Brute force attacks are common on the web. If you run a website, you have almost certainly seen repeated login attempts against it. In this article we explain how to better secure your website against brute force attacks, focusing on WordPress. If you use third-party software instead, we would be happy to cover your tool in a later article; just leave us a message. We will look at the ways of logging into WordPress, how to protect each of them, and some additional measures that strengthen the security of your website.
The different ways to connect to a WordPress website
It is important to know which approaches users take to log into a website. To access your site, a user needs a login form or a link exposed by the application. Before asking how to better protect your site against brute force attacks, let's explore the login options.
1 – Login via the default wp-admin link
Even a beginner using WordPress knows that to log into a site you just append wp-admin to the domain name. When you install WordPress, the login page is reachable at yourdomain/wp-admin. This page lets you log in, reset your password or, if registration is enabled, create an account.
2 – Login from a custom form on your website
You can create a custom login form on your website and give users your own link to access it. This approach has several advantages:
- Users (and automated scanners) may not be able to tell which technology you are using, which gives you more room to manage security.
- You can compensate for the limitations of the default login link.
3 – Using the xmlrpc.php file of WordPress
With a little knowledge of web programming, it is possible to use the xmlrpc.php file of WordPress to log into a website. This is the approach cybercriminals prefer, simply because many site owners are unaware that the file exists and accepts logins. It only takes a POST request, and attackers automate these requests from scripts rather than typing them by hand.
4 – Login using APIs
You can also authenticate against your website through its API (WordPress exposes a REST API). This too requires a minimum of web development knowledge.
There are obviously other approaches, but the ones listed above are the main ones. Below we look at what you can do to better protect your website.
4 steps to reduce brute force attacks
If you are receiving login attempt notifications, or if you have occasionally found unwanted users registered on your website, first take the time to validate your configuration. WordPress already offers some protection by default. Check, for example, that account creation is disabled if you do not intend to allow it; you can make this adjustment in your admin panel under Configuration ⇒ User account. If you do allow account creation, validate that the administrator email address works so that you receive a notification each time an account is created. This lets you keep control over who has access to your website.
Option 1 – Protect your website's login forms with captchas
In the vast majority of cases, the people trying to get into your website are not sitting at a keyboard. They use scripts that make login attempts in rapid succession, which is what makes the attack cheap for them.
With a captcha, you curb the ability of such scripts to reach your login. The captcha may, for example, use a risk score to decide whether a visitor is a real user, or it may ask a question that must be answered before the login continues. We offer an extension we developed for this: it uses Google reCAPTCHA v2 and v3, which you can enable on the login form and on account creation.
Option 2 – Change the name wp-admin to any other name
As mentioned above, many people know that adding wp-admin to the domain name leads to the login page. To protect your website, you can rename wp-admin to a name of your choice. You can do this with a WordPress extension, or manually if you have web programming knowledge. Via this link you will find a set of links that WordPress provides.
Option 3 – Completely block access to the wp-admin link and allow it only from your IP address
If you are the only administrator of the WordPress site, you can lock down the login page. The .htaccess file in the main WordPress directory lets you control access to your URLs. Below is an example of the code you can use:
```apache
<Files wp-login.php>
    order deny,allow
    Deny from all
    # allow access from my IP address
    allow from 184.108.40.206
    # allow access from my IP address
    allow from 220.127.116.11
</Files>
```
In the above code, the addresses after "allow from" are placeholders for your own IP address; replace them with yours, and add as many "allow from" lines as you need. Note that this approach only works if you have a static IP address: if your address changes constantly, you would have to edit the file all the time. Also note that Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat, and the native equivalent is "Require ip" inside the same <Files> block.
Option 4 – Completely block access to the WordPress xmlrpc.php file, or use an extension to restrict it
As we said above, the xmlrpc.php file is also a gateway into your website. You can completely block access to this file (if none of your extensions use it), or restrict it to the applications that legitimately call it. Below is an example of the code you can use to block access:
```apache
<Files xmlrpc.php>
    order deny,allow
    Deny from all
    # allow access from my IP address
    allow from 22.214.171.124
    # allow access from my IP address
    allow from 126.96.36.199
</Files>
```
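For hosts where you cannot edit .htaccess (nginx, for instance), the same two restrictions from Options 3 and 4 can be applied inside WordPress itself. The must-use plugin below is an added example, not code from this page or from the extension mentioned above; the file location, the plugin name and the allowlisted address (a documentation-range placeholder) are assumptions.

```php
<?php
/**
 * Plugin Name: Login entry-point hardening (added example)
 * Description: Disables XML-RPC logins and restricts wp-login.php to an IP allowlist.
 * Save as wp-content/mu-plugins/login-hardening.php; mu-plugins load without activation.
 */

// Option 4: refuse XML-RPC authentication. With this filter returning false,
// every XML-RPC method that requires a login fails with
// "XML-RPC services are disabled on this site.", so password guessing
// through xmlrpc.php gets no feedback on whether a password was right.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping needs no login and is unaffected by the filter above,
// so unregister it separately and stop advertising the endpoint.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Option 3 without .htaccess: only the listed addresses may reach wp-login.php.
// 203.0.113.10 is a placeholder (assumption); put your own static IP here.
const LOGIN_ALLOWED_IPS = [ '203.0.113.10' ];

add_action( 'login_init', function () {
    // Behind a reverse proxy or CDN, REMOTE_ADDR holds the proxy's address;
    // make the proxy pass the real client IP to PHP before relying on this.
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $client, LOGIN_ALLOWED_IPS, true ) ) {
        wp_die(
            'Access to the login page is restricted.',
            'Forbidden',
            [ 'response' => 403 ]
        );
    }
} );
```

Test it from an address that is not on the list before you log out, otherwise you lock yourself out of the admin panel.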
Option 5 – Use two-factor authentication
Many platforms use two-factor (two-step) authentication to combat brute force attacks. The user must present two things to log in: each time they attempt to connect, in addition to the password they have to enter a validation code before they are granted access. This is especially effective because even if a cybercriminal obtains your password, they would also need access to your phone or email to get the code.
Conclusion and final reflection
Cybercrime, including brute force attacks, can target anyone in a company. You can protect yourself against the known approaches, but cybercriminals are constantly looking for new loopholes to exploit. As an individual or a company, you need to apply a set of processes to stay as safe as possible from potential attacks. If you need assistance in evaluating and improving the security of your website, contact us.