
Brute Force Attack Protection

Table of Contents
  • What is a Brute Force Attack?
  • Which Websites Are Targeted by Hackers?
  • How to Secure WordPress with Brute Force Protection
    • Activate Safe Mode or Ghost Mode
    • Activate Brute Force Protection
    • Lost Password Form Protection
    • Sign Up Form Protection
    • Comment Form Protection
    • Wrong Username Protection
    • WooCommerce Protection
  • Brute Force reCaptcha Options
    • Math reCAPTCHA Protection
    • Google reCAPTCHA V2 Protection
    • Google reCAPTCHA V3 Protection
    • Google reCAPTCHA Enterprise Protection
    • Brute Force Shortcode

What is a Brute Force Attack?

You know that moment when you’re standing in front of your door, trying every key on your key ring before finally finding the right one to open the door? A Brute Force Attack is the cyberattack equivalent of that.

A brute force attack is an activity that involves repetitive, successive attempts to break into a website using various password combinations.

The most common type of brute force attack is password guessing. Hackers try different combinations of usernames and passwords repeatedly until they eventually find the one that works and get in.

By default, WordPress allows an unlimited number of login attempts, and hackers take advantage of this vulnerability through brute-force attacks.

When running their attacks, hackers use bots or automated tools to guess your login information, basically letting computers do the work for them. This is one reason why these types of attacks are extremely common.

A brute force attack is dangerous because it can slow down your website and make it inaccessible. What’s more, a successful brute force attack can give hackers access to your site’s admin area, which means they can install malware on your site, steal sensitive user information, and delete everything on your site.

Which Websites Are Targeted by Hackers?

When it comes to brute force attacks, popular CMS platforms (e.g. WordPress, Joomla, etc.) are often targeted. Brute force attacks are also deployed against common services, such as FTP and SSH.  

Statistics show that, in recent years, WordPress has been the most affected Content Management System (CMS).

Most brute force attacks against WordPress target the login endpoints, in most cases the wp-login.php and xmlrpc.php files.

Common usernames such as “admin” or “administrator” are tried first, and the matching password is guessed from a dictionary of common words.
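The two endpoints named above leave a clear trace in the web server's access log. As an added example that is not part of this page or of the WP Ghost plugin, the following Python script flags client addresses that send many credential-carrying POSTs to wp-login.php or xmlrpc.php inside a short window. The log lines, IP addresses (RFC 5737 documentation ranges) and timestamps are constructed for the demo; the 5-attempts threshold mirrors the plugin default described later on this page, and the window length is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints the page names as the usual brute-force targets on WordPress.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for illustration only (addresses from the RFC 5737
# documentation ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
192.0.2.5 - - [10/Mar/2025:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2025:12:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "curl/8.4"
198.51.100.23 - - [10/Mar/2025:12:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "curl/8.4"
198.51.100.23 - - [10/Mar/2025:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "curl/8.4"
198.51.100.23 - - [10/Mar/2025:12:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "curl/8.4"
198.51.100.23 - - [10/Mar/2025:12:09:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "curl/8.4"
"""


def parse_log_line(line):
    """Return (ip, timestamp, method, path, status) or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def max_hits_in_window(times, window):
    """Largest number of events that fall inside any span of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Map each client IP whose peak login-POST rate reaches `threshold` within one window to that peak."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        # Only POSTs carry credentials; a GET of wp-login.php is just someone opening the form.
        if method == "POST" and path.split("?", 1)[0] in LOGIN_ENDPOINTS:
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        peak = max_hits_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60 seconds")
```

With the default one-minute window only the rapid wp-login.php burst is reported; widening the window to fifteen minutes also catches the slower xmlrpc.php source, which is why a rate limiter such as the one this page configures counts attempts rather than relying on raw request speed.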


WP Ghost provides several features to ensure stronger protection against Brute Force Attacks for your site.

How to Secure WordPress with Brute Force Protection

Activate Safe Mode or Ghost Mode

Before changing the logout path, it’s essential to activate either Safe Mode or Ghost Mode.

  1. Access your WordPress dashboard after installing and activating the WP Ghost plugin.
  2. Go to WP Ghost > Change Paths > Level of Security.
  3. Select Safe Mode or Ghost Mode. Safe Mode provides basic protection, while Ghost Mode offers more advanced security features.

Activate Brute Force Protection

Once you have activated Safe Mode or Ghost Mode, you can proceed to protect the login page against Brute Force Attacks.

  1. Go to WP Ghost > Brute Force > Settings.
  2. Switch on the Use Brute Force Protection option to activate Brute Force Protection on the login page.
  3. Click the Save button to apply the changes.

You can also activate Brute Force Protection from the Hide My WP Ghost > Overview > Features.


Brute Force Protection will also protect the login forms of other popular plugins, such as WooCommerce, Elementor Page Builder, Divi, etc.

For more compatibility, you can use the brute-force shortcode [ hmwp_bruteforce ] to load WP Ghost Brute Force Protection on any form.

Lost Password Form Protection

To activate this option, switch on WP Ghost > Brute Force > Settings > Lost Password Form Protection.

This subsection activates the Brute Force Protection for the “Lost Password” form, ensuring attackers can’t brute-force their way into resetting passwords by abusing this form.

Once the option is selected, you will see the reCaptcha next to the email address input on the Lost Password page. The Hacker Bots cannot submit the lost password form and discover the user’s email addresses.

Sign Up Form Protection

To activate this option, switch on WP Ghost > Brute Force > Settings > Sign Up Form Protection.

This subsection activates the Brute Force Protection for the “Sign Up” form, ensuring attackers can’t brute-force their way into creating multiple fake accounts on your website.

Once the option is selected, you will see the reCaptcha next to the inputs on the Sign Up page. Hacker bots cannot submit the sign-up form and create fake accounts.

Comment Form Protection

To activate this option, switch on WP Ghost > Brute Force > Settings > Comment Form Protection.

By activating “Comments Form Protection”, you protect the comment section from brute-force attempts, which could be a point of entry for spam or malicious links through automated hacker bot attacks.

Comment Form Protection will also protect the comment forms of other popular plugins, such as WooCommerce, Elementor Page Builder, Divi, etc.

For more compatibility, you can use the brute-force shortcode [ hmwp_bruteforce ] to load WP Ghost Brute Force Protection on any form.

Wrong Username Protection

To activate this option, switch on WP Ghost > Brute Force > Settings > Wrong Username Form Protection.

This option prevents attackers from guessing usernames by blocking attempts when incorrect usernames are entered into the login form.

Wrong Username Protection is very useful when you want to protect your website against automatic user name or email address discoverability right from the start.

Note! We don’t recommend this option if your website is a membership website. Users may forget their login information and get locked out for one hour, which will cause a lot of frustration instead of results.

WooCommerce Protection

To activate this option, switch on WP Ghost > Brute Force > WooCommerce > WooCommerce Support.

The Activate Brute Force Protection option also works for WooCommerce shopping websites. If you have WooCommerce installed on your WordPress site, WP Ghost will automatically detect it, in which case you will see the following option:

Brute Force reCaptcha Options

There are three main Brute Force reCaptcha Protection options available in WP Ghost:

  1. Math reCAPTCHA Protection.
  2. Google reCAPTCHA v2 Protection.
  3. Google reCAPTCHA v3 Protection.

Using these options helps prevent malicious software from engaging in abusive activities on your site without creating friction for legitimate users. Legitimate users will still be able to log in, view pages, and make purchases, while fake users and spam traffic will be blocked.

To make these options visible, switch on WP Ghost > Brute Force > Brute Force Settings > Use Brute Force Protection.

Here’s what each one of these options helps you achieve and how to activate them using WP Ghost.

Math reCAPTCHA Protection

By activating this reCAPTCHA, WP Ghost will display a widget requesting that users solve a mathematical problem when attempting to log in to your site (to prove they are human).

To activate this option, select the WP Ghost > Brute Force > Settings > Math reCAPTCHA option.

You can also customize the Math reCAPTCHA widget and limit the number of failed login attempts a user can perform before they are temporarily locked out.

The ban duration and the lockout message the user will see on the login page instead of the login form after their IP has been blocked can also be customized.

Default values:

  • The maximum number of failed login attempts is set to: 5
  • The ban duration is set to: one hour
  • The Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.
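To make the three defaults concrete, here is an added Python model of the lockout logic they describe; it is an illustration written for this page, not WP Ghost's own code, and the per-IP counter, the reset-on-success rule and the injectable clock are assumptions of the model. It enforces 5 failed attempts, a one-hour ban, and the default lockout message, and shows that a correct password is still refused while the ban is active.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# The default lockout message listed on this page.
LOCKOUT_MESSAGE = ("Your IP has been flagged for potential security violations. "
                   "Please try again in a little while.")


class FakeClock:
    """Injectable clock so the one-hour ban can be exercised without waiting (demo aid)."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


@dataclass
class LoginLimiter:
    max_attempts: int = 5            # page default: 5 failed login attempts
    ban_seconds: int = 3600          # page default: ban duration of one hour
    message: str = LOCKOUT_MESSAGE   # page default: text shown instead of the login form
    clock: Callable[[], float] = time.time
    _failures: Dict[str, int] = field(default_factory=dict)        # ip -> consecutive failures
    _banned_until: Dict[str, float] = field(default_factory=dict)  # ip -> unix time the ban ends

    def is_banned(self, ip: str) -> bool:
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Ban expired: drop the counter so the client gets a fresh set of attempts.
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def check_login(self, ip: str, credentials_ok: bool) -> Tuple[bool, str]:
        """Process one login submission. Returns (allowed, message_to_show)."""
        if self.is_banned(ip):
            # While banned even a correct password is refused: the form is replaced by the message.
            return False, self.message
        if credentials_ok:
            self._failures.pop(ip, None)   # a successful login clears the failure streak
            return True, ""
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= self.max_attempts:
            self._banned_until[ip] = self.clock() + self.ban_seconds
            return False, self.message
        remaining = self.max_attempts - self._failures[ip]
        return False, f"Invalid credentials. {remaining} attempt(s) left before lockout."


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    limiter = LoginLimiter(clock=clock)
    for _ in range(5):
        print(limiter.check_login("203.0.113.7", credentials_ok=False))
    clock.advance(3600)
    print(limiter.check_login("203.0.113.7", credentials_ok=True))
```

The note in the Wrong Username Protection section follows directly from this model: on a membership site, a forgetful but legitimate user hits the same 5-attempt ceiling and is locked out for the full hour, so the thresholds should be tuned to the audience rather than left at the defaults.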

Google reCAPTCHA V2 Protection

By activating this CAPTCHA, WP Ghost will display the Google reCAPTCHA V2 widget to validate requests with the “I’m not a robot” checkbox. This will either pass the user right away (with No CAPTCHA) or challenge them to validate whether or not they are human.

To activate this option, follow these steps:

  1. Select the WP Ghost > Brute Force > Settings > Google reCAPTCHA V2 option.
  2. Create a Google reCaptcha V2 on your Google account. Learn how to create a new Google reCaptcha V2 site.
  3. Copy and paste the Site Key and Secret Key from the Google reCaptcha settings into the WP Ghost > Brute Force > Settings > Google reCaptcha V2 fields.

The Site Key is used to render the reCAPTCHA on your site or mobile application, and the Secret Key is used for server-side validation (it authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response). Both keys are unique to the domain for which they are registered.

  4. The reCaptcha Theme option lets you customize the widget’s color theme. You can choose either a Light or a Dark theme.
  5. The reCaptcha Language option lets you specify the widget’s language. If unspecified, it auto-detects the user’s language based on the site’s language.
  6. Next, you will see the same default options that were also available in the Math reCAPTCHA:
     • The maximum number of failed login attempts is set to: 5
     • The ban duration is set to: one hour
     • The Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.
  7. Click the Save button to apply the changes and activate Google reCaptcha V2.
  8. After saving the settings, the reCaptcha V2 Test button will appear. Click it to test the Google reCaptcha V2 widget and ensure that the settings are correct.

If the settings are correct, you will be able to log in and check the Google reCaptcha widget on the login popup.

Note! You can customize the default brute force settings as you like.

Google reCAPTCHA V3 Protection

The reCAPTCHA “I’m not a robot” Checkbox is very useful for fighting against spammers, but its one-time verification doesn’t fit every use case. With WP Ghost, you also have the option to add Google reCAPTCHA V3 protection for your site.

reCAPTCHA v3 returns a spam score for each request without user friction (the scores will be visible within your Google reCAPTCHA account).

The score is based on interactions with your site and enables you to take appropriate actions in the context of your site. Read More: Google reCAPTCHA V3.

To activate this option, follow these steps:

  1. Select the WP Ghost > Brute Force > Settings > Google reCAPTCHA V3 option.
  2. Create a Google reCaptcha V3 on your account at https://www.google.com/recaptcha/admin.
  3. Copy and paste the Site Key and Secret Key from the Google reCaptcha settings into the WP Ghost > Brute Force > Settings > Google reCaptcha V3 fields.

The Site Key is used to render the reCAPTCHA on your site or mobile application, and the Secret Key is used for server-side validation (it authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response). Both keys are unique to the domain for which they are registered.

  4. Next, you will see the same default options that were also available in the Math reCAPTCHA:
     • The maximum number of failed login attempts is set to: 5
     • The ban duration is set to: one hour
     • The Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.
  5. Click the Save button to apply the changes and activate Google reCaptcha V3.
  6. After saving the settings, the reCaptcha V3 Test button will appear. Click it to test the Google reCaptcha V3 configuration and ensure that the settings are correct.

If the settings are correct, you can log in and see the Google reCaptcha widget (right corner) in the login popup.

Note! You can customize the default brute force settings as you like.
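Both the V2 and the V3 sections above say that the Site Key renders the widget in the browser while the Secret Key is used for server-side validation, and that V3 returns a score instead of a checkbox. The following Python is an added example, not WP Ghost code, of what that server-side step looks like: the token the browser submits is posted to Google's siteverify endpoint together with the Secret Key, and the JSON answer is checked before the login is accepted. The secret-key value and the hostname example.com are placeholders, the siteverify responses are constructed to show the cases a practitioner has to handle, and the 0.5 score threshold is Google's documented starting point for V3.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Placeholders: the real Secret Key comes from the reCAPTCHA admin console and
# must stay on the server; the Site Key is the only one that goes to the browser.
SECRET_KEY_PLACEHOLDER = "<your-secret-key>"
SITE_HOSTNAME = "example.com"   # the domain the key pair was registered for


def fetch_siteverify(secret_key, token, remote_ip=None):
    """Send the browser token to Google with the Secret Key (server side only).
    Needs network access, so the offline demo below works on constructed responses."""
    form = {"secret": secret_key, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=10) as resp:
        return json.load(resp)


def accept_v2(result, expected_hostname=SITE_HOSTNAME):
    """V2 checkbox: accept only if Google reports success AND the challenge was solved on our domain.
    The hostname check stops a token solved on another site from being replayed against ours."""
    return bool(result.get("success")) and result.get("hostname") == expected_hostname


def accept_v3(result, expected_action, min_score=0.5, expected_hostname=SITE_HOSTNAME):
    """V3: no checkbox, Google returns a 0.0 (likely bot) to 1.0 (likely human) score.
    Reject failures, wrong hostnames, tokens minted for another action, and low scores."""
    if not result.get("success") or result.get("hostname") != expected_hostname:
        return False
    if result.get("action") != expected_action:
        return False
    return float(result.get("score", 0.0)) >= min_score


# Constructed siteverify responses; the field names are the ones the real API returns.
V2_OK = {"success": True, "challenge_ts": "2025-03-10T12:00:00Z", "hostname": "example.com"}
V2_EXPIRED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
V2_OTHER_HOST = {"success": True, "challenge_ts": "2025-03-10T12:00:00Z", "hostname": "other.example"}
V3_LIKELY_HUMAN = {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"}
V3_LIKELY_BOT = {"success": True, "score": 0.1, "action": "login", "hostname": "example.com"}
V3_WRONG_ACTION = {"success": True, "score": 0.9, "action": "comment", "hostname": "example.com"}


if __name__ == "__main__":
    print("v2 ok:", accept_v2(V2_OK), "expired:", accept_v2(V2_EXPIRED), "other host:", accept_v2(V2_OTHER_HOST))
    print("v3 human:", accept_v3(V3_LIKELY_HUMAN, "login"), "bot:", accept_v3(V3_LIKELY_BOT, "login"),
          "wrong action:", accept_v3(V3_WRONG_ACTION, "login"))
```

The Test button the plugin shows after saving exercises exactly this round trip: if the Secret Key is wrong or belongs to a different domain, siteverify answers with success false and the widget cannot pass, which is what the page means by "ensure that the settings are correct".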

Google reCAPTCHA Enterprise Protection

With WP Ghost, you also have the option to add Google Enterprise reCAPTCHA protection for your site.

Enterprise reCAPTCHA returns a spam score for each request without user friction (the scores will be visible within your Google reCAPTCHA account).

The score is based on interactions with your site and enables you to take appropriate actions in the context of your site. Read More: Google reCaptcha Enterprise.

To activate this option, follow these steps:

  1. Select the WP Ghost > Brute Force > Settings > Google reCAPTCHA Enterprise option from the sidebar.
  2. Select the WP Ghost > Brute Force > Settings > Google reCAPTCHA option.
  3. Activate reCaptcha on your Google Cloud account and create a Google reCaptcha Enterprise Key at https://console.cloud.google.com/security/recaptcha.
  4. If you want the reCaptcha to load a challenge box with the “I’m not a robot” option, open the extra options from behind the Domain list and switch off the option Use checkbox challenge.

Note! Make sure you select the same option in WP Ghost to avoid any functionality error.

  5. Click the Create Key button to create the new reCaptcha key for your domain.
  6. Copy and paste the Site Key ID from the Google reCaptcha settings into the WP Ghost > Brute Force > Settings > Google reCaptcha > Site Key field.
  7. Copy the project ID from Google Cloud into the Google reCaptcha Project ID field.
  8. Finally, create a Google Cloud API Key and copy the API Key into the WP Ghost settings. You can create a new API key from https://console.cloud.google.com/apis/credentials.
  9. Next, you will see the same default options that were also available in the Math reCAPTCHA:
     • The maximum number of failed login attempts is set to: 5
     • The ban duration is set to: one hour
     • The Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.
  10. Click the Save button to apply the changes and activate Google reCaptcha Enterprise.
  11. After saving the settings, the reCaptcha Test button will appear. Click it to test the Google reCaptcha Enterprise configuration and ensure that the settings are correct.

If the settings are correct, you can log in and see the Google reCaptcha widget (right corner) in the login popup.

Note! You can customize the default brute force settings as you like.

Brute Force Shortcode

The [ hmwp_bruteforce ] shortcode is a powerful addition to the WP Ghost arsenal. It allows website administrators to seamlessly integrate brute force protection into forms created with page builders that do not automatically load brute force protection from WP Ghost on the login page.

This shortcode acts as a shield, increasing websites’ security infrastructure without compromising user experience or design aesthetics.

