You know that moment when you’re standing in front of your door, trying every key on your key ring before finally finding the right one to open the door? A Brute Force Attack is the cyberattack equivalent of that.
A brute force attack consists of repeated, successive attempts to break into a website by trying one password combination after another.
The most common type of brute force attack is password guessing. Hackers try different combinations of usernames and passwords repeatedly until they eventually find the one that works and get in.
By default, WordPress allows an unlimited number of login attempts, and hackers take advantage of this vulnerability through brute-force attacks.
When running their attacks, hackers use bots or automated tools to guess your login information, basically letting computers do the work for them. This is one reason why these types of attacks are extremely common.
A brute force attack is dangerous because it can slow down your website and make it inaccessible. What’s more, a successful brute force attack can give hackers access to your site’s admin area, which means they can install malware on your site, steal sensitive user information, and delete everything on your site.
When it comes to brute force attacks, popular CMS platforms (e.g. WordPress, Joomla, etc.) are often targeted. Brute force attacks are also deployed against common services, such as FTP and SSH.
Statistics show that, in recent years, WordPress has been the most affected Content Management System (CMS).
Most brute force attacks work by targeting a website (in most cases, the wp-login.php and xmlrpc.php files).
Common account names (e.g. “admin” or “administrator”) are tried first, and the password for each is guessed from a wordlist (a dictionary attack).
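Because these attacks show up as bursts of POST requests to wp-login.php and xmlrpc.php, they can be spotted in the web server's access log. The Python below is an added example (not WP Ghost code) that flags any source IP posting to either endpoint more than a threshold number of times inside a sliding window; the log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines in combined log format; not real traffic.
# WordPress answers a failed wp-login.php POST with 200 (the form is re-rendered)
# and a successful one with a 302 redirect, so the 198.51.100.4 entry is a normal login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:14:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:14:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:14:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The two endpoints the text names as the usual brute-force targets.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak count} for IPs that POST to a login endpoint at least
    `threshold` times within any `window_seconds` span (sliding window per IP)."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or path.split("?", 1)[0] not in LOGIN_ENDPOINTS:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(len(q), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

A single xmlrpc.php request can carry many credential guesses, so a lower threshold for that endpoint is reasonable in practice.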
WP Ghost provides several features to ensure stronger protection against Brute Force Attacks for your site.
Before changing the logout path, it’s essential to activate either Safe Mode or Ghost Mode.
Once you have activated Safe Mode or Ghost Mode, you can proceed to protect the login page against Brute Force Attacks.
You can also activate Brute Force Protection from the Hide My WP Ghost > Overview > Features.
Brute Force will also protect the login forms on other popular plugins, such as Woocommerce, Elementor Page Builder, Divi, etc.
For more compatibility, you can use the brute-force shortcode [ hmwp_bruteforce ] to load WP Ghost Brute Force Protection on any form.
To activate this option, switch on WP Ghost > Brute Force > Settings > Lost Password Form Protection.
This subsection activates the Brute Force Protection for the “Lost Password” form, ensuring attackers can’t brute-force their way into resetting passwords by abusing this form.
Once the option is selected, you will see the reCaptcha next to the email address input on the Lost Password page. The Hacker Bots cannot submit the lost password form and discover the user’s email addresses.
To activate this option, switch on WP Ghost > Brute Force > Settings > Sign Up Form Protection.
This subsection activates the Brute Force Protection for the “Sign Up” form, ensuring attackers can’t brute-force their way into creating multiple fake accounts on your website.
Once the option is selected, you will see the reCaptcha next to the inputs on the Sign Up page. Hacker bots cannot submit the sign-up form and create fake accounts.
To activate this option, switch on WP Ghost > Brute Force > Settings > Comment Form Protection.
By activating “Comments Form Protection”, you protect the comment section from brute-force attempts, which could be a point of entry for spam or malicious links through automated hacker bot attacks.
Comment Form Protection will also protect the comment forms on other popular plugins, such as Woocommerce, Elementor Page Builder, Divi, etc.
For more compatibility, you can use the brute-force shortcode [ hmwp_bruteforce ] to load WP Ghost Brute Force Protection on any form.
To activate this option, switch on WP Ghost > Brute Force > Settings > Wrong Username Form Protection.
This option prevents attackers from guessing usernames by blocking attempts when incorrect usernames are entered into the login form.
Wrong Username Protection is very useful when you want to protect your website against automated username or email-address enumeration right from the start.
Note! We don’t recommend this option if your website is a membership website. Users may forget their login information and get locked out for one hour, which will cause a lot of frustration.
To activate this option, switch on WP Ghost > Brute Force > WooCommerce > WooCommerce Support.
The Activate Brute Force Protection option also works for WooCommerce shopping websites. If you have WooCommerce installed on your WordPress site, WP Ghost will automatically detect it, in which case you will see the following option:
There are three main Brute Force reCaptcha Protection options available in WP Ghost:
Using these options helps prevent malicious software from engaging in abusive activities on your site without creating friction for legitimate users. Legitimate users will still be able to log in, view pages, and make purchases, while fake users and spam traffic will be blocked.
To make these options visible, switch on WP Ghost > Brute Force > Brute Force Settings > Use Brute Force Protection.
Here’s what each one of these options helps you achieve and how to activate them using WP Ghost.
By activating this reCAPTCHA, WP Ghost will display a widget asking users to solve a mathematical problem when attempting to log in to your site (to prove they are human).
To activate this option, select the WP Ghost > Brute Force > Settings > Math reCAPTCHA option.
You can also customize the Math reCAPTCHA widget and limit the number of failed login attempts a user can perform before they are temporarily locked out.
You can also customize the ban duration and the lockout message shown in place of the login form once an IP has been blocked.
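The attempt limit, ban duration and lockout message above describe a per-IP lockout. The Python below is an added example (not WP Ghost's PHP) of that logic: the counter grows on each failure, the IP is banned for the configured duration once the limit is reached, and a successful login or an expired ban resets it. The default values, the sample address and the message text are constructed.

```python
import time


class LoginLockout:
    """Per-IP failed-login counter with a temporary ban (attempt limit, ban duration,
    lockout message). Defaults are illustrative; `clock` is injectable for testing."""

    def __init__(self, max_attempts=5, ban_seconds=3600,
                 message="Too many failed logins. Try again later.", clock=time.time):
        self.max_attempts = max_attempts
        self.ban_seconds = ban_seconds
        self.message = message
        self._clock = clock
        self._fails = {}   # ip -> consecutive failed attempts
        self._banned = {}  # ip -> timestamp when the ban expires

    def is_locked(self, ip):
        until = self._banned.get(ip)
        if until is None:
            return False
        if self._clock() >= until:  # ban duration elapsed: reset the IP
            del self._banned[ip]
            self._fails.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Count a failed login. Returns the lockout message once the IP is banned
        (the caller shows it instead of the login form), otherwise None."""
        if self.is_locked(ip):
            return self.message
        self._fails[ip] = self._fails.get(ip, 0) + 1
        if self._fails[ip] >= self.max_attempts:
            self._banned[ip] = self._clock() + self.ban_seconds
            return self.message
        return None

    def record_success(self, ip):
        self._fails.pop(ip, None)  # a successful login clears the counter


def demo():
    """Walk one constructed IP through the limit, the ban and its expiry."""
    clock = {"now": 1_700_000_000.0}
    guard = LoginLockout(max_attempts=5, ban_seconds=3600, clock=lambda: clock["now"])
    ip = "203.0.113.7"  # constructed sample address
    outcomes = [guard.record_failure(ip) for _ in range(5)]
    locked = guard.is_locked(ip)
    clock["now"] += 3600  # the one-hour ban elapses
    return outcomes, locked, guard.is_locked(ip)
```

A per-IP counter alone does not stop guesses spread across many source addresses, which is why the CAPTCHA options below complement it.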
Default values:
By activating this CAPTCHA, WP Ghost will display the Google reCAPTCHA V2 widget to validate requests with the “I’m not a robot” checkbox. This will either pass the user right away (with No CAPTCHA) or challenge them to validate whether or not they are human.
To activate this option, follow these steps:
The Site Key is used to render the reCAPTCHA on your site or mobile application, and the Secret Key is used for server-side validation (authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response). Both keys are unique to the domain for which they are registered.
If the settings are correct, you will be able to log in and check the Google reCaptcha widget on the login popup.
Note! You can customize the default brute force settings as you like.
The reCAPTCHA “I’m not a robot” Checkbox is very useful for fighting against spammers, but its one-time verification doesn’t fit every use case. With WP Ghost, you also have the option to add Google reCAPTCHA V3 protection for your site.
reCAPTCHA v3 returns a spam score for each request without user friction (the scores will be visible within your Google reCAPTCHA account).
The score is based on interactions with your site and enables you to take appropriate actions in the context of your site. Read More: Google reCAPTCHA V3.
To activate this option, follow these steps:
The Site Key is used to render the reCAPTCHA on your site or mobile application, and the Secret Key is used for server-side validation (authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response). Both keys are unique to the domain for which they are registered.
If the settings are correct, you can log in and see the Google reCaptcha widget (right corner) in the login popup.
Note! You can customize the default brute force settings as you like.
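The server-side validation that the Secret Key enables (described for the V2 keys above) and the score returned by reCAPTCHA V3 both arrive as a JSON answer from Google's siteverify endpoint. The Python below is an added example, not WP Ghost's own PHP, of the checks a backend should apply to that answer before trusting a login: success flag, hostname, token age and, for V3, action and score. The sample responses, the hostname shop.example, the fixed "current time" and the thresholds are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed examples of the JSON that Google's siteverify endpoint returns after a
# backend POSTs the secret key and the user's response token to it; not captured data.
V2_OK = '{"success": true, "challenge_ts": "2024-03-10T14:01:02Z", "hostname": "shop.example"}'
V3_OK = '{"success": true, "score": 0.9, "action": "login", "challenge_ts": "2024-03-10T14:01:02Z", "hostname": "shop.example"}'
V3_LOW = '{"success": true, "score": 0.2, "action": "login", "challenge_ts": "2024-03-10T14:01:02Z", "hostname": "shop.example"}'
WRONG_HOST = '{"success": true, "score": 0.9, "action": "login", "challenge_ts": "2024-03-10T14:01:02Z", "hostname": "other.example"}'
REJECTED = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
NOW = datetime(2024, 3, 10, 14, 1, 30, tzinfo=timezone.utc)  # constructed "current time"


def verdict(body, expected_host, expected_action=None, min_score=0.5, max_age_s=120, now=None):
    """Decide whether a siteverify response should let the request through.
    Returns (accepted, reason). V2 answers carry no score; V3 answers carry a
    0.0-1.0 score and the action name the widget was executed with."""
    data = json.loads(body)
    if not data.get("success"):
        return False, "rejected by Google: " + ",".join(data.get("error-codes", []))
    # Keys are bound to a domain; the hostname echoes where the widget was solved.
    if data.get("hostname") != expected_host:
        return False, "token issued for another hostname"
    issued = datetime.fromisoformat(data["challenge_ts"].replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) - issued > timedelta(seconds=max_age_s):
        return False, "token too old"  # local freshness check on top of Google's own expiry
    if "score" in data:
        if expected_action and data.get("action") != expected_action:
            return False, "token issued for another action"
        if data["score"] < min_score:
            return False, f"score {data['score']} below threshold {min_score}"
    return True, "ok"
```

The score threshold is a policy choice: a low score on the login action can be answered with a second factor or a math challenge rather than an outright block.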
With WP Ghost, you also have the option to add Google Enterprise reCAPTCHA protection for your site.
Enterprise reCAPTCHA returns a spam score for each request without user friction (the scores will be visible within your Google reCAPTCHA account).
The score is based on interactions with your site and enables you to take appropriate actions in the context of your site. Read More: Google reCaptcha Enterprise.
To activate this option, follow these steps:
Note! Make sure you select the same option in WP Ghost to avoid functionality errors.
If the settings are correct, you can log in and see the Google reCaptcha widget (right corner) in the login popup.
Note! You can customize the default brute force settings as you like.
The [ hmwp_bruteforce ] shortcode is a powerful addition to the WP Ghost arsenal. It allows website administrators to seamlessly integrate brute force protection into forms created with page builders that do not automatically load brute force protection from WP Ghost on the login page.
This shortcode acts as a shield, strengthening the site’s security without compromising user experience or design aesthetics.