Brute Force Attack - What it is and How to Block It
Table of Contents
Some brute-force attacks utilize dictionaries of commonly used passwords, words, etc. in order to speed up the process of guessing users passwords.
How to Protect Yourself From Brute Force Attacks?
The first thing you need to do to protect yourself from such attacks is to choose an appropriate username and password. Try not to use common names for your username as admin, administrator, or superuser. Regarding your password, try using as complicated one as possible and include numbers, special characters, uppercase, and lowercase letters. There are free password generators that create long and strong passwords for you to use. If you have experienced issues remembering long passwords, you can use password vaults like 1Password for example.
If you detect that someone has launched a brute-force attack against your site (such attacks generate a huge amount of failed login attempts in your log), you can block the attacker’s IP address from accessing your site completely. To do that, add the following line to your .htaccess file:
deny from 123.123.123.123Replace 123.123.123.123 with the actual IP address of the attacker.
In addition, restrict the admin areas of your site only to your address. In case you use WordPress, that should be your wp-admin folder.
If you use Joomla! 3.x – protect the administrator directory. Actually, that’s a good practice and it’s good to do it even if there is no attack against your site. The actual .htaccess rules you need to place in those folders are:
deny from all
allow from 222.222.222.222Replace 222.222.222.222 with your IP address. To find out what is your IP, you can use one of the many sites providing that information like whatismyip.com for example.
More information on how to protect your WordPress websites can be found in our tutorial