What is a Brute-Force Attack?

I’m sure you’ve heard the phrase ‘brute-force’ at some point in time. Whether used to describe an army invading a castle or a raging river, it simply speaks to the sheer volume and power of the force. In recent years, the phrase “brute force” has taken on a new meaning. Today, a brute-force attack is one of the most common and cornering security threats to any website or secured login. Thankfully, there are a couple of great options for preventing our sites, especially WordPress sites, from falling victim to a brute-force attack.

A brute-force attack is a trial and error type of method used to guess useful information, such as username and password. Just like a river slowly and gently flowing downstream isn’t too big of a concern, a person sitting and guessing usernames and passwords isn’t that big of a concern (though still not appreciated). The concern with the river and our logins, is simply in the sheer brute force. To accomplish this, spammers and hackers will use a software-based algorithm to automatically generate a large number of guesses for the desired piece of information. Some sources that these guesses can be as numerous as up to 350 billion per second. As you can probably guess, 350 guesses per second can be a problem – and 350 billion per second can be catastrophic. The obvious concern is that the attacker could gain access into your site and wreak havoc. The problem with that many hits on a page (attempts to login) is that it will eventually cause your website to crash and simply be down. While that can stop the attacker, it also means legitimate users can’t access your site. Thankfully, there are several easy-to-implement security protocols in WordPress as well as basic practices that can help eliminate the risk for brute-force attack.

First things first – I gotta say this, and I know you’ve heard it before: PASSWORD for your password is a HORRIBLE idea! 1234 is a horrible idea! When you’re setting up your password in WordPress, one of its great security features is that WordPress will let you know how secure it feels your password is. Simply keep adding to your password until it comes up as Very Strong. To do this, you’ll most likely be using a combination of lower and uppercase letters, numbers, and special characters (!, @, #,$, etc.). For example, as I’m writing this, I’m listening to Quiet Riot. A musically influenced strong password would be something like Qu!t3#Ri0t#coftnoize – (Quiet Riot, Come On Feel the Noize). I added in uppercase, lowercase, numbers, and characters.

Okay, so now that we got the obvious one out of the way…. You can also install a plugin such as WordFence and customize its installation to protect your site further. With WordFence, you can take additional steps such as blocking a username. I never set up the username ‘admin’ – that’s far too obvious. With WordFence, if anyone tried to use that username, they’d be automatically blocked from being able to login for however long you specify. You can also set it up so that if they do try a legitimate username but miss the password a certain number of times (10 or 20 ideally, if you use strong passwords), it will again lock them out.

With WordFence, you can also run a scan on your site to see if there are any effected or infected files on your site that need to be cleared up. If there are any suspicious files, the program will let you know which ones are causing concern and which specific folders they’re in so you (or your web developer) can check them out and remove them if necessary. While this won’t stop a brute-force attack from hitting or entering your site, this scan can help prevent the amount of damage that can be caused by an attack.

Thankfully, there are several simple and easy-to-implement tools and plugins to help prevent brute-force attacks. Unfortunately, cyber threats such as a brute-force attack are one of the most common and concerning security threats that we face with websites, and the problems (the hackers/spammers/evil-doers) won’t be going away anytime soon. Just like when an invading army would storm a castle or the water in a river rages, we can be proactive and ready to counter these attacks when they come.