If you own a website, a brute force attack is the stuff of nightmares. Even the name sounds terrifying.
To make matters worse, misinformation can make attacks seem almost inevitable. You might start to feel like once a hacker has you in his sights, you may as well blow up your website yourself to save him the trouble.
That, of course, isn’t true.
Brute force attacks are dangerous, but there are steps you can take to secure your website.
What is a brute force attack?
A brute force attack is a hacking method wherein a hacker guesses possible combinations of usernames and passwords until the correct combination is discovered.
It’s the simplest and least subtle of all hacking methods. This method operates on the principle that if you try to guess a password enough times, you’re bound to be right eventually.
You might be wondering where hackers find the time to sit around just guessing passwords. The truth is that they don’t.
Hackers have developed software that makes the guesses for them, trying one combination after another, usually drawn from lists of common usernames and passwords, until one works. Hackers don’t have the time to guess passwords for hours on end. But the software has nothing but time.
Why are brute force attacks so terrible?
As you might imagine, most brute force attacks are designed to gain access to sensitive information. This can be your most closely guarded company secrets, or your customers’ credit card information.
Even if, by some miracle, a hacker doesn’t gain access to anything too sensitive, the attack itself can cause website availability issues because of the sheer load on the server’s resources.
Now that you know what brute force attacks are, here’s how you prevent them.
Ten ways to prevent a brute force attack:
-
Get secure web hosting
Your web hosting company will be your first line of defence against opportunistic hackers.
You can rarely go wrong if you choose one of the more secure hosting methods, such as dedicated hosting and VPS hosting. But even if you choose shared hosting (the most affordable hosting option), you can rest easy as long as you’ve chosen a responsible web host with well-maintained servers.
-
Use strong passwords
After your web host, your password is your best hope against hackers, and it should be treated as such. The weaker your password, the easier it is to guess, and the more susceptible your website will be to brute force attacks.
A strong password is long (at least 8 characters, but feel free to go up to even 16); it’s random, or at least seemingly random; and it contains a solid mix of uppercase and lowercase letters, as well as numbers and special characters. A long, complex password is one of the best ways to slow down the hacking process.
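As an added example (not code from the original article), the check below applies the article's own criteria, a minimum of 8 characters and a mix of character classes, and also estimates the size of the space a guessing program would have to search. The common-password set is a constructed stand-in for the large breached-password list a real deployment would use.

```python
import math
import string

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin123", "letmein"}

MIN_LENGTH = 8           # the article's minimum
RECOMMENDED_LENGTH = 16  # the article's "feel free to go up to"

# Approximate alphabet size of each class on a US keyboard.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def char_classes(password: str) -> set:
    """Return the set of character classes that actually appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def search_space_bits(password: str) -> float:
    """Upper bound on the brute-force search space, in bits.

    The alphabet is the sum of the classes actually used, so every extra
    character multiplies the space by the alphabet size, which is why length
    matters more than any single special character.
    """
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str) -> list:
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASS_SIZES) - char_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Short1!", "Tr0ub4dor&3", "a" * RECOMMENDED_LENGTH):
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate)}")
```

Run it to see that a 16-character all-lowercase password has a larger search space than an 8-character one using every class, which is the point of preferring length; the class-mix rule still catches the common single-class passwords guessing lists are built from.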
-
Use complex admin usernames
A website that requires a username and password is on its way to being secure. But it’s not enough for you to require just any old username.
You need strong usernames.
Where most website owners fall down is in choosing usernames for admins. Everybody else gets a unique, complex username that would take hundreds of thousands of hours to guess. But the admin is called … “Admin”.
This simply will not do.
You see, most brute force attack software works a bit like this:
STEP ONE: Try a common username. (For example, “Admin”.)
STEP TWO: Guess passwords until one works.
When you choose a username that’s that obvious, you speed up the hacking process. So, do your website a favour and put some effort into your username-creation process – especially for your admins.
-
Install an SSL certificate
An SSL certificate encrypts communication between browsers and web servers, so usernames and passwords sent to your login page can’t be read in transit. This makes it a useful tool in the fight against hackers. The more information a hacker has about the inner workings of your company and your website, the easier you are to hack. So, throw in a bit of difficulty by installing an SSL certificate.
-
Limit login attempts
This makes sense, right? Brute force attacks work by having lots of login attempts one after the other, so if you want to make an attack less effective, you lock out users who’ve entered the wrong account information too many times.
For example, if a website records four failed login attempts from the same address, it blocks that IP address for a certain amount of time.
Word of warning: implementing a complete account lockout could make your server more susceptible to denial-of-service attacks, because anyone can lock an account simply by entering wrong passwords for it. You’ll also put your admins in the annoying position of having to continually unlock accounts. But if you add a progressive delay that locks out users for, let’s say, fifteen minutes after a number of unsuccessful login attempts, you minimise the discomfort of legitimate users while also protecting your website from hackers.
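The throttle below is an added example, not code from the article. It implements the progressive delay the article recommends with the article's own numbers (four failures, fifteen minutes) and addresses the warning above: the lockout is keyed on the client address together with the username rather than on the account alone, it is a growing delay rather than a permanent lock, and the throttle is consulted before the password is ever checked. The `verify` callable and the injectable clock are assumptions for the example.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 4                 # the article's example threshold
BASE_LOCKOUT_SECONDS = 15 * 60   # fifteen minutes, as in the article
MAX_LOCKOUT_SECONDS = 24 * 3600  # cap so the delay cannot grow without bound


@dataclass
class _Record:
    failures: int = 0        # failures since the last lockout (or success)
    lockouts: int = 0        # how many lockouts this key has earned
    locked_until: float = 0  # unix time at which the current lockout ends


class LoginThrottle:
    """Progressive per-(client, username) lockout. The clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}

    def _rec(self, key) -> _Record:
        return self._records.setdefault(key, _Record())

    def seconds_until_allowed(self, key) -> float:
        return max(0.0, self._rec(key).locked_until - self._clock())

    def is_allowed(self, key) -> bool:
        return self.seconds_until_allowed(key) == 0.0

    def record_failure(self, key) -> float:
        """Count a failure; return the lockout applied in seconds (0 if none yet)."""
        rec = self._rec(key)
        rec.failures += 1
        if rec.failures < MAX_FAILURES:
            return 0.0
        rec.lockouts += 1
        # Progressive delay: 15 min, then 30, then 60, ... up to the cap.
        delay = min(BASE_LOCKOUT_SECONDS * 2 ** (rec.lockouts - 1), MAX_LOCKOUT_SECONDS)
        rec.locked_until = self._clock() + delay
        rec.failures = 0
        return float(delay)

    def record_success(self, key) -> None:
        self._records.pop(key, None)


def attempt_login(throttle: LoginThrottle, client_ip: str, username: str,
                  password: str, verify) -> str:
    """Throttle first, credentials second. `verify(username, password) -> bool`
    is the application's own credential check (an assumption of this example).
    Keying on (client_ip, username) means one attacker cannot lock out a user
    who is logging in from somewhere else."""
    key = (client_ip, username.lower())
    if not throttle.is_allowed(key):
        return "locked"          # do not even look at the password while locked
    if verify(username, password):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "invalid"


if __name__ == "__main__":
    # Constructed demo: a fixed clock and a toy verifier.
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    verify = lambda u, p: p == "correct horse battery staple"
    for guess in ("admin", "password", "123456", "letmein"):
        print(attempt_login(throttle, "203.0.113.5", "admin", guess, verify))
    print(attempt_login(throttle, "203.0.113.5", "admin", "correct horse battery staple", verify))
    print("retry after", throttle.seconds_until_allowed(("203.0.113.5", "admin")), "s")
```

The in-memory dictionary is enough to show the logic; behind a load balancer you would keep the records in a shared store so that every web node sees the same counters.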
-
Create unique login URLs
Creating unique login URLs for different user groups won’t completely stop a brute force attack, but adding that extra step will make things more challenging for hackers looking for easy prey.
-
Use Two Factor Authentication
Two Factor Authentication means that before granting access, your website will require two pieces of evidence that the person entering the login information is, in fact, authorised to do so.
A website that uses Two Factor Authentication won’t grant you access only when you enter your username and password. You’ll need to do something else. For example, you may also need to enter a login code that’s been sent to your phone.
This staves off brute force attacks, because even if a hacker manages to get hold of your username and password, it’s unlikely that the hacker will also have access to your smartphone or your email address.
-
Use Captcha
Captchas prevent bots from running the kinds of automated scripts that are commonly found in a brute force attack. It’s for good reason that you’ve been seeing Captchas on just about every website you visit. Captchas are great at incapacitating hacking bots.
-
Restrict IP addresses
If it’s at all possible for you to allow access only from a certain number of predetermined IP addresses, hackers will need to work a lot harder to get into your system.
When you do this, not only will you be able to prevent access to the login page from unauthorised IP addresses, but you’ll also be able to block IP addresses that are known to be a threat.
Again, this isn’t possible for all websites, so think carefully before you use it. But if it’s feasible for your website, it’s definitely an effective way to prevent an attack.
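The check below is an added example, not code from the article, showing how a login route can be restricted to an allowlist of networks and also reject a blocklist, as the section describes. The network ranges are constructed placeholders for your own office or VPN ranges. It also shows the one detail that most often breaks such a check in practice: the client address must be taken from the connection itself, and a forwarded-for header may only be trusted when the connection comes from your own reverse proxy.

```python
import ipaddress

# Constructed example ranges; replace with your own office/VPN networks.
ALLOW_LOGIN_FROM = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
BLOCKED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your own load balancer


def client_address(peer_ip: str, forwarded_for: str = None,
                   trusted_proxies=TRUSTED_PROXIES) -> str:
    """Return the address to apply the rules to.

    The header is honoured only when the TCP peer is one of our proxies, and
    then only its last entry, which is the one our proxy appended; anything
    earlier was supplied by the client and can be forged."""
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in net for net in trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return peer_ip


def login_access(client_ip: str, allow=ALLOW_LOGIN_FROM, block=BLOCKED) -> str:
    """Decide whether the login page may be served. Returns 'allow' or a 'deny:<reason>'."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny:unparsable"      # never let a malformed value fall through to 'allow'
    if any(addr in net for net in block):
        return "deny:blocklisted"
    if allow and not any(addr in net for net in allow):
        return "deny:not-allowlisted"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header value)
    for peer, xff in (("203.0.113.9", None),
                      ("8.8.8.8", "203.0.113.9"),                  # spoofed header, untrusted peer
                      ("10.0.0.1", "198.51.100.7, 203.0.113.9"),   # via our proxy
                      ("192.0.2.5", None)):
        ip = client_address(peer, xff)
        print(peer, xff, "->", ip, login_access(ip))
```

Mixed IPv4/IPv6 input is safe here because `ipaddress` treats an address of one family as not contained in a network of the other, so an IPv6 client is simply denied by the allowlist unless you add an IPv6 range.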
-
Back up your website
Backing up your website is your last line of defence. It’s not exactly a way to prevent hacking, but it helps you make sure that if the worst does happen and you find yourself the victim of a malicious attack on your website, you don’t completely lose your website.
Wrapping up
Brute force attacks are terrifying and can feel inevitable when you’re a new website owner. But you can generally prevent brute force attacks, because hackers prefer easy prey.
If you take these steps to protect your website, an opportunistic hacker will likely move on to an easier target.