Brute Force Attack – What it is and How to Block It

Brute-force is a method of guessing a password by trying combinations of letters, numbers and symbols until one works. Some brute-force attacks use dictionaries of commonly used passwords, words and names in order to speed up the process of guessing users' passwords.

The first thing you need to do in order to protect yourself from such attacks is to choose an appropriate username and password. Avoid common usernames such as admin, administrator or superuser. Make your password as complex as possible and include numbers, special characters, upper-case and lower-case letters. There are free generators that create long and strong passwords for you. If you have trouble remembering long passwords, you can use a password vault such as 1Password.

If you detect that someone has launched a brute-force attack against your site (such attacks generate a huge number of failed login attempts in your log), you can block the attacker's IP address from accessing your site completely. To do that, simply add the following line to your .htaccess file:

Replace 123.123.123.123 with the actual IP address of the attacker. In addition, you should restrict the admin areas of your site to your own address only. If you use WordPress, that is your 'wp-admin' folder. If you use Joomla, you'll need to protect the 'administrator' directory. This is good practice, and it is worth doing even if there is no attack against your site. The actual .htaccess rules you need to place in those folders are:

Replace 222.222.222.222 with your own IP address. To find out your IP address, you can use one of the many sites providing that information, such as whatismyip.com.
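The article says a brute-force attack shows up as a flood of failed login attempts in your log. The script below, an added example that is not part of the original article, reads Apache "combined" log lines, counts failed POSTs to the WordPress and Joomla login pages per IP, and renders the 'deny from' lines the article describes. The 200-means-failure heuristic, the threshold of 20 and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Apache "combined" log line, e.g.
# 203.0.113.5 - - [31/Jan/2017:20:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Login endpoints of the two CMSs the article mentions.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

def failed_logins_per_ip(lines):
    """Count POSTs to a login endpoint that did not end in a redirect.

    Assumption: a successful WordPress/Joomla login answers with a 302 redirect,
    so a POST to the login page that gets a 200 is treated as a failed attempt.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        if m["status"] == "200":
            counts[m["ip"]] += 1
    return counts

def htaccess_block_rules(counts, threshold=20):
    """Render one 'deny from' line per IP at or above the threshold (the syntax used in the article)."""
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return "\n".join(f"deny from {ip}" for ip in offenders)

# Constructed sample log: one client hammering wp-login.php, one legitimate admin who
# mistypes once (200), then logs in (302) and reaches wp-admin.
SAMPLE_LOG = [
    f'198.51.100.23 - - [31/Jan/2017:20:30:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "curl/7.50"'
    for i in range(25)
] + [
    '203.0.113.5 - - [31/Jan/2017:20:31:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Jan/2017:20:31:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Jan/2017:20:31:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(htaccess_block_rules(failed_logins_per_ip(SAMPLE_LOG)))
```

The 'deny from' form is the Apache 2.2 access-control syntax the article uses; on Apache 2.4 it only works with mod_access_compat loaded, otherwise the equivalent is a 'Require not ip' rule inside a RequireAll block.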

Last but not least, please contact our Support team through your Help Desk in order to receive additional assistance on that matter.

3 Comments

  1. Geckohale SiteGround Team, January 31, 2017 / 20:30

    The IP you allow is the browser IP you use to access the website? Not the actual website address, correct?

    Doesn't the:
    deny from all
    allow from 222.222.222.222
    block all access from everyone EXCEPT your browser IP?

  2. Geckohale SiteGround Team, January 31, 2017 / 20:31

    Sorry ... I meant to add "to your entire site". How do you tell it you just want to block a particular directory?

    • Ivan Atanasov SiteGround Team, February 1, 2017 / 13:32

      Create an .htaccess file in the directory you wish to block access to (for example wp-admin for WordPress, and administrator for Joomla, as mentioned in the article) and add the following code to it:

      deny from all
      allow from 222.222.222.222

      Replace 222.222.222.222 with your actual IP. Let us say that you added the code in an .htaccess file located in the wp-admin folder: in this case you will deny access for everyone except the specified IP (add as many "allow from" lines as needed, specifying the IPs that you wish to grant access to the wp-admin directory).
