1. Brute-Force Login
In general, the term brute-force may apply to a lot of different principles. In mathematics, brute-force is a technique used to solve problems numerically, by accumulating all the possible outcomes of a condition (such as where to move in a game of Chess or which destination to visit next in a ‘traveling salesman’ example).
These methods are often very effective in problems which have finite, calculable outcomes. This is often utilized in machine learning applications such as AlphaGo. It’s so effective at playing “Go” because it can literally calculate ALMOST all of the possible moves and simply pick the one with the best outcome over the average (since it doesn’t know what the human will do).
In cryptography, a brute-force attack is a method used to gain access to a resource (ex: website dashboard) by guessing the password. There are a variety of methods used to deploy brute-force attacks, some of the more popular ones include dictionary attacks or rainbow table attacks.
Brute-force attacks are so common to WordPress, it’s even addressed in the codex.
Having a basic understanding of how these attacks are implemented can help you easily understand the methods used to thwart these attacks. For example, in a basic dictionary attack, there are only a few steps to successfully complete the attack.
- A computer program finds access to a login screen for some application such as your WordPress website.
- Most sign-in screens ask for 2 pieces of verifying information:
- A username
- A password
- The program has a list of possible usernames and passwords and attempts to login using every possible combination until it eventually succeeds.
How are the possible usernames and passwords chosen?
The data required to optimize the chance of a successful login attempt is easily available to pretty much anyone, although that doesn’t mean the probabilities are high, it depends on how well the application’s defense guards against these attacks. Fortunately, the brute-force attack is probably one of the easiest hacking attempts to defend against, but it is often the most overlooked which is why we address this first!
A quick Google search will reveal countless data sources displaying lists of over-used usernames and passwords. It should go without saying that anything on this list should be avoided, including similar variants. For example, “admin” is number 10 on this list, so we probably shouldn’t use “admins” even though it is not on the list. Many brute-force algorithms are programmed to test variants of commonly used phrases. The same logic applies to passwords, simply making your password complex enough will yield a theoretical limit to brute-force attempts, making it nearly impossible to crack without a quantum computer…
How to Defend Against Brute-Force
Make Your Password Long, Unique, Complex, and Unguessable
The math is simple. The more digits you have in your password and the more possible characters you have available, the harder your password will be to guess. Of course, sometimes this isn’t enough simply because no matter how hard your password is, there is still a non-zero chance of it being guessed. Your password should follow these rules:
- 10 characters or more
- Use at least one of each of the following types of characters
- A number
- A lowercase letter
- An uppercase letter
- A special character (such as *,%, or #)
Make Your Username Difficult to Guess Too
You don’t necessarily need a long, elaborate username, but at least don’t make it obvious. Using different usernames for various applications or sites is useful too, especially if these applications are part of the same network since if that username is compromised it can now be used on all the applications in that network. In this case, one good technique for choosing usernames may be to have a common word or phrase (such as your name, or company name) with an added prefix or suffix that would make it unique. For example, if I need a username for our company’s ‘support chat’ software, then instead of using the same username for all my other applications, I might choose to use a username that reflects this formula:
{first-name initial}{Company-name (with capital letter)}{_}{2nd letter of app domain}
This means that my username (for this app) would be dStrunk_t
It’s not terribly complicated and is easily constructed and usually unique. If it yields a username that was already used for a different application, that’s perfectly fine. This obscurity method of hiding usernames is probably already overkill for most administrators. But none of this matters if your username is easily found anyway, which is often the case for WordPress users…and that brings us to hiding your username in WordPress.
Keep All Full-Access Admin Usernames Hidden
Many hackers can easily deduce usernames by browsing around the website and searching for different files. Sometimes a person’s username is not needed and a user’s ID can be used instead. In WordPress, each new user is assigned a unique ID (starting at 1). Usually, the primary administrator ends up defaulting to ID=1 and so that is the user that most hackers will attempt to exploit. If user ID=1 does not exist, then hackers will move on to the next number, 2.
One method for obscuring full-admin usernames is to NOT have your lowest ID level a full-access admin account. Once your WP instance is installed, create a new user with lower privileges, such as editor or author. Then create your full-access admin account as the 3rd user. Once that is created, delete the original user and attribute all content to the latest admin account.
Make sure you keep your display name different from your username otherwise hackers will see it right away!
Obscure Your Login Page URL
Does your login page URL look something like this:
example.com/wp-login or example.com/admin
…or something similar?
Change it!
This little change can thwart a lot of automated hacking attempts by not letting it be easy for bots to even find your login page. There are various plugins that can do this for you. You could technically change it in WP core but that’s not usually recommended. There is also another option to create your own personal plugin that does this, but that’s a subject for another day.
IP Bans & Lockouts
The practice of blocking IP addresses from accessing your website is becoming more common for it’s ease, practicality, and effectiveness. There are endless combinations of triggers you can use to initiate a ban or lockout, but some of the more common practices include the following:
- Ban IP addresses that attempt login with a banned username such as “admin”.
- Lockout IP addresses that register a certain number of 404 hits within a certain time frame.
Regarding 404 lockouts, this method plays well with the technique of obscuring the login URL. For example, whenever the /wp-login page is requested, we can deliver a 404 or even some other page instead. If that request occurs, say 5 times within 5 minutes for example, then we could temporarily block that IP (20 minutes sound good?) from accessing any page on our site. Perhaps we could go a step further and say that if it happens again with the same IP, then permanently block that IP.
You can also limit access to your login page to specific IP addresses such as your home computer or work network. That can be a little more difficult if you’re not using a static IP, but you can narrow the list of possible addresses to country or state-wide IPs too.
Fringe Benefits
There is an added benefit to deploying these methods, and that is reducing server load. All these requests and hacking attempts bear a burden on the server, which is a resource we all pay for to some extent. Even if the additional requests don’t translate to extra costs (by going over CPU limits for example), it still can bog down the site and make everything run just a little slower or worse, completely fail. This is often seen in a dDos attacks.
Multi-Factor Authentication
Stop relying on passwords! The most effective way to completely obsolesce the brute-force method is to enable multi-factor authentication (usually referred to as 2-factor authentication).
There are a bunch of different MFA techniques available. Some of the more common types include sending random pass-codes to your private email address or phone as a text message or notification. This usually requires the use of 3rd party apps such as Google Authenticator.
Sometimes bio-metric data can be used but there are caveats with this. First, they are not always reliable and they can be tricked using various methods. It’s still a good supplemental method of security for applications that aren’t particularly vulnerable or high-risk. But it’s not recommended to solely use biometrics, although as an additional authentication technique, biometrics is often sufficient.
See Part 2 – SQL Injections
TLDR
- Make your passwords long, unique, and complex
- Keep your usernames & login pages hidden and secret
- Use multi-factor authentication
- Utilize IP blocking and banning
- Monitor server logs and site usage