Your web3 business is growing, and everything is going great. You wake up one morning and all of your holders are posting on Twitter that they have been hacked. You quickly jump into Discord to see if any apps were compromised, but everything looks fine. You check your website and notice something strange. The link to your minting page and wallet connect appear to be altered. At this moment, you realize you’ve been a victim of a web3 hack.
Unfortunately, this scenario is all too common in the web3 space. Project founders and teams overlook some of the most obvious security protocols, and that oversight can lead to millions of dollars being stolen from their holders. However, there are simple steps projects can take to secure their platforms, protect their IP (intellectual property), and prevent their users from getting hacked. In this article, we’ll discuss specifically how brute force attacks are on the rise, and what can be done to prevent them from destroying your project.
What are Brute Force Attacks?
Brute force attacks involve accessing an online account by “stuffing” usernames and passwords into the login page. This can be done using a simple computer program, a botnet or sophisticated data centers built for malicious intent. A successful brute force attack can disable a website, steal sensitive info from users, and even spread dangerous malware onto your personal computer. These attacks have been successful at hacking some of the most secure and powerful websites including GitHub, Spotify, and e-commerce giant Alibaba’s Taobao.
Why are Brute Force Attacks Gaining Popularity In Web3?
Even before web3, brute force attacks were a simple yet effective way for hackers to infiltrate a website. However, a successful attack on a web3 business could give a hacker access to the wallets of its holders by planting malicious links throughout the website. This can be especially dangerous for NFT projects that are in the minting process. If the minting link is altered, users could sign the wrong contract and lose everything in minutes. There is also the allure of crypto as a currency of choice for hackers, since it’s harder to track. Needless to say, there are major incentives for hackers to target web3 businesses right now, and they will be successful doing it.
How Do I Know If My Web3 Website Is Under Attack?
When your website is under attack, it’s sometimes very difficult to know if it’s successful. Sometimes the hacker may wait weeks or months before they deploy any changes. This is why it’s important to have a good defense from the start.
Common symptoms when your website is under attack
- Website loads very slowly or not at all
- Traffic spikes to the website from foreign countries
- Notifications of failed login attempts (if using login protection apps/plugins)
- Messages from users who report the site as ‘slow’ or ‘broken’ and offer to help fix it for a fee.
If you notice any of these symptoms, the first thing to do is to contact your web hosting company and let them know you could be under attack. If you can still gain access to the website, remove any inactive users, and change the password of admins/editors to something very strong. Check some of your most vulnerable pages with links and ensure nothing has been altered. Lastly, clear the site cache with your hosting provider to make sure any sessions have been reset. Brute force attacks can sometimes last for minutes or even days. It all depends on how much time and resources the hacker wants to spend trying to break through your login page.
What Happens If an Attack is Successful?
If an attack is successful, you might not immediately see repercussions. In fact, it could be weeks or months before the hacker takes action. This is why it’s important to routinely change passwords, and remove users that are unknown. Depending on the size and function of your website, the consequences could be severe. The hacker can install malicious software, steal data from your users, and change important links to redirect traffic to fake websites.
Let’s say you run an NFT project and you have a mint planned the following month. The hacker could wait until the mint begins to make their move. Your project might not lose any of its NFTs, but the wallets of holders would be compromised by signing a faulty contract, and their ETH and NFTs may get stolen.
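Because a changed mint or wallet-connect link may sit unnoticed until the mint starts, the advice above to check your most vulnerable pages can be run as a routine check. The following is an added example, not code from the plugin or the original article: it lists every link, script source and form target on a page whose host is not on an allowlist. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site should link to or load scripts from.
ALLOWED_HOSTS = {"example-project.test", "mint.example-project.test"}

# Constructed sample page with an altered mint link and an unknown script host.
SAMPLE_PAGE = """
<a id="mint" href="https://mint.example-project.test.claim-portal.test/mint">Mint now</a>
<a href="/roadmap">Roadmap</a>
<a href="https://example-project.test/faq">FAQ</a>
<script src="//cdn.unknown-host.test/wallet-connect.js"></script>
"""

class LinkCollector(HTMLParser):
    """Collect every URL the page can send a visitor or their browser to."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("href", "src", "action"):
            if attrs.get(name):
                self.urls.append((tag, attrs[name]))

def unexpected_links(html, allowed_hosts=ALLOWED_HOSTS):
    """Return sorted (tag, url) pairs that leave the allowlisted hosts."""
    parser = LinkCollector()
    parser.feed(html)
    bad = set()
    for tag, url in parser.urls:
        parts = urlparse(url)
        if not parts.scheme and not parts.netloc:
            continue              # relative link, stays on this site
        # Exact host comparison: a lookalike that merely contains an allowed
        # name is still reported, as is any non-web scheme.
        if parts.scheme not in ("", "http", "https") or parts.hostname not in allowed_hosts:
            bad.add((tag, url))
    return sorted(bad)

if __name__ == "__main__":
    for tag, url in unexpected_links(SAMPLE_PAGE):
        print(f"review <{tag}> -> {url}")
```

Run it against the HTML your server actually returns for the mint page, not against your local copy of the template.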
How can I adequately protect my web3 website and holders from attacks?
There are some simple steps to protect your website right now, and make it nearly impossible for hackers to break into your web3 website.
- Review all of the users that have access to your website. Make sure they belong there, but more importantly, make sure they are using strong passwords with at least 16 characters. Set a routine to do this every quarter.
- Download our plugin Limit Login Attempts Reloaded. Upgrade to premium if you notice a drop in performance or want the peace of mind of advanced features such as country blocking and active cloud block lists.
- Update all of your other plugins. Remove any of them that are not being used or you’re not sure of their functionality.
We hope you found this article helpful. If you have any questions about Limit Login Attempts Reloaded or general info about brute force attacks, please check out our help section.