
How to Counter Brute Force Attacks on WordPress

January 15, 2016 By John


WordPress is one of the most popular content management systems (CMS) available. Its popularity is the reason why it is so heavily targeted by attackers. A secure website is a must if you're operating an online business, so that you can protect both your business and your customers.

In this article, you will learn:

  • What is a brute force attack?
  • How to know if someone is brute forcing into your site
  • How to counter brute force attacks on WordPress
  • What to do when someone succeeds at brute forcing into your website

WordPress does not currently have any built-in feature to stop brute force attacks, so you are responsible for preventing them on your own website.

What is a Brute Force Attack?


A brute force attack, or brute forcing, is one of the leading causes of website compromises and works by trial and error: the attacker submits username and password combinations repeatedly until one is accepted and gains access to your site. The same technique can also be used to find hidden pages and content in a web application.

A brute force attack is, simply put, an attack on the weakest link in a website's security. Sucuri, a security company that focuses on spotting and repairing compromised websites, reports at least 770,000 brute force attacks every hour. Your website is exposed to this type of attack if it has any login or user authentication at all.

There are endless catastrophic possible events that could happen once an attacker gains access to your site. The access will be exploited and accounts can be locked out, malware or viruses can be injected, important financial transactions can be compromised or blocked, or data can be changed or stolen. All the hard work you have invested in your business could go down the drain in an instant and hurt your virtual presence.

Brute Force Attack Methods

Brute forcing can be done in different systematic ways, manually or with automated tools, and can take minutes or years depending on the strength of your credentials and the authentication process. In most cases it is done by automated tools that use bots to crawl the web looking for weak default configurations and easy targets. For WordPress, the common targets are /wp-admin, /wp-login.php and the XML-RPC endpoint (xmlrpc.php).

Brute force attacks can be used legitimately to test a website's security, but most of the time they are used by attackers to crack passwords and other protected data for their own advantage. There is a growing number of increasingly capable automated tools for brute forcing, and they are so simple that even a teenager can use them. These tools work through possible username and password combinations until one gains access. The following are commonly used methods:

Dictionary Attack

The common targets here are administrator accounts. In this method, the attacker will use a database or ‘dictionary’ containing millions of words that are commonly used as a login password. Each one will be tried for authentication. The attacker will succeed once the password is accepted as correct.

These attacks can lock out one or more accounts and, depending on the error responses, reveal more information about the site. A dictionary attack is resource- and time-consuming, but more computing power makes it quick. It does not decrypt anything; it only cycles through a list of words until one succeeds.

Hybrid Brute Force Attack

This is similar to the dictionary attack but the attacker may use permutations of words from a password dictionary, your real or site user name, website and company name. It uses a smarter set of rules, such as adding numbers and doubling up some characters or words, to intelligently guess passwords. An attack can occur and succeed quicker if more information is available to the attacker.

Reverse Brute Force Attack

This is less common but your website is vulnerable to this if your site users use weak passwords. In this method, the attacker will try to use one password and try to match it against many user names.

How Do You Know if Someone is Brute Forcing into Your Site?

The tough reality is that brute force attacks can look the same as DDoS (Distributed Denial of Service) or DoS (Denial of Service) attacks. You can tell them apart by intent: DDoS/DoS is after disruption of service, while brute forcing is after gaining access. DoS can, however, be a byproduct of brute forcing, as the flood of login attempts can overload your servers. Some attacks are easy to detect; others are harder because they are spread across different open proxy servers.

Careful observation and monitoring is necessary to detect Brute Force Attacks. Be on the lookout for irregularities and malicious activities in your site. To help you out, these are the most common ones experienced by victims of brute forcing:

  • Numerous failed logins coming from the same IP address
  • Multiple usernames used to login from the same IP address
  • Continuous login for one username from various IP addresses
  • Logins with suspicious usernames and passwords
  • Overloaded server memory that results from excessive bandwidth consumption by a single user
  • Performance problems
  • Weird links
  • Notice from the webserver of attacks and an unusually large amount of data being used in a short period of time
  • Website redirects to a different page or website
  • Unwanted popups and ads all over your site
  • Malware or virus
  • Spam emails or comments
  • Help desk flooded by complaints of locked out accounts.
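The first sign in that list, many failed logins from one address, can be checked from the web server's access log without any plugin. The script below is an added example, not code from the article: it counts login-form POSTs per address. The log lines are constructed samples in Apache combined format (documentation addresses), and the threshold and the wa_example_ function names are assumptions for this illustration.

```php
<?php
/**
 * Example: spot brute-force login patterns in a web server access log.
 * Added illustration, not code from the Wooassist article.
 */

// Constructed sample log lines (Apache "combined" format, RFC 5737 addresses).
$wa_example_log = <<<'LOG'
203.0.113.5 - - [15/Jan/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2016:10:00:05 +0000] "GET /shop/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into ip, method, path and status.
 * Returns null for lines that do not match the format.
 */
function wa_example_parse_line( $line ) {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4] );
}

/**
 * Count suspicious login POSTs per client address.
 * On WordPress a failed login re-renders the form (HTTP 200) while a successful
 * one redirects to the dashboard (302), so 200 responses to POST /wp-login.php
 * are the failures. POSTs to xmlrpc.php are counted as well, because that
 * endpoint accepts credentials too and is a common brute-force target.
 */
function wa_example_login_failures( $log ) {
    $failures = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = wa_example_parse_line( $line );
        if ( null === $r || 'POST' !== $r['method'] ) {
            continue;
        }
        $path      = explode( '?', $r['path'], 2 )[0]; // drop any query string
        $is_login  = ( '/wp-login.php' === $path && 200 === $r['status'] );
        $is_xmlrpc = ( '/xmlrpc.php' === $path );
        if ( $is_login || $is_xmlrpc ) {
            $failures[ $r['ip'] ] = ( $failures[ $r['ip'] ] ?? 0 ) + 1;
        }
    }
    return $failures;
}

/** Addresses at or above the threshold (assumed value), most active first. */
function wa_example_suspects( $log, $threshold = 3 ) {
    $counts = array_filter(
        wa_example_login_failures( $log ),
        function ( $n ) use ( $threshold ) { return $n >= $threshold; }
    );
    arsort( $counts );
    return $counts;
}

foreach ( wa_example_suspects( $wa_example_log ) as $ip => $n ) {
    printf( "%s: %d login-form/XML-RPC POSTs in the log, candidate for blocking\n", $ip, $n );
}
```

On a real server you would feed it the contents of the access log (for example via file_get_contents on the log path your host uses) rather than the embedded sample, and treat the output as a list to investigate, not to block blindly: an office or a shared proxy can put many legitimate users behind one address.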

How to Avoid Brute Force Attacks

A Brute Force Attack can be minimized, if not avoided, as long as you follow these steps.

Keep Everything Updated

WordPress, themes and plugins release new versions to patch vulnerabilities and fix bugs. Updating can be tedious, but it protects your site from known exploits. Just make sure that you keep a backup before updating. Be on the lookout in your WordPress Dashboard for updates to the following:

  • WordPress Version
  • WordPress Theme
  • WordPress Plugins


Use Strong Passwords and Change Them Regularly

The best way to protect your site is to use strong passwords and avoid keeping the same password for a long time. If your site allows numerous login accounts, it is best to make sure that all your users follow these basic rules in making strong passwords:

  • Keep your passwords long. Use a minimum of 8 characters.
  • Keep it complex. Do not use dictionary words.
  • Keep it mixed. Use a combination of numbers, upper- and lower-case letters and non-alphanumeric characters.
  • Check if your password is a common password.

Avoid Common Usernames

“admin” is the most used username for Brute Force attacks. Image Source: https://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html

This is very important especially for administrator accounts. Do not use the default username ‘admin’ or any similar usernames containing the same word. Doing so will significantly increase the likelihood of your site being attacked by malicious users.

Use Two-Factor Authentication for Administrator Accounts

For extra security, you can activate two-factor authentication in cPanel or use a plugin such as miniOrange's Two-Factor Authentication (Google Authenticator). The downside is that you need to have your phone with you whenever you log in, and the login process takes a little more effort and time.

Set Administrator Logins to Certain IP Addresses

If you have a static IP address, this is a great added security option: you can block sign-in attempts from all other IP addresses by editing your .htaccess file. It is a problem, however, if your network uses dynamic IP addresses that change over time.
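The .htaccess approach restricts the login page at the web server. The same restriction can be enforced from a WordPress must-use plugin, which also allows CIDR ranges; the file below is an added example in PHP, not code from the article or from Wooassist. The allowlist addresses are constructed documentation addresses and every name prefixed wa_example_ is an assumption for this illustration.

```php
<?php
/**
 * Plugin Name: Example login IP allowlist
 * Description: Added illustration, not part of the Wooassist article or of WordPress.
 * Save as wp-content/mu-plugins/example-login-allowlist.php on a test site.
 *
 * The addresses below are constructed sample values; replace them with your own
 * static address(es) before enabling this on a real site, or you lock yourself out.
 */

// Allowed client addresses or IPv4 CIDR ranges, comma-separated (constructed samples).
define( 'WA_EXAMPLE_LOGIN_ALLOWLIST', '203.0.113.10,198.51.100.0/24' );

/**
 * True when an IPv4 address falls inside a CIDR range ("a.b.c.d/n" or a bare address).
 */
function wa_example_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        $cidr .= '/32'; // a bare address matches only itself
    }
    list( $network, $bits ) = explode( '/', $cidr, 2 );
    $ip_long  = ip2long( trim( $ip ) );
    $net_long = ip2long( trim( $network ) );
    $bits     = (int) $bits;
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false; // malformed input never matches
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

/**
 * True when $ip matches any entry of the comma-separated allowlist.
 */
function wa_example_ip_allowed( $ip, $allowlist ) {
    foreach ( explode( ',', $allowlist ) as $entry ) {
        $entry = trim( $entry );
        if ( '' !== $entry && wa_example_ip_in_cidr( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Reject wp-login.php (both GET and POST) from addresses outside the allowlist.
 * Behind Cloudflare or Sucuri CloudProxy, REMOTE_ADDR is the proxy's address unless
 * the server has been configured to restore the real client address.
 */
function wa_example_guard_login() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! wa_example_ip_allowed( $ip, WA_EXAMPLE_LOGIN_ALLOWLIST ) ) {
        error_log( 'login blocked for non-allowlisted address ' . $ip ); // lands in the server error log
        wp_die( 'Login is not available from this network.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'wa_example_guard_login' );
```

The login_init hook only fires for wp-login.php, so this does not cover logins over XML-RPC (xmlrpc.php), one of the targets named above; cover that endpoint separately or disable it if you do not use it. The .htaccess method has its own trap worth knowing: blocking all of /wp-admin also blocks admin-ajax.php, which WooCommerce front-end features rely on.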

Design Your Site to Not Use Predictable and Data-Exposing Behavior for Failed Login Attempts

If you are tech savvy, you can change the error messages that your website shows on a failed login. For example, an error message that says 'bad username or password' only makes the attacker try the next entry in their list, whereas one that reveals which of the two was wrong tells them which half to keep. Adding a progressive delay after every failed attempt also improves your website's security, and you can prompt users to answer a CAPTCHA or a secret question after failed attempts. Be wary of CAPTCHAs, though, as they can hurt your website's user experience.

Secure Your Site with Tools and Plugins

There are many available tools and plugins that you can use. Some are free and some come with a price. Here are some tools, plugins and features that you should consider to significantly improve your website’s security. They can help you counter brute force attacks on your WordPress site. Before adding a plugin, you need to check if it’s compatible with your theme, other plugins, and WordPress version first. Some of the tools mentioned below may overlap with other ones in the list.

Security Scanner

There are so many security scanner plugins available for WordPress and most of them also include various tools that improve your website’s security. Top plugins that you can check out are:

  • Wordfence Security
  • VaultPress
  • iThemes Security
  • All In One WP Security & Firewall
  • Sucuri Security
  • Theme Authenticity Checker

Login attempt limit, blocks, and delay

There are plugins that can limit the rate of login attempts and block IP addresses temporarily to protect your site from brute force attacks such as WP Limit Login Attempts. You can also be on the lookout by tracking IP, usernames, passwords and adding idle timeout in your login with Login Security Solution.

Hide Login Page and Data

Attackers would normally target your /wp-login.php or /wp-admin. To hide your login page, you can use WPS Hide Login plugin.

Strong Passwords


WordPress already generates a strong password for new users but if you are not a new user, you might want to create a very strong password by using a mix of upper case and lower case letters, numbers and symbols.

One way of creating a strong password that is easy to remember is to think of a sentence. For example: “The quick brown fox jumped over the lazy dog.” Take the first letter of every word and you will get “TQBFJOTLD”. Convert some letters to numbers or symbols and you can get “7Q3FJ0T1D” and then vary the remaining letters to upper case and lower case. Your strong password could be “7q3Fj0T1d”. Whenever you want to type your password, just recall the sentence that you used to generate your password.

Cloud/Proxy Services

You can use the aid of cloud or proxy services to help mitigate attacks all over the web as these block the IPs before they even reach your server. Cloudflare and Sucuri CloudProxy are notable services to check out.

What if Someone Already Got into My Site?


Don’t Do Anything Rash

The worst mistake you can do is to delete things without backing up data first or cause further problems by troubleshooting. If your site has been compromised, the best option is to seek professional help.

Keep Calm and Regain Control of Your Site


Take a step back and calm yourself down. You can still recover from this miserable event. Try to regain admin access of your site. If your password was changed, you can simply get access again by using the ‘forgot password’ option. If this has failed, get in touch with your hosting provider.

Change All Your Backend Passwords

This is an important step that you should do when you regain access to your hacked website. Make sure that you use a strong password so you can avoid further damage being done to your website.

Identify the Damage Done

Once you have access to your site again, scan it with an online malware scanner such as Sucuri's, or with Google's Safe Browsing. For the latter, visit this URL with your own domain in place of the placeholder: google.com/safebrowsing/diagnostic?site=yoursiteaddresshere.com

Check with Your Hosting Company

Some hosting services provide technical support for issues like this. Getting professional help is still recommended.

Restore from Backup

If you keep regular backups, you can restore your most recent backup; just make sure the backup you choose is from before your site was compromised.

Check and Change User Permissions

Check user permissions, especially if many accounts can access administrator settings, so that other users cannot get in while you are cleaning up.

Close Hacker Backdoors

Secure your wp-config.php file and close all the backdoors that the hacker may have left. You will need professional help for this.

Change Your Passwords Again

Yes, again. The hacker may have captured your new password through malware, so change your password once more when you are done cleaning up.

Have Your Site and IP Address Whitelisted

Once you have finished cleaning your site up, find out where you have been blacklisted. You may still be marked as spam by some online services like Unmask Parasites.

Summary

Your e-commerce website being compromised is one of the worst experiences an entrepreneur can go through, so planning ahead and hardening your website's security should never be taken lightly. The adage "An ounce of prevention is better than a pound of cure" rings true. If you have applied the hardening methods shown in this article, give yourself a pat on the back. If you are here because your website was compromised, get professional help as soon as possible.

Filed Under: How-To Articles Tagged With: brute force, CloudFlare, how-to, redirection, security, sucuri, website maintenance, WordPress

11 Things You Can Do to Increase the Security of Your WooCommerce Store

March 11, 2018 By John


Keeping your WooCommerce store secure is important. Hackers discover new exploits every day. In fact, more than thirty thousand websites get hacked on a daily basis. Don’t be a part of that statistic. Increase the security of your WooCommerce store before it’s too late.

At Wooassist, we’ve had our fair share of clients that have had their websites hacked. Cleaning up after a hack is a lot of trouble. You have to get rid of the exploit and weed out any remaining backdoors that would allow the hacker to regain access to the hacked site. Worse, a hacking incident can lead to a website being penalized by search engines for containing malware. In this post, we’ll share some tips that you can do right now to increase the security of your WooCommerce store. Following these tips will reduce the odds of your site getting hacked.

1. Check Your Login Information.

Often, hacks happen through the user's own fault: almost 90% of cyber-attacks are caused by human error or behavior.

The first step to increase your website's security is to make sure that your login information is secure. First, don't use "admin" as your username. Why? Because brute force attacks usually target this username. If you use admin as your username and have a weak password, it is almost guaranteed that your site will fall victim to a brute force attack. But what if you are already using admin as your username? You'll just need to create a new administrator account with a unique username and a strong password; WordPress will already suggest a strong password that you can use. After creating the new account, log in with it and then delete the "admin" account. When WordPress asks what to do with the deleted user's content, attribute it to the new account rather than deleting it.

2. Keep your WordPress/WooCommerce Site Updated

Keeping your WooCommerce store updated protects your site from the latest known vulnerabilities. Developers regularly patch exploits found in their software, so it is imperative that you update on a regular basis.

Before updating however, it is important to test your updates first on a development site or at least create a backup. Often, updates can break your site and this can harm your conversion rates if you don’t have a backup that you can revert to. Websites breaking due to site updates are common. Some hosting providers such as WPEngine provide their customers an easy-to-set-up staging environment. Here you can test your updates before applying them to your live site.

3. Use Two-Factor Authentication.

Using two-factor authentication greatly increases the security of your website. Even if a brute force attack guesses your password, two-factor authentication still blocks the login. Unless the hackers also get hold of your phone, you're safe.

4. Install a Security Plugin

A WordPress/WooCommerce site without a security plugin is like a computer without anti-virus software. Wordfence and Sucuri Security are some good options. Just install the plugins and then activate. After activating, just go to the plugin’s settings and configure depending on your needs.


5. Limit Login Attempts.

Limiting login attempts will deter brute force attacks. A brute force attack tries to guess your username and password by sending hundreds, if not thousands, of requests every minute. Limiting login attempts pretty much renders brute force attacks powerless unless you have a weak password. There are a couple of plugins that can help you limit login attempts, such as Login Lockdown.
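The progressive delay described in the first article above and the login limit described here can be implemented together in one small must-use plugin. The file below is an added example, not code from Wooassist, from WordPress or from Login Lockdown; the thresholds and every name prefixed wa_example_ are assumptions for this illustration, and the hook names are WordPress's own.

```php
<?php
/**
 * Plugin Name: Example progressive login lockout
 * Description: Added illustration, not code from the Wooassist articles or from any plugin named in them.
 * Save as wp-content/mu-plugins/example-login-lockout.php on a test site.
 */

define( 'WA_EXAMPLE_MAX_FAILURES', 5 );                      // failures allowed before the first lockout (assumed)
define( 'WA_EXAMPLE_WINDOW',       15 * MINUTE_IN_SECONDS ); // how long a failure stays on record (assumed)
define( 'WA_EXAMPLE_BASE_LOCKOUT', 15 * MINUTE_IN_SECONDS ); // first lockout; each further failure doubles it
define( 'WA_EXAMPLE_MAX_LOCKOUT',  DAY_IN_SECONDS );

/**
 * Transient key for the calling client. Behind Cloudflare or CloudProxy, REMOTE_ADDR is
 * the proxy's address unless the server has been configured to restore the client address.
 */
function wa_example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wa_example_login_' . md5( $ip );
}

/** Pure function: the record after one more failure at time $now. */
function wa_example_next_state( $state, $now ) {
    if ( ! is_array( $state ) ) {
        $state = array( 'failures' => 0, 'locked_until' => 0 );
    }
    $state['failures']++;
    if ( $state['failures'] >= WA_EXAMPLE_MAX_FAILURES ) {
        // Progressive: 15 min on the first lockout, then 30 min, 1 h, ... capped at a day.
        $excess  = $state['failures'] - WA_EXAMPLE_MAX_FAILURES;
        $lockout = min( WA_EXAMPLE_BASE_LOCKOUT * ( 2 ** min( $excess, 20 ) ), WA_EXAMPLE_MAX_LOCKOUT );
        $state['locked_until'] = $now + (int) $lockout;
    }
    return $state;
}

/** Seconds left on the client's lockout; 0 when it may try. */
function wa_example_lockout_remaining() {
    $state = get_transient( wa_example_client_key() );
    if ( ! is_array( $state ) || empty( $state['locked_until'] ) ) {
        return 0;
    }
    return max( 0, $state['locked_until'] - time() );
}

/**
 * wp_login_failed fires for wp-login.php and XML-RPC logins alike.
 * Log the username and address for detection, never the password.
 */
function wa_example_record_failure( $username ) {
    $key   = wa_example_client_key();
    $state = wa_example_next_state( get_transient( $key ), time() );
    $ttl   = max( WA_EXAMPLE_WINDOW, $state['locked_until'] - time() ); // keep the record for the whole lockout
    set_transient( $key, $state, $ttl );
    error_log( sprintf( 'login failed: user=%s ip=%s failures=%d',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $state['failures'] ) );
}
add_action( 'wp_login_failed', 'wa_example_record_failure' );

/**
 * Runs on the authenticate filter after core's password checks (priority 20), so a
 * locked-out client is refused even when it finally guesses the right password.
 */
function wa_example_enforce_lockout( $user, $username, $password ) {
    $remaining = wa_example_lockout_remaining();
    if ( $remaining > 0 ) {
        // One generic message whether or not the credentials were right, so the response leaks nothing.
        return new WP_Error( 'wa_example_locked',
            sprintf( 'Too many failed logins. Try again in %d minutes.', ceil( $remaining / 60 ) ) );
    }
    return $user;
}
add_filter( 'authenticate', 'wa_example_enforce_lockout', 40, 3 );

/** A successful login clears the client's record. */
function wa_example_clear_record() {
    delete_transient( wa_example_client_key() );
}
add_action( 'wp_login', 'wa_example_clear_record' );
```

Two design points: a refused attempt during a lockout still counts as a failure, which is what makes the lockout grow for a client that keeps hammering the form; and because the record is keyed by address, many users behind one office or carrier NAT share a record, so keep the first lockout short and watch the error log before tightening the thresholds.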

6. Protect your wp-config File

The wp-config file is a crucial part of the WordPress ecosystem. It contains important configuration information of your WordPress site which is why many hackers try to target this file. There is however a workaround to block intruders from getting access to this file. Simply place this code in your .htaccess file.

7. Hide Login Error Messages

Whenever you enter the wrong login credentials on WordPress, it returns an error message saying that your username is wrong, your password is wrong, or your password does not match the username. You may think little of this, but for hackers this bit of information is priceless, because it confirms which usernames exist. You can hide these messages by adding the code below to your functions.php file. Do note, however, that a mistake when tinkering with functions.php can take your entire site down. Unless you're a web developer or know your way around the file, have a developer do this for you.

function wrong_login() {
    // Same generic message whether the username or the password was wrong
    return 'Wrong username or password.';
}
add_filter( 'login_errors', 'wrong_login' );


8. Hide WordPress Version

For hackers, discovering that your WordPress version is outdated is like finding a gold mine. So it is imperative that you always update to the latest version of WordPress. Many hosting providers will automatically update your WordPress version. However, this is not always ideal since automatic updates can mess up your site. If you’d like to do your WordPress updates at your own pace, then you should hide your WordPress version. To hide your WordPress version, paste the following code on your functions.php file.

function remove_version() {
    // An empty string removes the version from the generator meta tag and feeds
    return '';
}
add_filter( 'the_generator', 'remove_version' );
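The generator filter removes the version from the meta tag and feeds, but core scripts and stylesheets still carry it as a ?ver= query string on every page. The snippet below is an added example, not code from the article: it extends the same idea to those URLs while leaving a plugin's or theme's own ver value alone so cache-busting keeps working. The wa_example_ function name is an assumption; the filter names are WordPress's own.

```php
<?php
/**
 * Example: strip the WordPress core version from enqueued asset URLs.
 * Added illustration, not code from the Wooassist article. Goes in functions.php or an mu-plugin.
 */

// Generator meta tag and feed <generator> elements (same effect as the article's remove_version()).
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core assets are enqueued with ver=<WordPress version> unless a plugin or theme
 * sets its own version. Only that core value is a fingerprint, so only that value
 * is removed; a plugin's own ver keeps doing its cache-busting job.
 */
function wa_example_strip_core_version( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $query = (string) parse_url( $src, PHP_URL_QUERY ); // '' when the URL has no query string
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'wa_example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'wa_example_strip_core_version', 9999 );
```

Hiding the version in these places only removes the easy fingerprints; the readme.html shipped in the WordPress root also states the version, and scanners can often infer it from file contents anyway, so this complements the updating the text insists on rather than replacing it.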

9. Do a Plugin Audit

A plugin audit is a process of reviewing the plugins installed on your site. You’ll want to look out for plugins that are no longer being updated by the developer. Outdated plugins usually become backdoors for hackers. When analyzing your plugins, you can categorize them in a number of ways.

  • Plugins that you want to keep.
  • Plugins that you or your customers don't use. If you have a plugin that adds a certain functionality to your site but your customers are not using it, you might as well get rid of it. It just adds extra bloat to your site.
  • Plugins that are no longer being updated by the plugin author. This is a major security threat and you should get rid of these immediately. If you still need the functionality that the plugin provides, just find an alternative plugin. Just make sure that the new plugin is being constantly updated.

You can do a plugin audit every few months to keep your site spiffy clean.

10. Install Only Reliable Plugins

You've done your plugin audit. Great! Now, don't go down the same road. Don't just install any plugin that you find. Look at the plugin rating. Check reviews. Check when the plugin was last updated. If the plugin fails any of those three checks, consider finding something else.

11. Prevent Directory Access

If you do not block directory access on your WordPress site, anyone may be able to list the files in your directories. These files may contain sensitive information that hackers can use to exploit vulnerabilities on your site. Disabling directory listing is a minor tweak: just place the following code in your .htaccess file (the dash before Indexes must be a plain ASCII hyphen; a typographic dash makes Apache reject the file and your site returns a 500 error):

# Prevent folder browsing
Options All -Indexes

If you’ve done all these things, your WooCommerce store will be protected from most known threats. Should you need help getting any of these done, you can contact the Wooassist team and we’ll be able to help you out.

Do you know of any other things that you can do to help keep your WooCommerce store more secure? Let us know in the comments.

Filed Under: Code Snippets, How-To Articles Tagged With: admin, brute force, hacker, optimizations, plugin audit, plugins, security, WooCommerce, WordPress, WordPress updates

Why Should You Keep WordPress Updated?

May 24, 2016 By John

WordPress is getting more popular as a platform for creating e-commerce stores. Because of this, WordPress sites have become attractive targets for hackers to try and break into. There are a few reasons why hackers do this but the main motive has always been for profit. In this article, we will discuss how hackers take advantage of a WordPress site with poor security. You’ll also learn what should be done before a site update and other means to keep your site safe.

How Does a Hacker Take Advantage of a Compromised WordPress Site?

A lot can be done with a hacked WordPress site; it is not just about getting sensitive information. Actually, getting sensitive information like credit card numbers is just a "bonus". It's not really your website that the hackers want. What they want more is the power of your server resources: computing power, disk space, and anonymity on the internet. So how can they use your server to their advantage? Here are some ways:

Bitcoin Mining

Bitcoin mining is the process of adding transaction records to Bitcoin's public ledger. A miner offers processing power to the Bitcoin network to validate transactions and receives a portion of the money being transacted as a processing fee. Mining is intentionally resource- and processing-intensive so that the number of blocks found each day by miners remains steady. This is where hackers take advantage: they use your server to mine for themselves, noticeably slowing down your site.

Distributed Denial of Service (DDoS)

This attack is an attempt to crash a server by flooding it with thousands of requests at once, denying service to other users. It is commonly used for cheating in online gaming and online gambling, and for taking down a site. Since a single PC cannot overwhelm a server with traffic, the likely scenario is that the attacker controls thousands of hacked servers and personal computers. All they need is a single PHP script saved on each site that they can activate at will.

Anonymous Attacks and Spam

Hackers can also use your server to attack or spam anyone anonymously. Since they are using your server for these malicious activities, the activity points to you rather than to them. They can churn out thousands of spam emails at your expense, and send viruses and malware through those emails to infect more PCs and aid their hacking.

Data Mining

Hackers can also just mine sensitive information like credit card numbers, passwords, emails and others.

Automated Hacking

Most attacks are automated and target small, insecure sites. This works much like a search engine using crawlers to index the web: the hacker's crawlers roam the web to find exploitable sites, and when a vulnerability is spotted, the hackers attack that vulnerable point. Attacks vary from brute force attacks to code injection on contact forms.

Importance of Updating WordPress for Security

The people behind WordPress are working hard to increase security against these attacks. This is what most of the minor updates are for. As the attacks get smarter, the security needs to upgrade as well. Fundamentally, there is no such thing as a perfectly secure system. So whenever WordPress developers see or hear about a possible vulnerability, they will try to fix it as fast as possible.

This is why WordPress updates are very important. By keeping your WordPress core updated, you are protecting yourself from the latest known vulnerabilities.

Things to Do Before Updating

Most of the time, updating WordPress is harmless. However, some major updates that involve the core code may break some plugins or theme files which in turn can break some layout or functionality on your site. That’s why it is important to follow a process before pushing through with an update to avoid breaking your site.

Create a Backup

Creating a backup is the best thing that you can do before pushing through with an update. Backups are your last line of defense in case something goes wrong. If you think it is a hassle, you can actually automate backup creation. There are even hosts that automatically do this for you. However, it is best to have your own backup and not depend on your host to make your backups for you.

Testing on a Staging Site

A staging site is an independent copy of your site. Most hosts offer an easy way to create one, but you can always set up your own. Staging sites are used to ensure that everything works perfectly before you present your site to your customers. This is very important, especially for e-commerce sites: you can lose your customers' trust if you let them experience downtime and bugs.

Other Things to Help You Secure Your Site

Aside from the updates, there are a lot of things you can do to harden the security of your site. Here are some examples:

Installing a WP Security Plugin

Like creating a backup, installing a WP security plugin is one of the best things you can do. The Sucuri Security plugin is highly recommended. Basically, Sucuri acts as a firewall for your site: it protects your website from hackers, malware, DDoS and blacklists. It receives all the traffic going to your site and filters it before passing it on to your host, which allows it to block attacks and send you only legitimate traffic. Because the filtering and blocking happen on Sucuri's servers, your own server is relieved of a lot of load. Sucuri has always been the top go-to plugin when it comes to security.

Password Protect Some Directories

Password protecting the /wp-admin directory adds another layer of security beyond the login page. This can be done manually or through cPanel. It is especially relevant on sites with many users accessing wp-admin, for example large news or blog sites that accept guest authors.

Disabling PHP Execution

Disabling PHP execution in certain directories protects you from backdoor file attacks. The attacker uploads a file disguised as a WordPress core PHP file into easily accessible directories like /wp-includes/ and /wp-content/uploads/. Preventing PHP execution in these directories reduces the risk of such a backdoor being run.

Changing the Prefix of Your Database

The default prefix of a WordPress database is "wp_". Every table in your database starts with it, so changing it makes it harder for automated attacks that assume the default table names.

Conclusion

Now that you’re more familiar with how hackers work, you can better equip your site to avoid being a victim. Backup your site and do not skimp on WordPress updates, even the minor ones. Remember that these updates will help you safeguard your WordPress site from the latest known security threats. Updates are one thing but you should also harden your site by implementing the strategies mentioned above.

When was the last time you updated WordPress? Do you have any other security tips you’d like to share? Let us know in the comments.

Filed Under: How-To Articles Tagged With: admin, backup, best practices, brute force, e-commerce, how-to, plugins, security, sucuri, website maintenance, WordPress
