Protecting your website against Brute Force Attacks
Using the intermediate and advanced features in AIOS
Some of the intermediate and advanced features can break your site if they conflict with another plugin or theme on your site. Some of them may also fail to work correctly if your hosting provider’s configuration does not support them.
So a good strategy is to start by enabling just some of the basic security features in the plugin. Then use the security plugin for a few weeks to see how it behaves on your site. Once you feel more comfortable with the plugin, you can start to think about using the intermediate or advanced features.
It is very important to backup your WordPress site before you activate an intermediate or advanced feature.
If you have activated a feature and something went wrong, deactivate the plugin and then reset your .htaccess file to get your site back to a sane state. Using a WordPress backup plugin is a great way to protect your website if something goes wrong and you need to restore it.
How to implement CAPTCHA on your WordPress login page
WordPress is vulnerable to Brute Force attacks, in which the attacker keeps guessing the password for a WordPress account, assuming that they already know the username. This can be done manually or with a script.
A would-be hacker, in most cases, simply needs to know the login URL, username and password to gain access to a given website’s admin area or Control Panel. While guessing all three accurately might seem impossible, in the majority of cases two of them are handed over on a silver platter.
A default installation of WordPress uses /wp-login.php as the login page. That’s one down. Next, most users will leave the default username of “admin” when setting up WordPress. That’s two down. Now a hacker just needs to guess the password.
During a Brute Force attack, an automated system tests combination after combination of letters and sometimes numbers to “guess” the password until it succeeds. There are many very simple things that can be done to thwart this practice.
‘Login CAPTCHA’ is just one feature that our WordPress security plugin utilizes as a “Brute Force” prevention technique.
Essentially, it presents a mathematical question that the user must answer before gaining access to the WordPress Dashboard. The CAPTCHA must be answered correctly, along with the proper username and password, in order to gain access.
Therefore, even if the login URL is known, the “admin” username is used, and a dictionary-based (i.e. weak) password is in effect, the odds of a successful Brute Force attack by a non-human diminish significantly.
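To show what a login CAPTCHA of this kind has to get right on the server side, here is an added example (not AIOS plugin code) of a small must-use plugin that puts a math question on wp-login.php. The `demo_*` names and the token format are assumptions made here; `login_form`, `wp_authenticate_user`, `wp_salt` and `esc_attr` are real WordPress APIs.

```php
<?php
// Added example, not AIOS code: a stateless math CAPTCHA for wp-login.php.
// Drop it in wp-content/mu-plugins/ to try it. All demo_* names are invented here;
// login_form, wp_authenticate_user, wp_salt and esc_attr are real WordPress APIs.
const DEMO_CAPTCHA_TTL = 300; // seconds a question stays answerable

// Bind the expected answer to an expiry with an HMAC keyed by the site's auth salt,
// so the browser only ever sees the question and an opaque token, never the answer.
function demo_captcha_token(int $answer, int $expires): string {
    return $expires . '.' . hash_hmac('sha256', $answer . '|' . $expires, wp_salt('auth'));
}

// Verify a submitted answer against its token: expiry enforced, constant-time compare.
function demo_captcha_verify(string $token, string $given, ?int $now = null): bool {
    $now ??= time();
    if (!preg_match('/^(\d{1,12})\.([a-f0-9]{64})$/', $token, $m)) return false;
    $expires = (int) $m[1];
    if ($expires < $now) return false;                          // question has expired
    if (!preg_match('/^\d{1,3}$/', trim($given))) return false; // answers are small ints
    return hash_equals(demo_captcha_token((int) trim($given), $expires), $token);
}

// Show the question and the hidden token on the login form.
add_action('login_form', function () {
    $a = random_int(1, 20);
    $b = random_int(1, 20);
    $token = demo_captcha_token($a + $b, time() + DEMO_CAPTCHA_TTL);
    printf('<p><label>What is %d + %d? <input type="text" name="demo_captcha_answer" required></label></p>', $a, $b);
    printf('<input type="hidden" name="demo_captcha_token" value="%s">', esc_attr($token));
});

// Refuse the login when the CAPTCHA fails, before the password is checked, so a
// password guessed by a script still does not get in without a solved CAPTCHA.
// Note: wp_authenticate_user also runs for XML-RPC username/password logins.
add_filter('wp_authenticate_user', function ($user) {
    $token = (string) ($_POST['demo_captcha_token'] ?? '');
    $given = (string) ($_POST['demo_captcha_answer'] ?? '');
    if (!demo_captcha_verify($token, $given)) {
        return new WP_Error('demo_captcha', 'Incorrect or expired CAPTCHA answer.');
    }
    return $user;
});
// Limitation of the stateless design: a solved token can be reused until it expires;
// record used tokens with set_transient() if single-use answers are required.
```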
Steps for Adding CAPTCHA to the WordPress Login Page
- Install and activate the All-In-One WP Security & Firewall plugin.
- In the WP Security menu choose Brute Force.
- From the tabs across the top, choose Login Captcha.
- Put a checkmark next to where it says Enable Captcha On Login Page.
- Click the Save Settings button.
Now logout and log back in to test this security feature.
How to use cookie-based brute force login attack prevention feature
A Brute Force Login Attack is one way in which a hacker tries to gain entry: the attacker keeps guessing the password for a WordPress account, assuming that they already know the username. This can be done manually or with a script.
The ‘Cookie-Based Brute Force Login Prevention’ feature is a Firewall feature that involves user accounts. It is considered “Intermediate” and adds another 20 points to the Security Strength Meter.
While repeated failed attempts at guessing a WordPress username and password combination can get an IP Address locked out, they also consume valuable server resources. When many attempts arrive concurrently (from malicious automated robots), this has a negative impact on the server’s memory and performance.
Basically, the feature hides the default WordPress login page from the public. If attackers cannot reach the login page, they cannot log in.
The way it works essentially is: you specify a “secret word” to the plugin, which creates a special URL. The special (secret) URL, when visited, deposits a cookie on the computer which, when present, allows that individual to visit the WordPress login page as usual. Without knowledge of the special URL (i.e. without the cookie), the user will be redirected to a different IP Address or URL that you configure. This could be any site on the web, but the default is http://127.0.0.1, which represents the local machine of the website visitor.
Don’t worry: if there are password protected posts or pages on the site, there is a provision in place that lets visitors who need that content reach it without knowing the special URL. Turning this on, however, could provide a new back door to the login page for those who know the location of these pages (most often this will not be hackers, though). Nonetheless, only turn on this option when necessary.
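The mechanism just described, written out as an added example rather than the plugin’s own code: a must-use plugin that grants a cookie when the secret URL is visited, lets the login page load when the cookie is valid, and redirects everyone else. The `DEMO_*` names, the `?secretword` URL form and the cookie name are assumptions made here; `login_init`, `wp_salt`, `wp_login_url`, `wp_safe_redirect`, `wp_redirect` and `is_ssl` are real WordPress APIs.

```php
<?php
// Added example, not AIOS code: cookie-based hiding of wp-login.php as a mu-plugin.
// DEMO_* names and the ?secretword URL form are assumptions; login_init, wp_salt,
// wp_login_url, wp_safe_redirect, wp_redirect and is_ssl are real WordPress APIs.
const DEMO_SECRET_WORD    = 'replace-me';       // placeholder; letters/digits/hyphens only
const DEMO_COOKIE         = 'demo_login_access';
const DEMO_REDIRECT       = 'http://127.0.0.1'; // default redirect target from the text
const DEMO_ALLOW_POSTPASS = false;              // "My site has password protected posts"

// The cookie carries an HMAC of the secret word keyed by the site's auth salt,
// so the secret word itself is never stored in the visitor's browser.
function demo_cookie_value(): string {
    return hash_hmac('sha256', DEMO_SECRET_WORD, wp_salt('auth'));
}

// Pure decision function, so the rule can be unit-tested without HTTP:
//   'grant'    -> the secret URL (wp-login.php?replace-me) was visited: set the cookie
//   'allow'    -> the cookie is present and valid: show the normal login page
//   'redirect' -> anyone else is sent away, as the feature describes
function demo_login_decision(array $get, array $cookie): string {
    if (array_key_exists(DEMO_SECRET_WORD, $get)) return 'grant';
    if (hash_equals(demo_cookie_value(), (string) ($cookie[DEMO_COOKIE] ?? ''))) return 'allow';
    // Password-protected post forms submit to wp-login.php?action=postpass; letting
    // that request through is the "back door" trade-off the text warns about.
    if (DEMO_ALLOW_POSTPASS && ($get['action'] ?? '') === 'postpass') return 'allow';
    return 'redirect';
}

add_action('login_init', function () {
    switch (demo_login_decision($_GET, $_COOKIE)) {
        case 'grant':
            setcookie(DEMO_COOKIE, demo_cookie_value(), [
                'expires'  => time() + 3600, 'path' => '/', 'secure' => is_ssl(),
                'httponly' => true, 'samesite' => 'Lax',
            ]);
            wp_safe_redirect(wp_login_url()); // reload without the secret in the URL
            exit;
        case 'allow':
            return;
        default:
            wp_redirect(DEMO_REDIRECT);       // external target, so not wp_safe_redirect
            exit;
    }
});
```

The cookie is a shared secret for hiding the page, not a substitute for account passwords or the lockout rules; keep those enabled alongside it.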
How to set up the Cookie based Brute Force Login Attack Feature
Below are the quick steps for implementing the cookie based brute force login attack prevention feature for WordPress.
- Firstly, install the WordPress security plugin, AIOS.
- Go to WP Security >> Firewall >> Brute Force Prevention once the plugin is installed and activated.
- Scroll to the bottom of the page to do a quick cookie test to make certain that this feature will in fact work for you on the machine that you are using. Click the Perform Cookie Test button.
- Next, put a check-mark in the box to Enable Brute Force Attack Prevention.
- Create a Secret Word, which will be used for the secret URL, which in turn creates the cookie that authorizes access to the WordPress login URL when visited.
- You are probably done at this point and you can save your changes. Optionally modify the Re-direct URL if you want to be clever. And if your site does in fact have password protected posts or pages, check the option for My Site Has Posts Or Pages Which Are Password Protected.
What if Something Goes Wrong When I Use this Feature?
For AIOS version 5.1.6 or greater, edit your wp-config.php file and add:
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
Before the line:
/* That’s all, stop editing! Happy publishing. */
For older versions (5.1.5 or less), navigate to wp-content\uploads\aios\firewall-rules\settings.php in your WordPress installation and modify the following line:
aios_enable_brute_force_attack_prevention:"1"
Remove the digit 1, leaving empty quotes like so:
aios_enable_brute_force_attack_prevention:""
Once disabled, log back into your WordPress site and change the setting that you identified above that is causing you to be locked out.