Protect your Joomla site from Brute Force attacks

  • Monday, 19 August 2013

We've all heard that we need a strong username and password to secure the Joomla Administrator. But, nobody's going to guess your password, right? Well... 

Your login area could be under attack at this very moment by bots systematically bombarding it with thousands of username and password combinations. Here's a 2 minute exercise to see if your site is experiencing "Brute Force" attacks.

  1. Open your FTP client and access your site.
  2. Navigate to the public_html/logs/ folder in your site root.
  3. Download the file error.php to your desktop
  4. Open it in a text editor.

What do you see? Do you see thousands of lines like this?

2013-07-26 19:18:23 INFO 123.456.78.90 Joomla FAILURE: Username and password do not match or you do not have an account yet.

Each line represents a failed log in attempt. We usually see between 10,000 and 40,000 failed login attempts depending on the popularity and age of the site. The most popular site we manage was logging over 100,000 failed logins each month until we installed an extension to detect and counter Brute Force attacks. Let us know in the comments how many of these messages were found in your logs.

What is a Brute Force attack?

Brute Force is a method of attacking a website by systematically bombarding the login page with username and password combinations. This method of Brute Force attacking a site is very common. Most Joomla Admins use the default Super Users password of 'admin'. And, can you believe the most popular password in the world is 'password'? Followed by combinations of '123123', '123456', 'qwerty' or common words like 'baseball' and 'monkey'. See Splashdata.

Hackers use automated bots which are programmed to crawl the web looking for the administrator/ folder for Joomla sites and wp-admin/ for Wordpress sites. Once located they go to work submitting login details over and over and over. These scripts run constantly, completely automated, day and night. When a successful login occurs the hacker will get a notification and your site is compromised.

The fact is, if you use a simple login and password to access your site, there's a high chance hackers will eventually discover it.

How do I counter brute force attacks on my Joomla site?

You can counter this on your Joomla site by configuring a security component like Admin Exile, Max Failed Login Attempts(2.5 only) or Brute Force Stop. But, you can't control Brute Force attacks on sites you don't own so always use a different login and password combination and use a combination of lowercase, uppercase, numbers, letters and symbols.

Joomla staff recently wrote an article on The Importance of Using a Strong Username and Password which provides some great methods of creating super strong passwords that are also easy to remember.

If you need help securing your site drop me a line.

john-pitchers-avatar-300About John Pitchers

John Pitchers is a specialist in back-end Joomla development and development of Joomla based websites. He is also the developer of the FocalPoint maps extension for Joomla. John has been building CMS based web sites since 2004, originally working with Mambo before it became Joomla. When not writing PHP, Javascript or CSS you'll find John carving up the hills around Baldivis on his longboard (long before Walter Mitty made it famous).

Find out more about John on his page and . Follow John on Twitter.