Secure Your WordPress Site Against Brute Force Attacks
On the go? Have Polly read to you.
WordPress Password Security
There are currently over 1 billion websites on the world wide web. Of these websites, many are built on content management systems, or CMS’. In fact, almost half of the websites online are powered by four key content management systems: WordPress, Joomla, Drupal, and Magneto. WordPress is the most popular CMS; it boasts 27% of the web’s sites.
Content Management Systems are flawed. What you get in leveraged time and easier maintenance you often loose in out-of-the-box speed and security. The 4 CMS’ listed above use PHP and mySQL as their database system. This means they’re built in a way that makes them more susceptible to certain cyber attacks.
This post is written for the website manager who wants to both understand and protect their site against password attacks.
Wordfence is a security company that offers both free and paid services. Google’s Recaptcha plugin prohibits automated login attempts by adding a qualifying question to our login page that must be submitted with the login attempt.
Option 1: Download from WP’s plugin library
From the WordPress dashboard:
Plugins > Add New
Search for and download the plugins above
Option 2: Download the zip files
From the WordPress dashboard:
Plugins > Add New
Click “Upload Plugin”
Upload the zip file
Repeat for Wordfence and Google’s Recaptcha,
A password attack occurs when an attacker tells his computer to guess username and password combinations until it finds the correct set. He can either feed his computer millions of passwords to try out- a “dictionary attack”- or have the program to execute all possible username/password combinations available- a “brute force attack”.
Both of these password attacks function the same way. The hacker takes usernames and passwords (or just the password if he has the username) and iterates through combinations until the correct one is found. The only difference is the dictionary attack tries the username/password combinations the hacker gives it, whereas the brute force executes each every possible password option available.
The Anatomy of a Brute Force Attack
When a password is created, it is converted into a hash and stored into a database. When a subsequent login attempt is made, the submitted password is also converted into a hash and checked against the correct password hash in the database.
The speed an attacker will find your password during a brute force depends on 3 different things:
Password length (The number of characters the password consists of)
Character set (The number of letters/numbers/symbols that can fill each slot)
The speed of the computer processing the attack aka how many hashes the subject device can check per second
A machine with 8 cores and 2.75 GHz can check a hash every .00017 milliseconds. Thats every 1.7 ten-thousandths of a millisecond (0.00017 * 10^-6). This is to say a computer with this capacity, hashing with the SHA215 algorithm, can check 585,335 hashes (passwords) every second.
That’s a lot of computations in a short span of time, and at first hear it sounds proficient. But how many password options will the attacker’s computer have to check?
The Importance of Password Complexity
The number of possible passwords a computer will have to check is equal to the number of possible characters in each slot raised to the power of the password’s length.
Let’s assume an attacker wanted to crack a pin code. The character set would consist of 10 options- 1234567890. Depending on the bank, most pin codes vary between 4-9 digits. For a 9 digit pin code (password length) using this 10 digit character set, there are 10^9 (1,000,000,000) possible passwords. Thus, it will take our example machine (1.7*10^-6 * 10^9) seconds, or 14.17 minutes, to break this password on average.
If a password consisted of lowercase letters and had a maximum length of 8 characters, there would be 26^8 possible passwords.
With uppercase letters, lowercase letters, and numbers, we have 62 character options (26 uppercase letters + 26 lowercase + 10 numbers). Symbol sets vary in length but the most common set includes 18 symbols; when added to the letters and numbers we now have 80 possible characters.
WordPress’ passwords can be up to 20 characters long. If someone used all 20 characters, there would be 80^20 possible options. Being a bit more realistic, lets say you scrambled a 9 character password in a password generator, like “$ZcGUv]8.” It would take (1.7*10^-6 * 80^8) seconds, or 45.2 years, for the the example computer to crack the password.
So…make long and complicated passwords. You can see it (literally) becomes exponentially more difficult to brute force a password as each additional character is added.
Dictionary attacks involve feeding the program a “dictionary,” or text file of passwords to check. Below are examples of dictionary attacks being executed in Kali Linux using WPscan and Hydra, two popular network security tools.
The term CAPTCHA stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. It was coined in 2000 by Luis von Ahn and John Langford of Carnegie Mellon University. CAPTCHA is sounded out like a normal word (Kahp-Chah), not spelled out despite the fact that it’s an acronym.
You’ve seen them before, they’re responsible for a good amount of your frustration online:
Does the “sign” include the post or is it just the sign portion? Like 1/5 of the sign extends into the center box does that count? How many more of these damn things are there?
I hate them too. But they do serve a purpose, and I bet you can guess what that is.
Think about it practically. A brute forcing program rapidly executes millions of possible login attempts. A captcha requires a user to solve a question requiring nuanced identification tests with random test questions at each login request.
From the WordPress dashboard, hover your mouse over the Wordfence security menu item located in the left hand column.
This will display the Wordfence menu. Select the firewall option, which will display the following tabs: Web Application Firewall, Brute Force Protection, and Rate Limiting.
Select the Brute Force Protection Tab and the Rate Limiting tab and configure your settings to the following:
Google’s Recaptcha is the hardest captcha to circumvent programatically. As of this writing, it hasn’t been reliably beaten. With the captcha alone you’re securing your website from password attacks. But if you don’t want to go through the strain of doing it at each login, or you want the extra security, the settings above throttle the attacker off after a number of failed login attempts and prohibit them from trying again.