Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Brute Force Attacks On Websites

            Modified on Tue, 22 Feb 2022 at 02:30 PM

            Brute Force Attacks

            What is a brute force attack?

            Brute forcing is when an attacker submits lots of password attempts in quick succession with the aim of guessing a password correctly and gaining access. This can be either random words or using “dictionaries” that contain passwords that are commonly used.

            It’s very common, and not typically a very effective type of attack, but the sheer number of these requests can sometimes contribute to load issues.

            Types of brute forcing

            It’s possible for brute forces to occur over any protocol that allows a login and is open over the internet, for example, WordPress sites, any other sites with an admin page, SSH, cPanel/Plesk, and FTP.

            WordPress

            WordPress is a common target of these attacks due to it’s popularity. On WordPress, there are two files that are typically targeted for brute forcing:

            • wp-login.php - The default WordPress login page

            • xmlrpc.php - A protocol used historically with WordPress to enable communication between WordPress and other systems. It’s enabled by default, but has largely been superseded by REST API, so in most cases it can be disabled without harm.

            WordPress have a great guide on how to mitigate these attacks specifically for this platform.

            How to spot a brute force attack

            A brute force attack will leave behind lots of log entries of failed attempts. For example, with xmlrpc.php as mentioned above, in the web server access logs you’ll see a large number of requests such as the below:

            X.X.X.X - - [25/Jul/2021:01:48:21 +0100] "POST //xmlrpc.php HTTP/1.1" 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"

            Alternatively, in the server authorisation logs (/var/log/secure or /var/log/auth.log), you may see lots of entries such as:

            Jul 28 18:48:22 78 sshd[19900]: Failed password for root from X.X.X.X port 47894 ssh2

            Both of the above indicate that login attempts are being made, so if there are high quantities it’s likely this is brute forcing.

            Protecting against attacks

            You can block the IP addresses sending these requests, but this isn’t an effective solution in the long-term as the requests are usually automated and will originate from various different IPs.

            We recommend:

            • Using strong and unique passwords for accounts

            • Security plugin such as Wordfence

            • For server-level services such as SSH and FTP, we’d recommend locking down the ports in your firewall so that only you can access them. This removes the attack vector entirely as they can no longer attempt to login.

            • For WordPress or site-level attacks, we’d recommend locking down wp-login to select IPs, and disabling xmlrpc.php:

            Apache:

            <Files xmlrpc.php>
  Order Allow,Deny
  Deny from all
</Files>

            NGINX:

            location ~* ^/xmlrpc.php$ {
  return 403;
}

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select atleast one of the reasons

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0