5 Steps To Prevent Brute Force Attack in PHP

Published on: June 16, 2020

5 Steps To Prevent Brute Force Attack in PHP

There are around 12-24 million eCommerce stores on the internet today. With this huge number of websites comes severe security threats. One of them is the Brute Force Attack. Did you know that the Brute Force Attack has increased by 400% since 2017 and is still increasing? In this article, we will discuss all about Brute force attack in PHP and ways to prevent them.

&lt Brute-force attack in PHP
(Source: Varonis)

What is a Brute Force Attack in PHP?

Brute force is a hacking technique used for guessing the user by trying various possible login credentials. Brute-force involves trying thousands of login credentials repeatedly in a short time span until the attacker succeeds. A Brute-force attack can be time-tedious but with automated tools and sophisticated methods, it has become super easy to gain access to your website.

&lt Brute force attack
(Source: Edureka)

As the picture depicts, first, there is a brute force tool to which the attacker feeds leaked usernames and passwords, or a username and a list of passwords, or a password and a list of usernames. The brute force tool will send these usernames and passwords to the web applications where they are authenticated and checked whether the credentials were right or wrong.

Types of Brute Force Attacks

  • Credential Stuffing:- In this type of attack, the attacker has a list of usernames and passwords. He will take a username and try all the passwords from the list of passwords.
  • Hybrid Brute-force attacks:- As the name suggests, it is a hybrid of a dictionary attack and a brute-force attack. This means that the dictionary attack will include a list of words for possible passwords and the brute-force attack will go through the list of passwords.
  • Reverse Brute-force attack:- It is the exact opposite of credential stuffing. Instead of using a username against a list of passwords, it uses a password against a list of usernames.

Brute Force Attack in PHP

A brute force attack is a technique of finding correct login credentials for a website. This attack can put your customers’ data and credit/debit card data at risk along with your admin account and your website’s credibility. Example 1:-The attacker takes a wordlist of known web pages and then sends a request to each page to analyze the HTTP response to determine whether the web page exists or not. Brute force attack tool used for this attack is: DirBuster

(Source: OWASP)

In the output above, it shows that PHPMyAdmin/directory is found. This data can be used by the attacker to steal your data. Example 2:-Alibaba, a brute force attack in 2016 affected dozens of accounts.

Test if your PHP website is vulnerable to Brute-force attacks

Before diving deep into the ways to prevent a Brute-force attack in PHP, you must know if there is a possible threat to your PHP website. Take a penetration testing on your PHP website for possible threats and vulnerability assessments.

Symptoms of a Brute-force attack

  • When someone is trying to brute attack your website, your server will heat up and it will slow down.
  • During an attack, you will get a number of server requests that will heat your website.
  • Extreme resource consumption is one of the most common symptoms of a Brute-force attack in PHP. It is the use of an unusual amount of bandwidth after a successful login.
  • You will start experiencing an unusually high traffic.
  • You will receive notifications of an unusually high number of failed login attempts from the same IP address.

5 Steps to Prevent Brute Force Attack in PHP

A brute force attack is relatively easy to detect as compared to other attacks such as SQL injection attack, backdoor attack, etc. The symptoms listed above are quite easy to notice. But this doesn’t mean that it is relatively easier to prevent. Easy detection does not equate to easy prevention in this scenario. To prevent an attack on your PHP website, you will need to follow the following steps:

a) Use strong passwords

You might find the idea of using a strong password silly. After all, who will ever be able to guess what your password is! Well, let me burst your security bubble. If you are using the easiest possible password, then you are at a high-security risk. For instance, you used numbers like ‘17894’ as your password. For each place, an attacker will have to guess 10 times, and for the complete combination, it may be a couple of 100 times. This may seem to be a lot to you. But for an attacker, it is next to nothing. Here are certain combinations that you can use:

  • Mix uppercase letters with lowercase letters.
  • You can use letters with numeric values.
  • You may also combine letters, numbers and characters for extra security.
(Source: WikiHow)

b) Limit login attempts

If you limit the login attempts to your website, the user will be stopped after 2 or 3 unsuccessful login attempts. For this, you will have to create codes that will authenticate the entry of correct credentials. Also, put a stop to multiple login attempts from the same IP address.

&lt Brute force attack prevention in PHP
(Source: StackOverflow)


Using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) can help you strengthen the defense of your website. It can verify whether the login attempt is being made by a human being or a robot. There are certain ways to introduce CAPTCHA to your website:

  • The most commonly used CAPTCHA is to select the boxes in which the specified object can be seen.
  • You can also use a combination of characters and numbers to be entered before the attempt is authenticated.
  • You can add “Answer a security question” to the CAPTCHA that only a genuine user will know.
&lt Brute force attack in PHP
(Source: Medium)

d) Multi-factor Authentication

Multi-factor authentication is a highly reliable prevention technique to brute force attacks in PHP. This authentication will add two-layer security to your website. To implement MFA, you can use the credentials as the first layer and then email as the second layer. You can change the layers as per your choice. This can vary from verifying your email or phone number to answering a security question related to your childhood.

&lt brute force attack in PHP
(Source: SpaceOTechnologies)

e) Time Delays

Implementation of time delays between login attempts is not a preventive measure but more of a defensive measure. It can slow down an incoming attack but cannot prevent it.

f) Firewall

Using a firewall on your website is without a doubt the best way to secure your eCommerce store. We can go on and on about being careful in using strong passwords, limiting login attempts, adding security questions, etc. But let’s face it! We know that during an attack, no such measures will help you. A firewall, on the other hand, will ensure the safety of your website. We provide the best security at the best price. If you want to know more about ASTRA security, visit us today.

&lt astra
Type caption (optional)

Security features of ASTRA firewall among the many include:

  1. Blacklist monitoring
  2. Country blocking
  3. Stop Brute-force attack
  4. Prevent bot attacks
  5. Vulnerability Assessment and Penetration Testing
  6. Human Assistance
  7. Immediate action


A brute force attack in PHP can take a disastrous turn without your notice. Therefore, it is imperative that you take the necessary steps in that area. If you are unable to secure your website, we are here for you. We hope that this article has provided you with what you were looking for. If you have any queries, visit us on our official website: ASTRA Security and we will be delighted to help you out!

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany