HostingReviewASP.NET | How to Protect a Joomla Site from Brute Force Attacks
If you own a Joomla website and host it yourself, you will probably see these kinds of attacks against your servers constantly. Brute-force attacks on Joomla sites are common these days. The reality website owners must face is that attackers control large farms of compromised computers, and those machines can be used to coordinate massive brute-force attacks on a website. In this post, we share a few ways to reduce the chance that someone gains unlawful access to your Joomla websites by way of brute-force attacks.
A brute force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to exploit other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys or passwords until the correct one is found; in the worst case, this means traversing the entire search space. For password guessing, this method is very fast at checking all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.
In short, a brute force attack tries to force its way into your website's administrator area by trying every combination of username and password it can come up with.
There are two main problems with this for you as a website owner. Obviously, it is not good to have people snooping around in your Joomla admin with super administrator rights. That is a given. The other thing to be concerned about is that such attacks consume a lot of your server's capacity.
There are several things you can do to protect a Joomla site from brute force attacks. Longer and more complex usernames and passwords are one; blocking access to the site is another.
You have heard it time and time again: make sure you have strong passwords! Usernames are important, too. We have made it a habit never to use 'admin', 'administrator' or anything like it as a username on our websites. We choose a unique username for each site. When it comes to passwords, we always use 20 or more random alphanumeric characters, in a combination of lower and upper case, with some symbols thrown in. And we never use a password for more than one website. 20 characters, you say? How on earth do you remember that? Just think of three words, like "Password Management Software".
You can use LastPass.com to both generate and manage your passwords. 1Password is also good, so if you are on a Mac you might want to try that out. With these tools there is no problem managing hundreds, or thousands, of passwords with ease. Just make sure you have a solid master password, and you might consider investing in a YubiKey for two-factor authentication with Joomla.
Another method of avoiding the perils of brute force attacks is to restrict access to the website or server based on the attacker's IP address or IP range. There are several ways to do this:
We recommend AdminExile as an excellent plugin for Joomla 2.5 or later. It lets you block IPs after a certain number of failed password attempts, and you can set how long the block stays in effect. This has proven very effective, as it can stop some very nasty attacks.
We recently had an attack on a website where over 4000 machines tried to brute force their way into a Joomla site. It did not succeed, and we managed to block the IPs permanently rather quickly. Another day, we had 25000 brute force attempts on another website. That is when we adjusted the AdminExile plugin to block the perpetrators after fewer attempts and for a longer period of time. That definitely helped. The main reason the attack did not succeed was strong passwords. AdminExile, however, can prevent your site from going down by blocking the IPs after X failed attempts.
On Apache servers, you can add IP addresses to your .htaccess file. This will prevent those IP addresses from even reaching your Joomla administrator page or any other page on your website. Here’s a tool that makes it easy to create the snippets you need for your .htaccess file.
Example code (Apache 2.2 access-control syntax; 203.0.113.32 is a placeholder from the documentation address range, so replace it with the address you actually want to block):
Order Deny,Allow
Deny from 203.0.113.32
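To show how the two blocking methods above fit together, here is an added example (not code from the AdminExile plugin, from Joomla, or from the tool linked above): a small lockout tracker that blocks an address after N failed admin logins within a time window, lets the block expire, and renders the active blocks as the .htaccess lines shown above. The thresholds, the login events and the addresses (documentation ranges) are all constructed for the illustration.

```python
from collections import defaultdict, deque

class LoginLockout:
    # Block an IP after max_failures failures within `window` seconds, for block_seconds (constructed defaults).
    def __init__(self, max_failures=5, window=300, block_seconds=3600):
        self.max_failures, self.window, self.block_seconds = max_failures, window, block_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time when the block expires
    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[ip]           # block expired: forget it, start fresh
        self.failures[ip].clear()
        return False
    def record_failure(self, ip, now):
        # Returns True when this failure trips the block for the IP.
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.window:      # drop failures outside the window
            q.popleft()
        if len(q) < self.max_failures:
            return False
        self.blocked_until[ip] = now + self.block_seconds
        q.clear()
        return True
    def htaccess_rules(self, now):
        # Render the active blocks as the Apache 2.2 Deny lines shown above.
        active = sorted(ip for ip, until in self.blocked_until.items() if now < until)
        return ["Order Deny,Allow"] + [f"Deny from {ip}" for ip in active]

def simulate(events, policy=None):
    # Replay (time, ip, success) login events; return the policy and the IPs it blocked.
    policy = policy or LoginLockout()
    blocked = []
    for t, ip, ok in events:
        if policy.is_blocked(ip, t):
            continue                         # rejected before the password is checked
        if ok:
            policy.failures[ip].clear()      # a good login resets the counter
        elif policy.record_failure(ip, t):
            blocked.append(ip)
    return policy, blocked

# Constructed events: one IP hammering the login, one legitimate user who mistypes twice.
SAMPLE_EVENTS = (
    [(t, "203.0.113.32", False) for t in range(0, 10, 2)]
    + [(1, "198.51.100.7", False), (3, "198.51.100.7", False), (6, "198.51.100.7", True)]
    + [(t, "203.0.113.32", False) for t in range(12, 20, 2)]
)
```

Note the caveat the window introduces: an attacker that spaces attempts out further apart than the window never trips the counter, which is why the post's advice to block after fewer attempts and for longer still depends on strong passwords.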
If you are on a dedicated server or your own network, blocking IP ranges on the firewall might be a good option. Be advised, though, that this may block some valid traffic to your site. For some sites this will not be a problem: if you run a local site with no clients from outside your country, you can block the IP addresses of a whole country if you wish, and it will not affect your business. If your business is international, you need to consider this more carefully and pinpoint specific IP addresses or limited ranges.
Brute force attacks are probably something we need to live with. There are, however, quite a few things you can do to limit the chance of someone succeeding with such an attack. If you have tried all of the measures above and still do not get a satisfactory result, you can contact your hosting provider's technical support. A good and reliable hosting provider will be ready to help you with technical problems on your Joomla site. Maybe you are tired of slow, unprofessional and unhelpful support from your hosting provider. We highly recommend moving your Joomla site to HostForLIFE.eu's servers. They have hired an army of the very best technicians, managers and web hosting gurus, which means they provide clear, professional and fast support. Their team is always standing by to respond to your queries, big or small, around the clock, 24x7, 365 days a year. You can also contact their support via all standard communication channels: by e-mail, through the ticketing system, or via an online form.
HostForLIFE now offers the latest Joomla 3.4.3 hosting with unlimited domains, unlimited disk space and unlimited bandwidth. With the 1-click World Class Plesk tool installer you will have Joomla 3.4.3 installed in a couple of minutes, with no complex settings and no special technical skills required. For more information, you can go to their official site.