Brute force site attack

Started by Plan, Aug 24, 2022, 09:13 AM


Plan (Topic starter)

Brute force attack on a site in order to brute-force passwords, that is, stupidly and head-on. Does it really work, or does it just load the web server where the website is located?

I wanted to know your opinion. I recently installed the Limit Login Attempts plugin for my CMS-based WordPress website to protect and log attacks of this type.

I installed it recently and, what's interesting, there really are attacks: in a fairly short time there are already 104 isolations. Basically, the attacks are on the WP-Login admin panel and XMLRPC (some tricky WordPress garbage for remote posting).

Common logins requested in attempts to crack a password: the name of your website, demo, test, admin, and various others that are mysterious to me, and even Christmas Piano. Are there really such logins?

I installed that plugin because the server RAM was being overloaded, although this may not be related to this, but to a lot of different plugins that are significant, and there may be some errors somewhere. But the provider sent letters saying that the memory was being overused and giving possible reasons, one of them being a brute force attack.

But actually my question is this: it seems that these attacks were happening on my website for a very long time before I installed the plugin, about 2 years, and during this time no one got through the password using the brute force method, so why do it if it does not work?


And the hosting provider does not know that you are being brute-forced. Maybe YOUR external script is hammering on your wp-login.php and sends the data you need, and the hosting provider will take and break your whole world.
From this you must defend yourself (well, or hire someone who will set up protection).

You made this problem up out of thin air. The problem is solved by closing the admin panel by IP. Or should the hosting provider guess the IP from which you will administer?

The problem here is not in hosting providers, but in webmasters who take on websites without knowledge of the matter and sincerely hope that someone else will fill their gaps for them. Take books and read, and do not tell who owes what to whom.


Methods of protection against bruteforce attacks:
Limit the number of attempts to enter a password. In 10 or 20 attempts, a hacker is unlikely to be able to find the right combination, and this is enough for the account owner to remember the password.
Use hacking detection systems.
They track suspicious behavior and store information about the device on which it is marked. Also, hacking detection systems automatically protect the account.

Ask users to come up with complex passwords. The more complex the combination, the harder it is to crack it with a brute force.
So, now in most large companies, specialists must create passwords with letters of different case, numbers and special characters.
Pentesters still check accounts using brute force: this measure of protection only seems obvious. Complex attacks can exhibit atypical behavior and bypass security software.
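
Added example (not posted by anyone in this thread, and not the Limit Login Attempts plugin's code): a sketch of the attempt-limiting idea applied to a web server access log, counting POSTs to wp-login.php and xmlrpc.php per client IP in a sliding window. The combined log format, the thresholds, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")  # the two endpoints named in the thread

def find_lockouts(log_text, max_attempts=5, window=timedelta(minutes=5)):
    """Map each client IP to the time its POST count inside `window` first exceeded max_attempts."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts still inside the window
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                       # GETs only render the login form
        if m["path"].split("?", 1)[0] not in AUTH_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts that aged out of the window
            q.popleft()
        if len(q) > max_attempts:
            locked.setdefault(m["ip"], ts)  # keep the first time the limit was crossed
    return locked

def _line(ip, hms, method, path, status):
    return f'{ip} - - [24/Aug/2022:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = "\n".join(
    # noisy client: 7 POSTs in 7 seconds across both endpoints
    [_line("203.0.113.7", f"09:00:{s:02d}", "POST", p, 200)
     for s, p in enumerate(["/wp-login.php"] * 4 + ["/xmlrpc.php"] * 3)]
    # occasional client: one POST every 10 minutes, stays under the limit
    + [_line("198.51.100.20", f"09:{mi:02d}:00", "POST", "/wp-login.php", 200)
       for mi in range(0, 60, 10)]
    # ordinary login: one GET for the form, then one POST
    + [_line("192.0.2.15", "09:01:00", "GET", "/wp-login.php", 200),
       _line("192.0.2.15", "09:01:05", "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}")
```

Every POST is counted as an attempt here because the access log alone does not say whether a login failed; a limiter inside the application can count failures only.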