You may not know it but your website is more than likely suffering from brute force attacks every day.
Sneaky little bots are clambering to find out your login details by trying multiple usernames and passwords.
And they won’t stop so you need to arm yourself as best you can.
Thankfully there are resources you can use to prevent those bots from getting through.
Here are three I use as part of my arsenal of weaponry against them.
I recently noticed a drop in the number of bots trying to find my login details.
It was only after I heard about SiteGround’s new anti-bot AI that I realised why.
They launched their new bot prevention system at the beginning of May.
It collects and analyses data across all their servers simultaneously and then automatically puts measures in place to stop unwanted bots.
The AI monitors several indicators to detect malicious behaviour patterns, block bad traffic and prevent brute force attacks.
- Failed login attempts in the majority of popular web applications – WordPress, Drupal, Joomla, Magento, etc.
- Number of simultaneous connections to different URLs
- Different request types and known DDoS vulnerabilities in applications
- Dynamic list of bad user agents that’s constantly updated
Challenge Captcha Page
As soon as SiteGround identify an IP address or user agent as malicious, they block and challenge them with a Captcha page.
The anti-bot AI is learning continuously, including how to minimise false positives.
Should a human visitor ever reach the Captcha page and solve it, the anti-bot AI whitelists them.
Some of the more sophisticated Cloudflare security options aren’t available with the free account. One option that is though is Security Level.
Cloudflare uses the IP reputation of a visitor to decide whether to present a challenge page to them.
Each visitor is given a reputation score out of 100 calculated using an internal algorithm.
You can choose various security levels and they determine when the IP firewall will kick in.
As well as that you can also specify the length of time before a visitor is shown the challenge page again.
Another way to prevent brute force attacks is to use Cloudflare’s rate limiting feature.
It allows you to identify visitors who may have malicious intentions and to limit their access to your site.
Rate limiting can come in handy if you’re under a DDoS attack and your Security Level settings haven’t stopped it.
You can also use it to protect login forms from brute force password-guessing attacks.
The rate limiting feature is available on all of Cloudflare’s plans and is billed based on usage.
Wordfence can also provide assistance in blocking brute force attacks.
The WordPress plugin prevents them by:
- locking out users after too many login attempts;
- locking out users who submitted the “forgot password” too many times;
- optionally locking out anyone using an invalid username; and,
- preventing WordPress from providing hackers with username information.
You can also take advantage of two factor authentication with Wordfence Premium.
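As an added example that is not Wordfence’s own code, here is a small Python model of the lockout rules in that list: a sliding window of failed logins and “forgot password” submissions per IP, the optional invalid-username rule, and a single generic error message so the login response does not reveal which usernames exist. The thresholds, window length and the KNOWN_USERS table are assumed values chosen for the example.

```python
from collections import defaultdict, deque

# Policy thresholds are assumed example values, not the plugin's defaults.
MAX_FAILED_LOGINS = 5             # failed logins allowed per IP inside the window
MAX_FORGOT_PASSWORD = 3           # "forgot password" posts allowed per IP inside the window
WINDOW_SECONDS = 300              # sliding window the counts are taken over
LOCKOUT_SECONDS = 900             # how long a lockout lasts
LOCK_ON_INVALID_USERNAME = True   # the optional rule: an unknown username locks out at once
KNOWN_USERS = {"alice", "editor"}  # constructed sample user table
# One reply for both a bad username and a bad password, so the response
# cannot be used to confirm which usernames exist.
GENERIC_ERROR = "Invalid username or password."


class LoginGuard:
    def __init__(self):
        self.events = defaultdict(deque)  # (ip, kind) -> timestamps in window
        self.locked_until = {}            # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def _count(self, ip, kind, now):
        """Record one event and return how many of that kind fall in the window."""
        q = self.events[(ip, kind)]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q)

    def _lock(self, ip, now):
        self.locked_until[ip] = now + LOCKOUT_SECONDS

    def login_failed(self, ip, username, now):
        """Record a failed login; return (locked_now, message shown to the client)."""
        if not self.is_locked(ip, now):
            if LOCK_ON_INVALID_USERNAME and username not in KNOWN_USERS:
                self._lock(ip, now)
            elif self._count(ip, "login", now) >= MAX_FAILED_LOGINS:
                self._lock(ip, now)
        return self.is_locked(ip, now), GENERIC_ERROR

    def forgot_password(self, ip, now):
        """Record a forgot-password submission; return True if the IP is locked."""
        if not self.is_locked(ip, now) and \
                self._count(ip, "forgot", now) >= MAX_FORGOT_PASSWORD:
            self._lock(ip, now)
        return self.is_locked(ip, now)
```

Timestamps are plain seconds so the window logic can be checked by hand; in a real plugin they would come from the request clock and the state would live in persistent storage shared across workers.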
Fitting This All Together
Cloudflare is the first line of defence and the initial challenge any malicious visitor comes up against.
That’s because any traffic passes through the Cloudflare network first.
After that SiteGround’s anti-bot AI kicks in and is the next line of defence.
Anybody who gets through Cloudflare’s network will then be checked by SiteGround.
As a result, if the anti-bot sees anything it doesn’t like, that visitor will see SiteGround’s captcha page.
The final line of defence is Wordfence and its ability to lock out users who demonstrate suspicious activity.
Hopefully that’s enough to put a dent in any brute force attacks that may come your way.
How Do You Deal With Brute Force Attacks?
What’s your strategy when it comes to your website’s security?
Do you use any of the resources I’ve mentioned? What do you think of them?
Please let me know in the comments section below.