Brute Force Attack: Protecting Your Website

Brute force attack is a very basic attack, contrary to what one might think, it has become very easy to perform this type of attack thanks to simple to use tools such as Fireforce, Cain & Abel and John the Ripper.

Brute force attack: how does it work?

The principle of the attack is to try several times to find the password of a file or an application by testing all possible combinations of characters until the password is discovered.

The brute force attack can also be sanitized using a dictionary with the same principle. The data is drawn in a list which contains all the possible values ​​of a password, it is for that, it is always necessary to avoid the use of the words of a dictionary in your passwords.

To make this attack work, hackers will often use software that automates the testing of password combinations until a correct combination is found.

With the increase in computing power of computers, brute force attacks have become more efficient, hackers can perform thousands of login attempts per second. That's why it's important to take steps to protect your website against this type of attack.

Protect your website from a brute force attack

There are several methods to protect a website against brute force attacks:

Identify the attacker

The solution to identify the attacker is to mark him by giving him a cookie, or using his IP address. But unfortunately these two techniques are no longer sufficient, because the hacker can change his IP address using a proxy, or a VPN or simply by restarting the connection modem.

Block attacker's IP address

If you notice an IP address making an extreme number of bad connection attempts, then configure your Apache server to block that IP address.

Apache has commands to deny access to these addresses using directives ,> and , that's why you can use User agent, or the information available in the HTTP headers.

To prohibit access to an IP address you can use: deny from

Or for all IP addresses starting with 10.0: deny from 10.1

This is the most effective method to block a remote user thanks to the web server which is in charge of processing HTTP requests.

Block the attacker with the Cookie

If an attacker has entered ten attempts, we create a cookie that will allow us to mark them when they return to the site. This cookie should block it for X minutes. It is a small protection which is simple and which can spare you some difficult situations.

The script is as follows:

if ($_COOKIE['counter'] 10) {
header("HTTP/1.0 404 Not Found" quot;);
setcookie('counter',$_COOKIE['counter'] + 1, time() + 3600); ?>

Admittedly, the script is basic but terribly effective against this type of attack!

What can I say that the attack by Brute Force is more likely to fail if you react faster.

To make it harder for hackers to do their jobs, you can also add timing, an extra layer of protection.

Time delay

Timing is a complementary technique which consists in preventing attempting more than 2 attempts in a row per n seconds. Your visitors will not see any change if you take a margin of 2 seconds, while the robot which must enter hundreds of attempts per second will be delayed. So like that you reduce the attack speed.

To add the time delay, there are functions sleep () et drag () from PHP

Function sleep () is expressed second and drag () in microsecond.

Here is an example:

sleep(1); // pause for a second
usleep(1000000); //pause for a second

Other methods to protect your site from brute force attacks

Here are other methods to protect your website against brute force attacks:

Limit connection attempts

You can limit the number of login attempts to an account or login form by using security plugins for your content management system (CMS) or by writing custom code.

Using a firewall

You can use a firewall to block IP addresses that make too frequent connection attempts. There are security plugins for CMS that include this functionality or cloud firewall services.

Using Two-Factor Authentication

Using two-factor authentication (2FA) makes accounts more difficult to hack because it requires a second factor of authentication, such as a code sent via text message or authenticator app to be used in addition to the password .

Strengthen passwords

By using password complexity rules and encouraging your users to choose strong, unique passwords, you can reduce the risk of a brute force attack.

Use of captchas

Using captchas can help prevent automated attacks. They are tools used to distinguish human users from automated programs, such as robots or malicious scripts. Indeed, captchas can be effective in blocking brute force attacks and most other forms of automation.


It is important to note that no security measure can guarantee absolute protection against brute force attacks, so it is important to continue to regularly monitor your site's login activities and update security measures regularly. square.