumptions and historical password data. They start a brute force attack with that list and then keep on extending.
There are lots of dictionaries available on the Internet for such purposes. This way, hackers do not try to hack with randomness but make a list for better hacking attacks.
Hybrid Brute Force Attack
A hybrid Brute force attack combines a brute dictionary attack and a simple brute force attack. It starts with the dictionary attack and then uses the simple brute force to find the combination.
Instead of checking every combination, it begins with a list. The code starts experimenting with the variations of given combination, changing character location, uppercase-lowercase to find the right password.
Reverse brute force attack
In reverse brute force attack, the hackers already know the password. So they search for the matching username. They find the password through network breaches.
Instead of making combinations for passwords, they use the list of millions of usernames to do the hack.
Lots of the users use the same username and password for various sites. Even in the organization, password reuse is a common practice.
Hackers collect the username-password via network breach or data breach and run them to other websites to find if any of them work anywhere else.
How to Detect Brute Force Attacks?
Be it brute force attack, or DDoS attack, your hosting company will know it. Web Hosting companies monitor the sites for any unusual activities, and if they find something fishy, they block the IP address or shut down the site to protect the other project on the network.
Another indicator of a brute force attack is an unsuccessful login attempt. There will be lots of unsuccessful login attempts if you check the log files. If you are using any monitoring service, you will get the notification. You will get the OTP if you have enabled 2-Factor Authentication.
Also, when such an attack happens, hackers might try a DDoS attack. Or spam, malware, phishing attacks – all of them are signs that someone is trying to enter your site.
Then there is mail by companies itself. When Facebook or Gmail see unusual login to an account, they send the mail to the user. So keep checking your mail if you think your accounts are at risk.
How Can I Prevent It?
Let’s see how you can protect your site from Brute Force Attack.
- Password Length
- Password Complexity
- Limit Login Attempts
- Modifying .htaccess file
- Using Captcha
- Two Factor Authentication
- Use WAF
- Change login URL
#1 Password Length
The most crucial factor is the password length. As I explained earlier in the article, the password’s length directly increases the difficulty of cracking the password.
So keep the length of the password at least to 8 characters.
#2 Password Complexity
The second most important aspect is also related to the password. Increase the complexity of character by using various types of characters. Don’t use only numbers and alphabets..
Use special character, numbers, uppercase letters, and lowercase letters to make the password strong. A strong password is the easiest way to secure your site from any hacking attack.
#3 Limit Login Attempts
Do not allow the unlimited number of login attempts. Keep it limitless, maximum 5 or less. The brute force attack works by checking the various combinations of passwords. If, after a few failed login attempts, your site blocks the attack’s IP, it will become difficult for the hacker to keep the attack continue.
However, he can try using multiple IP addresses simultaneously, but again, Limiting Login Attempts improves the security of the site.
#4 Allow selective IPs
The most optimum way is to disable the login attempts from all the other IP addresses except the one you use. This way, one can access the account only from your IP address.
To do this, add the following code to the .htaccess file of your site:
<Files /wp-login> order deny,allow allow from IP1 allow from IP2 deny from all </Files>
Add the IP1 and IP2, those IP that you want to allow.
#5 Using Captcha
Captcha is another method that can secure a site from an advanced brute force attack. Hackers use bots to execute hacking attacks, and captcha stops bots. Installing captcha on WordPress is quick and easy.
A simple captcha can give a hard time to dictionaries and other bot attacks. There are many WordPress plugins that you can use to enable captcha.
#6 Two Factor Authentication
Beside captcha, two-factor authentication is another excellent method to deflect bot attacks. Two-factor authentication works as an additional layer of security.
Even if the brute force attack is successful, and hackers find out your username and password, they may not enter the account without authenticating their identity.
You can use your mobile number, extra pin, email address, or questions to validate that you want to access the site.
#7 Use WAF
Like Cloudflare and Sucuri, WAF works as a middleman between the traffic coming to your site and your site. All the site goes through a firewall, and only the secure visitors visit the site.
You can get free WAF (Cloudflare) or paid ones (Sucuri). There are many open-source WAF you can use.
#8 Change the Login URL
One of the requirements of doing brute force attacks is to know the exact login URL. Most of the site owners keep the login URL the same as it comes with installation.
- Usual Login URL: example.com/login.php or example.com/wp-admin
- Changed Login URL: example.com/WhateverYouLike
Read this article to make the WordPress login page secure.
Brute Force Attacks are very popular, and there are ways you can prevent your site from the threat.
In this post, I mentioned the easy method that can reduce the possibility of the success of any brute attack. If you know more ways, leave them in the comment.