How to Defend Your Site Against a Brute Force Attack

Brute Force AttackBy now many of you have heard about the brute force attack being used to create a giant botnet from Hell.  Most news stories are focusing on WordPress sites, but any PHP-based web publishing platform is susceptible,  including Joomla and Drupal.

Highlights of What You Need to Know:

  • This is not a WordPress specific attack
  • A strong password and username are your first line of defense.  Do not use “admin” as your username. Ensure all usernames and passwords are alphanumeric and complex enough and can’t easily be guessed (upper and lower case, numbers, symbols, no word found in a dictionary at least 10 characters).  I recommend using a random password generator.
  • Do not share your username and password with anyone.
  • When accessing your accounts over a public network or computer be PARANOID.  In these settings, do not access accounts with sensitive information like your website admin, bank accounts, credit cards, etc. unless you are using a strong password management tool with two-way encryption.  Even then, I don’t login to sensitive accounts on public network unless necessary.
  • Use a password management program.  Gone are the days when you can combine your pet’s name and date of birth for ALL your login accounts.  You aren’t still doing that are you?  Many people have dozens if not hundreds of online accounts these days.  You should not use the same password across sites.  If one site is compromised it can open the doors to all the others. I recommend LastPass, but there are other programs available like 1Password.  Do your research and choose a program with a good reputation.
  • Change your passwords regularly.  Implement a schedule to change the passwords on your most sensitive accounts on a regular basis, at least once per year but every 6 months would be better.
  • If your site or blog is hosted on WordPress.com your site is secure, but your password may not be.  Consider changing your password and using two-step authentication.
  • This article on the WordPress Codex gives more tips for protecting your WordPress site against a Brut Force attack.  It includes a list of plugins that can limit the number of login attempts