In the last couple of weeks our servers were hit pretty hard by brute force attacks. When this happens our servers tend to slow down… a lot! Our server techs were on it and advised us to install some additional precautions and website protection beyond our normal checks and balances.
What this meant was that we had to install a more advanced plugin that would block anyone that seemed suspicious. When we did this the plugin was set, by default, to send 4 sets of emails. This meant many of you received a slew of emails from your website warning you of various hacker attempts.
I wanted to address this issue and give you ways in which we’ve improved your website’s security.
What Is a Brute Force Attack?
A brute force attack is a trial-and-error method used to decode sensitive data. The most common applications for brute force attacks are cracking passwords and cracking encryption keys (keep reading to learn more about encryption keys). Other common targets for brute force attacks are API keys and SSH logins. (Source: Cloudflare, https://www.cloudflare.com/learning/security/threats/brute-force-attack/)
What Is The New Website Security Feature Looking For?
- Anyone who appears to be attempting to log in with a non-existent or prohibited username.
- Any attempts to abuse your contact forms.
- File changes and new files within the website’s build and core.
- Anyone who appears to be searching for vulnerable files.
What Is The Website Protection Doing?
- Log user, bot, hacker and other suspicious activity.
- Restrict access by a White IP Access List and a Black IP Access List, each entry being a single IP, an IP range or a subnet. This means that if someone is trying to do something they shouldn’t, we’ll completely block their entire IP address.
- Verify the integrity of all WordPress files, plugins and themes.
- Hide wp-login.php, wp-signup.php and wp-register.php from possible attacks.
- Immediately block an IP or a subnet when it attempts to log in with a non-existent or prohibited username.
- Invisible reCAPTCHA for WordPress comment forms.
- Limit login attempts by IP address or entire subnet.
- and more…
What This Means For Your Website In The Future
We have several layers of website protection and security built into your site to help prevent unauthorized access. With these changes,
Limiting Login Attempts.
One layer of website security is tracking the number of times a wrong username or password is used to log in to your site. If we did not limit the number of incorrect login attempts, this would leave the door open for a “Brute Force” login.
We want to make it easy for you to log in, but we also need to make sure we are preventing hackers and other unauthorized individuals from accessing your website. We know it can be frustrating when you try to access your site and cannot get in. I’ve got some tips below to help you manage your passwords.
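To make the lockout rules above concrete, here is an added Python model of the policy (not code from this post or from the plugin we installed): failed logins are counted per IP inside a time window, an IP that exceeds the limit or tries a non-existent username is blocked for a lockout period, and IPs on the White IP Access List are never blocked. The thresholds, account names and allowlisted subnet are constructed values, not the plugin’s real defaults.

```python
import ipaddress
import time

# Constructed policy values for illustration; the plugin's real defaults are not on the page.
MAX_ATTEMPTS = 5         # wrong passwords allowed per IP inside the window
WINDOW_SECONDS = 600     # sliding window in which failures are counted
LOCKOUT_SECONDS = 3600   # how long a blocked IP stays blocked
VALID_USERS = {"editor@example.com", "owner@example.com"}   # constructed accounts
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]        # the "White IP Access List"

class LoginGuard:
    """Counts failed logins per IP, blocks repeat offenders and username-probing clients."""

    def __init__(self):
        self.failures = {}   # ip -> timestamps of recent failures
        self.blocked = {}    # ip -> time the lockout ends

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self.blocked.get(ip)
        if until is not None and now < until:
            return True
        self.blocked.pop(ip, None)   # no lockout, or it has expired
        return False

    def record_attempt(self, ip, username, success, now=None):
        """Returns 'blocked' if the IP is (now) locked out, otherwise 'ok'."""
        now = time.time() if now is None else now
        if any(ipaddress.ip_address(ip) in net for net in ALLOWLIST):
            return "ok"                      # allowlisted IPs are never blocked
        if self.is_blocked(ip, now):
            return "blocked"                 # rejected even if the password is right
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        if username not in VALID_USERS:
            # Non-existent username: block immediately, without counting
            self.blocked[ip] = now + LOCKOUT_SECONDS
            return "blocked"
        recent = [t for t in self.failures.get(ip, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.blocked[ip] = now + LOCKOUT_SECONDS
            return "blocked"
        return "ok"
```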
Usernames vs. Email Addresses.
Since usernames can be guessed, we are going to change your username or login ID so that it is the email address you are using for your WordPress account. We’ll be making this change during the month of October, 2018.
If you forget your password, click the “Forget Password?” link on your Dashboard login screen. You’ll be asked to enter your email address, and a link to reset your password will be sent to it.
This is the most secure method because only you will know your password. Nobody on the GlobalSpex team will know it, and it won’t be stored anywhere else (like in your email inbox), which could be insecure. You can of course always ask us to reset your password. We don’t actually have a way to view what your old password was, but we can replace it with a new one.
WikiHow has a great article about how to create a secure password and remember it, which helps prevent hackers from guessing your password.
Another option is to use a password manager that helps you create secure passwords and access your websites easily. We personally use and would recommend LastPass. This service allows you to remember one password for all of your accounts but will also help you generate long, complicated passwords.