Brute-force, DoS, and DDoS attacks – what’s the difference?
How are they dangerous? What tools or WordPress plugins can mitigate them? What are the chances of doing that successfully? Let’s clear up these intruder activities, which we see every day on any website.
A brute-force attack is a trial-and-error method used by hackers to guess credentials or encrypted data such as logins, passwords or encryption keys, through exhaustive effort (using brute force) with the hope of eventually guessing correctly. The brute-force attack is still one of the most popular password cracking methods for hacking WordPress today.
A Denial-of-Service (DoS) attack is an attack meant to shut down a website, making it inaccessible to its intended users by flooding it with useless traffic (junk requests). Sometimes DoS attacks are used for destroying computer defense systems. Some WordPress functionality can be exploited as an attack vector; CVE-2018-6389 is one instance.
A DDoS attack is short for Distributed DoS attack. Such attacks are performed by flooding the targeted website with useless traffic from multiple devices or a botnet. A botnet is a network of computers infected with malicious software (malware) without the user’s knowledge, organized into a group and controlled by cyber criminals. Modern botnets can contain tens of thousands of compromised mobile devices or desktop computers. Due to their nature, modern DDoS attacks are costly and require a lot of resources. Usually, that means you have a strong enemy who has enough gray money to order this kind of attack. Very often DDoS attacks are ordered by unscrupulous competitors or political opponents.
So, what’s the difference?
Technically they look different, but from a website owner’s point of view, the difference is just in the goal of an attack.
Both DoS and DDoS attacks have the same goal: to take down the victim, the targeted website or web server, and make a profit from that. Sometimes a DDoS attack is performed to destroy a defense system and obtain administrative access.
The goal of a brute-force attack is to obtain admin access to the targeted website in order to perform whatever illegal activity the intruder wants. Typical activities are:
- Stealing personal data from a customer database
- Redirecting legitimate users to fake websites to steal their personal data there
- Installing backdoors and trojans on the web server for long-term use
- Installing malicious software to infect admin and customer computers
- Adding links to infected websites to website content
Do these attacks really affect WordPress?
By default, WordPress allows unlimited login attempts through the login form, XML-RPC or by sending special authentication cookies. This allows passwords to be cracked with relative ease via the brute-force attack described above.
How to protect WordPress and mitigate these attacks
Both brute-force and DoS attacks can be successfully mitigated with security software installed on a website. In both cases, you don’t need to be a nerd and can get that protection for free.
- Brute-force attacks against WordPress can be successfully mitigated with the free WP Cerber plugin. Among other security features, it has protection for XML-RPC and REST API interfaces.
- DoS attacks can be mitigated with a special web server configuration. You can’t achieve that by installing a security plugin. The best practice is using NGINX rate limiting rules. Check out our recommendations: Turn your WordPress into Fort Knox.
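A sketch of what such NGINX rate limiting rules can look like, throttling the login form and XML-RPC more strictly than other PHP requests. This is an added example, not the configuration from the recommendations linked above; the zone names, rates, server name, document root and PHP-FPM socket path are assumptions to adapt.

```nginx
# Added example. Zone names, rates and paths are assumptions.

# --- http {} context: per-client-IP counters ---
limit_req_zone  $binary_remote_addr zone=wp_login:10m rate=6r/m;
limit_req_zone  $binary_remote_addr zone=wp_php:10m   rate=5r/s;
limit_conn_zone $binary_remote_addr zone=wp_conn:10m;

server {
    listen 80;
    server_name example.com;              # placeholder
    root /var/www/html;                   # placeholder
    index index.php;

    # Answer throttled clients with 429 instead of the default 503.
    limit_req_status  429;
    limit_conn_status 429;

    # Cap simultaneous connections from one address.
    limit_conn wp_conn 20;

    # Login form and XML-RPC: the password-guessing entry points.
    # On average one request per 10 s, with a small burst for retries.
    # Listed first so it wins over the generic PHP regex below.
    location ~ ^/(wp-login\.php|xmlrpc\.php)$ {
        limit_req zone=wp_login burst=3 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Every other PHP request: looser limit against single-source floods.
    location ~ \.php$ {
        limit_req zone=wp_php burst=20 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

These limits are keyed on the client address, so they slow a single source but not traffic spread across many addresses. If the site sits behind a proxy or CDN, `$binary_remote_addr` is the proxy's address unless the real client IP is restored first.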
Unfortunately, DDoS attacks cannot be mitigated at the web server level or with a WordPress plugin alone. DDoS attacks can be successfully mitigated only with special hardware installed on the hosting provider’s network. Because mitigating DDoS attacks involves a lot of resources, it costs money and is provided by hosting providers as a service on a subscription basis. Unlike brute-force and DoS attacks, there is no guarantee that all DDoS attacks will be successfully mitigated. Everything depends on how powerful the attack is, how powerful the hosting provider’s anti-DDoS system is, and how much network bandwidth the hosting provider has.
One of the most affordable solutions for protecting WordPress from DDoS attacks is using the Cloudflare service. But there are some minor disadvantages. Those guys will have control over all your DNS records and over incoming and outgoing web traffic to and from your website, because all traffic goes through Cloudflare servers. Some users reported that Cloudflare even had issues with owners being locked out of their websites. So, if you have no issues with DDoS, like many of us, there is no reason to add one extra layer that can generate an additional pain in the neck.
Catching an intruder
You can easily identify a physical source of an attack – a computer, a mobile device, etc.
If you have WP Cerber Security & Antispam installed, check out this post: Know more about intruder’s IP. The most disappointing thing is that the vast majority of those attacks cannot be traced back to a real performer or a master. Every attempt to trace them back ends up with a set of infected home PCs or mobile devices that are used as puppets, intermediate points for an attack.
Perhaps, one day, there will be no anonymous access to the Internet and every person in the world will be responsible for all outgoing traffic from their Internet-connected devices, but for the time being, all websites are under pressure from hacker activity.