Minimizing Brute Force Attacks on Joomla’s Backend Using .htaccess

If you’re running a Joomla website and you regularly check your Apache web server logs, you will notice that these logs are full of brute force attacks. These brute force attacks consist of continuous POST requests to your Joomla website, with dictionary based combinations of usernames and passwords, with the hope that one of these combinations will be the right one. Obviously, unless you have a very obvious password, brute force attacks are just a nuisance and nothing more. However, in large numbers, brute force attacks are no longer nuisances, but a major issue, because of the load issues they may cause.

Luckily, blocking brute force attacks on the administration area of a Joomla website is easy. In fact, just last month, we published a post with a ModSecurity rule to block brute force attacks on the backend of a Joomla website.

If you’re not a big fan of ModSecurity, then you can always add an additional layer of authentication on the backend of your Joomla website using the .htpasswd.

The nice thing about the ModSecurity and the .htpasswd methods is that they eventually block the offending IP – but – on the flip side, they are not very easy to implement.

If you want an easier method to minimize brute force attacks on Joomla websites, then you’re in for a treat! Today, we have an easy set of rules that you can simply add to your .htaccess file to minimize such attacks. Here they are (we know you don’t want to wait anymore):

# First redirect from non-www to www as explained here.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^
RewriteRule (.*)$1 [R=301,L]

# Now block brute force logins
# If the request type is POST...
# ... and the referering page is not your website
RewriteCond %{HTTP_REFERER} !^ [NC]
# then block the request
RewriteRule ^(.*)$ - [R=403,L]

The above code should be added to the .htaccess file under your administrator folder. If you don’t have one (which is typically the case for most Joomla websites), then create it and add the above code.

Now let’s explain the rules a bit (we did explain them in the code, but more explanation is never harmful):

  • First we redirect from non-www to www to make things easier.
  • We then check if the request method is of type POST – if it is, then we check if the referring URL is not the actual website (brute force attacks typically post directly to the action page without going through the normal workflow). If it is not, then we block the request with a 403 forbidden. If it is, then we allow the request.

But is this too good to be true?

We hate to say it – but yes – this whole thing is too good to be true, and that’s why we carefully chose the word minimizing instead of blocking in the post’s title. See, the heart of the .htaccess rules that we have is the HTTP_REFERER value, which, unfortunately, can be forged because it is a client set value (e.g. it is set by the client, and not by the server).

Additionally, there are some browser plugins that can automate tasks, including brute force attacks, and these browser plugins make it look like as if the whole thing was initiate by a real user, and not by an automated robot.

But, again, these rules will minimize the brute force attacks – since many attackers don’t even both faking the HTTP_REFERER, so implementing the above code is beneficial to your Joomla website!

Now, if you have some questions on the above, or you need help with implementation, then please contact us. Our fees are affordable, our work is quick, and we really are experts in Joomla security.

No comments yet.

Leave a comment