Joomla is the second-largest open source CMS platform, powering millions of websites from small to enterprise level.
There are many techniques a hacker can use to attack a site, and one of the most popular is the brute force attack.
Brute force attacks rank fifth in the latest report by WhiteHat Security.
Brute force attacks can hit any other platform, such as WordPress, Magento, Drupal or even the server OS.
Technically, any platform, service, API, etc. that is password protected can be a victim of brute force attacks.
The good news is that mitigating brute force attacks is not as hard as mitigating other vulnerabilities.
If you run your blog, business website or eCommerce store on Joomla and are looking for a brute force mitigation solution, the following will help you.
Admin Brute Force Protection
- Add access key – include an extra key in the Joomla administrator URL
- Add key value – include a key and value in the administrator URL
Block login requests when brute force is detected through a maximum number of attempts, with an option to notify the admin by email.
To hide the login, you may also try the KSecure plugin.
SUCURI Firewall is an all-in-one cloud-based security provider to protect a multi-platform website from brute force attacks, bad bots, DDoS attacks, SPAM, SQL injection, etc.
If you are looking for a comprehensive Joomla security solution, then SUCURI would be a good choice.
SUCURI WAF (Web Application Firewall) runs on a globally distributed anycast network, which means you get protection and also enjoy global CDN performance optimization.
Brute Force Stop
Brute Force Stop is another FREE extension that lets you configure the block threshold and block duration.
- Block threshold – after how many attempts the IP will be blocked
- Block duration – for how long the IP will stay on the block list
You also have an option to configure the blocked message, configure a notification, etc.
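The block threshold and block duration settings described above, shown as an added example that is not part of the original article or of any extension's code: a per-IP limiter replayed over constructed login events. The class and function names, the sample events and the failure window (`window_seconds`) are assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-IP failed-login limiter (hypothetical class, not a Joomla extension API)."""

    def __init__(self, threshold=5, block_seconds=900, window_seconds=300):
        self.threshold = threshold            # block threshold: failures before the IP is blocked
        self.block_seconds = block_seconds    # block duration: how long the IP stays blocked
        self.window_seconds = window_seconds  # assumption: only failures this recent are counted
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failed logins
        self.blocked_until = {}               # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        # A block lapses on its own once the block duration has elapsed.
        return now < self.blocked_until.get(ip, 0)

    def handle(self, ip, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one login request."""
        if self.is_blocked(ip, now):
            return "blocked"                  # rejected before credentials are evaluated
        if password_ok:
            # Failures are not cleared on success, so the counter cannot be
            # reset by logging in to an account the client already controls.
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()                  # age out failures older than the window
        if len(recent) >= self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            recent.clear()                    # counting restarts after the block
        return "failed"

def replay(events, **settings):
    """Run (time, ip, password_ok) tuples through a fresh throttle; return the outcomes."""
    throttle = LoginThrottle(**settings)
    return [throttle.handle(ip, ok, t) for t, ip, ok in events]

# Constructed sample events: (seconds, source IP, whether the password was correct).
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (2, "203.0.113.7", False), (4, "203.0.113.7", False),
    (5, "198.51.100.20", False),   # a different IP making a single typo
    (6, "203.0.113.7", True),      # correct password, but this IP is already blocked
    (30, "198.51.100.20", True),
    (64, "203.0.113.7", False),    # the 60-second block has expired
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, threshold=3, block_seconds=60)):
        print(event, "->", outcome)
```

The fifth event shows why the block check runs before the password check: once the threshold is reached, even a correct guess from that IP is refused until the block duration ends.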
Clef is a fantastic way to mitigate brute force by replacing the traditional username and password with your mobile phone.
Go password-less with Clef two-factor authentication and let the magic happen in the background.
Enable Two-Factor Authentication
Starting from version 3.2, Joomla lets you enable two-factor authentication with the Google Authenticator and YubiKey authentication methods without installing any additional plugin.
Two-factor authentication cuts down brute force attempts and is one of the best ways to add a layer of login security.
RS Firewall is a premium security extension that secures a Joomla website against the following vulnerabilities, including brute force attacks.
- SQL injection
- Cross-site scripting
- Local file intrusion
You can enable logging of all blocked attempts so you can review the logs and permanently block suspicious IPs if needed.
RS Firewall also gives you an option to block continents and countries.
You may also consider the following extensions.
Akeeba Admin Tools – a premium extension to maintain, protect and optimize Joomla website.
Limit Login Attempts – free plugin to limit login attempts, block IP, limit lockout, lockout notification email, etc.
DMC Firewall – password-protects the administrator folder, performs a health check, bans suspicious IPs, etc.
Cloudflare WAF
Cloudflare is one of the popular CDN and cloud-based security solution providers for any website.
The FREE plan offers basic security; however, if you are ready to spend a few dollars, you can go with the PRO plan, which comes with many other features, including a cloud-based WAF with brute force protection.
Brute force can be dangerous, as it may take your online business down and cause financial and reputational loss. I hope the above solutions help you protect your Joomla website from brute force attacks.