5 Ways to Block Brute Force Attacks

How to Prevent Brute Force Attacks


Editor note: This article was originally published on 05/02/2019 as "Brute Force Login Attacks. How to Block the Bad Bots". https://brianalawayconsulting.com/brute-force-login-attacks-blocking-bad-bots/
It's been republished on 08/08/2022 as "5 Ways to Block Brute Force Attacks" to reflect updates, changes, and additional information. https://brianalawayconsulting.com/5-ways-block-brute-force-attacks/

What is a brute force login attack?

A brute force attack typically involves automated software (bots) making repeated attempts to access their target. In the case of brute force login attacks against a WordPress website, this is usually against the wp-login.php page.
 
The bots repeatedly try different combinations of user names (i.e. admin, administrator, etc.) and passwords in an attempt to login to your website.
 
If successful, they can (depending on the permissions granted to the compromised user account), install malware, a keylogger (to capture keyboard strokes), or even ransomware.
 
In the last week, I've successfully dealt with brute force login attempts against two different websites.
 
Now if you run WordPress on your site, you might think, no big deal, I have a plugin installed (e.g. Wordfence, iThemes, etc.) so nothing to worry about. WRONG.
 
You might also think, I've got premium hosting support, so I'm protected. NOPE.
 
Both client sites had a security plugin, premium support, and more, i.e. WAF (web application firewall) and a reverse proxy (Cloudflare). 
 
Now to be sure, the above security measures DID perform as they should and helped to mitigate the effects of the attacks.
 

But here's the problem.

Even if brute force attempts against your login are effectively blocked, they can still suck the life out of your server's processor and/or bandwidth.
 
And this can result in legitimate accounts being locked out, site access slowing to a crawl, bandwidth limits being exceeded (more about this below), and potentially other annoying or profit-damaging effects.
 

How to protect your website from brute force login attacks.

First the bad news. It's simply impossible to prevent any public-facing website from ever experiencing these brute force attacks.
 
Blocking these attempts is not too difficult if your site is running WordPress. Follow the steps below.
 

Method 1: Change the WordPress login URL

This one is easy using a WordPress plugin. And there's no shortage of plugins available to accomplish this. Some of the popular ones include:

  • iThemes Security
  • Perfmatters
  • WPS Hide Login

While changing your WordPress login URL won't deter an experienced hacker, the overwhelming majority of attacks on your login URL will be bots that will be blocked. It's best to combine this method with the other methods below for a more complete solution.

Method 2: Install a WordPress security plugin

You can install a security plugin (e.g. Wordfence Security, iThemes Security, All In One WP Security & Firewall, etc.) and most of these are capable of blocking brute force login attempts. However, this should not be your first line of defense. For that, we want to begin at the perimeter edge and work our way in towards the server.
 

Method 3: Enable cPHulk Brute Force Protection in WHM.

Block brute force attacks against other server services

WHM/cPanel provides the cPHulk Brute Force Protection service to monitor and block automated software attacks against

  • cPanel services (Port 2083).
  • WHM services (Port 2087).
  • Mail services (Dovecot® and Exim).
  • The PureFTPd service.
  • Secure Shell (SSH) access.

Make sure cPHulk is enabled in WHM as displayed in the following image.

[Image: Enable cPHulk Brute Force Protection service in WHM]

Once enabled, you can view events in the log file (cphulkd.log) located in /usr/local/cpanel/logs. Note that you will need root access permissions.

Here's what a brute force event may look like in the log. Note that the remote IP is highlighted in red. The image captures only a small part of all these attempts from the same remote IP.

[Image: cPHulk brute force login attack events in the log, remote IP highlighted]
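As an added example (not from the original article, and not cPHulk's own tooling), the following shell function tallies the remote IPs in a cPHulk log so the heaviest offender stands out without reading the whole file. The sample log lines are constructed with RFC 5737 documentation addresses; cPHulk's real wording differs, which is why the function keys only on the IPv4 address in each matching line.

```shell
# Added example, not code from the original article.
# Summarise a cPHulk log by remote IP: print "IP COUNT" for every address
# seen at least THRESHOLD times in lines matching PATTERN (case-insensitive),
# most frequent first. Only the IPv4 address in each line is relied upon, so
# the function does not depend on cPHulk's exact log wording.
#   usage: top_attackers /usr/local/cpanel/logs/cphulkd.log 10 'fail'
top_attackers() {
    logfile="$1"
    threshold="${2:-10}"
    pattern="${3:-.}"
    grep -iE "$pattern" "$logfile" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Constructed sample log (documentation addresses, illustrative wording only;
# a real cphulkd.log looks different). Removed again when the script exits.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2022-08-08 10:01:02 -0400] info [cphulkd] Login failed for user "admin" from 203.0.113.45 (cpaneld)
[2022-08-08 10:01:05 -0400] info [cphulkd] Login failed for user "administrator" from 203.0.113.45 (cpaneld)
[2022-08-08 10:01:09 -0400] info [cphulkd] Login failed for user "root" from 203.0.113.45 (sshd)
[2022-08-08 10:02:10 -0400] info [cphulkd] Login failed for user "admin" from 198.51.100.7 (dovecot)
[2022-08-08 10:02:40 -0400] info [cphulkd] Login failed for user "postmaster" from 198.51.100.7 (dovecot)
[2022-08-08 10:03:33 -0400] info [cphulkd] Login failed for user "test" from 203.0.113.45 (sshd)
[2022-08-08 10:04:00 -0400] info [cphulkd] Login succeeded for user "alice" from 192.0.2.10 (cpaneld)
EOF

# Example run: addresses with three or more failed logins.
top_attackers "$SAMPLE_LOG" 3 'failed'
```

Run it as root against /usr/local/cpanel/logs/cphulkd.log with a pattern that matches the failure lines in your own log; an address that dominates the count is the one to carry into the firewall and Cloudflare steps below.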

Now that we have identified the attacking IP, we have a couple of options to defend against future brute force attacks.

Method 4: Block brute force login attacks in your server firewall

From the information gathered above, we can block the offending remote IP via your server firewall. While this will block that IP from future attacks, hackers and bots typically have a large number of IP addresses available, so while blocking a single IP may be helpful, it can easily be bypassed.

But, from the offending IP, we can determine the country of origin. Then, if your site does not receive sales or other benefits from that country, we can block the entire country. This can be done in your server's firewall.

Ask your web hosting support to block the country via the iptables utility as it is less resource intensive than doing so through Apache.

Warning: Blocking a large country via your server firewall can degrade performance, especially if you're not on a dedicated server with substantial resources. Again, though, this should not be your first line of defense, as we combine it with country blocking at the perimeter using a cloud-based WAF. Assuming the cloud WAF is properly configured and doing its job, this shouldn't be a problem, as it will perform your country blocking, even for the largest countries. Consider your server country block as just a backup that won't be needed (or consuming resources) most of the time.
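The iptables step described above, as an added example that is not part of the original article: a dry-run script that assembles a single-IP block and an ipset-backed country block, so the commands can be reviewed (or handed to hosting support) before anything is applied. The CIDR ranges are constructed RFC 5737 placeholders, since the page carries no country ranges and the real list would come from your host or a GeoIP feed, and `country_XX` is an assumed set name.

```shell
# Added example, not code from the original article.
# DRY_RUN=1 (the default) prints each command instead of running it;
# DRY_RUN=0 executes them and needs root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Drop every packet from one offending address (the "block the remote IP" step).
#   usage: block_ip 203.0.113.45
block_ip() {
    run iptables -I INPUT -s "$1" -j DROP
}

# Put all of a country's ranges into one hash:net set and reference the set
# from a single iptables rule. Matching one set is far cheaper than one rule
# per range, which is the reason the article prefers iptables over Apache.
#   usage: block_country XX /path/to/XX.cidr   (one CIDR per line)
block_country() {
    cc="$1"
    cidr_file="$2"
    setname="country_${cc}"          # assumed naming convention
    run ipset -exist create "$setname" hash:net
    while IFS= read -r cidr; do
        [ -z "$cidr" ] && continue   # skip blank lines
        run ipset -exist add "$setname" "$cidr"
    done < "$cidr_file"
    run iptables -I INPUT -m set --match-set "$setname" src -j DROP
}

# Constructed placeholder ranges for an imaginary country "XX"
# (RFC 5737 documentation networks, not a real country's allocation).
CIDR_FILE="$(mktemp)"
trap 'rm -f "$CIDR_FILE"' EXIT
cat > "$CIDR_FILE" <<'EOF'
203.0.113.0/24
198.51.100.0/24
EOF

# Example run (dry run): the two blocks the article describes.
block_ip 203.0.113.45
block_country XX "$CIDR_FILE"
```

Two points worth keeping in mind when applying the output: iptables rules added this way do not survive a reboot unless your firewall tool (CSF, firewalld, or the distribution's iptables-persistent mechanism) saves them, which is another reason to let hosting support apply them. And cPHulk logs logins to cPanel, SSH and mail services that reach the server directly, so the IPs it records are the real sources; web requests proxied through Cloudflare arrive from Cloudflare's own addresses, so those must never be copied into a server-level block.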

Method 5: Use a cloud-based firewall (WAF) to block brute force attacks

Implementing the steps above will go a long way to mitigating the effects of brute force login attacks against your website. However, server resources will still be consumed in the process.

To protect our server and its resources further, we can implement a cloud-based WAF (web application firewall). Examples are Incapsula, Sucuri, and the one we'll be using here, Cloudflare.

Using Cloudflare, we can block the same IP(s) that we blocked on our server via the server firewall or the WordPress security plugin. This will give us an extra layer of protection and best of all, won't require using any of our server's resources to do so.

Here's what that would look like, after logging in to Cloudflare.

[Image: Blocking an IP via Cloudflare]

But just like on our server firewall, we can take this a step further by blocking or "Challenging" the entire Country where the IP address originates.

Country block via Cloudflare IP ACCESS rule

However, unlike our server firewall where we can actually block a country, in Cloudflare, country blocking via IP Access rules requires the Enterprise version of Cloudflare, a far too expensive proposition for the average business.
https://developers.cloudflare.com/waf/tools/ip-access-rules/

Country block via Cloudflare firewall rule

Fortunately, we can still execute a country block via a Cloudflare firewall rule. And by grouping countries together in the same rule, we only need one rule!

Country challenge via Cloudflare firewall rule

As an alternative to blocking, we can "challenge" all site visitors (and bots) before they can access our site. Configuring a Challenge rule in the Cloudflare firewall presents a captcha that must be solved. Doing so at the country level enforces this captcha for all attempts from that country. While some sophisticated bots and/or manual attempts may successfully pass the captcha and gain access to your site, the majority of bad bots will fail the captcha or simply move on to an easier target.
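An added example, not from the original article or Cloudflare's own tooling: shell helpers that build the single grouped-country expression the Cloudflare rule editor produces for a block or challenge rule, a tighter variant scoped to the WordPress login endpoints, and the JSON body for creating such a rule through the API. The country codes XX and YY, the zone ID and the token are placeholders; the Rulesets endpoint and the `managed_challenge` action are written from Cloudflare's API documentation as I know it and should be checked against the current docs before use.

```shell
# Added example, not code from the original article.

# Turn "XX YY" into  (ip.geoip.country in {"XX" "YY"})
# This is the one grouped rule the article recommends instead of one per country.
cf_country_expr() {
    list=""
    for cc in $1; do
        list="${list}${list:+ }\"$cc\""
    done
    echo "(ip.geoip.country in {$list})"
}

# Narrower variant: only the login endpoints from those countries are affected,
# so ordinary page views are untouched. The article applies the rule site-wide;
# this is the tighter option when the goal is purely login protection.
cf_login_expr() {
    echo "$(cf_country_expr "$1") and (http.request.uri.path in {\"/wp-login.php\" \"/xmlrpc.php\"})"
}

# JSON body for one custom rule. ACTION is "block" or "managed_challenge"
# (the "Challenge" the article describes); quotes inside EXPR are escaped.
cf_rule_body() {
    action="$1"; expr="$2"; desc="$3"
    printf '{"action":"%s","expression":"%s","description":"%s"}' \
        "$action" "$(printf '%s' "$expr" | sed 's/"/\\"/g')" "$desc"
}

# Create the rule in the custom-rules phase of a zone. With DRY_RUN=1 (the
# default) the curl invocation is printed with the token masked instead of run.
# Endpoint per Cloudflare's Rulesets API docs (assumption: verify before use).
cf_create_rule() {
    zone="$1"; token="$2"; body="$3"
    url="https://api.cloudflare.com/client/v4/zones/${zone}/rulesets/phases/http_request_firewall_custom/entrypoint/rules"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "curl -X POST $url -H 'Authorization: Bearer <token>' -H 'Content-Type: application/json' --data '$body'"
    else
        curl -sS -X POST "$url" -H "Authorization: Bearer $token" \
             -H 'Content-Type: application/json' --data "$body"
    fi
}

# Example run (dry run) with placeholder values.
BODY="$(cf_rule_body managed_challenge "$(cf_country_expr "XX YY")" "Challenge brute force countries")"
echo "$BODY"
cf_create_rule ZONE_ID_PLACEHOLDER TOKEN_PLACEHOLDER "$BODY"
```

Use real ISO 3166-1 alpha-2 codes in place of XX and YY; the expression syntax is the same one shown in the Cloudflare firewall rule editor, so the string can also be pasted into the editor's "Edit expression" box rather than sent through the API.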

This is what a country "Challenge" looks like in the Cloudflare firewall.

[Image: Cloudflare country challenge rule]

Once activated, we can see the results of this rule in our Events tab:

[Image: Cloudflare country blocking events]

In conclusion

While doing any one of the above may prove effective against brute force login attempts, using all of these steps will give us "defense in depth" using a layered approach while mitigating our current as well as future server resource usage in the process.

Bonus Tip: Monitor attacks with real-time notifications

How to get real-time notifications of brute force attempts (or other critical events) against your website login.

Log in to WHM and in the search box, search for contact.

Click on Contact Manager in the left menu

[Image: Monitoring brute force login attacks using WHM server notifications]

At a minimum, you should configure notifications via email and SMS.

Here's the format to get email notifications via SMS for some of the major carriers. Contact your carrier if it's not listed.

[Image: Email-to-SMS address formats for major carriers]
