What Is A Brute Force Attack?

by Gregory Preen
updated on June 26, 2022

If you have had looked into website security or had a website for a while you may have heard, or even been the victim of a brute force attack. Simply put, a brute force attack is when either a human, or more commonly a bot attempts to gain access to the WordPress admin area by guessing your username and password. Usually they will occur when they already know (or think they know) the username, they will then repeatedly attempt to login to the users account through the wp-login.php page by guessing the password.

Why Should I Worry About This?

There are two main reasons you should worry about this, firstly the obvious one, if they guess your password and gain access to your site’s admin area they can do all sorts of things and you can end up having a site full of malware and viruses which can not only be extremely difficult to resolve, but will also affect your business while the problem is being dealt with.

The secondly problem is a bit more technical, but basically by making repeated requests to login to your website means that your server can take a bit of a hammering, and depending on the size of the attack can potentially take your site down completely!

What You Can Do

If you are worried about a brute force attack happening on your website there are a few things you can do.

The easiest thing you can do is make sure your username and password cannot be easily guessed. Avoid the default admin username and try to use something that is not too obvious, and also change your password so it is secure and includes upper and lower case letters as well as special characters.
Change the default login page from wp-login.php to something else. This will give another layer of security against the attack as in addition to guessing your username and password they also need to guess your login url. A simple plugin that you can install to do this is WPS Hide Login
Limit access to the login page to specific IP addresses. This works well if you are the only user and primarily login to your website from one or two locations where the IP address is fixed.
Password protect your login page also adds another layer of security.

The options you implement will depend on how your site is used, for example limiting the login page to specific IP address can work well if you are the only one who logs in to the site, but will not be a good option if you have various team members or subscribers who need will be logging in. WordPress have gone into more detail about points three and four which you can read about here, but to implement either the IP address restriction or the password protection you will need some technical knowledge and should not be done if you are unsure what you are doing or you may cause damage to your website.

The Best Solution

Although the solutions above are going to help prevent the bruce force attack from succeeding they still don’t prevent unwanted usage of CPU and memory on your server. There is, however, another option that would alleviate this problem and that is CloudFlare. By routing your website through CloudFlare it means that brute force attacks can potentially be stopped before they even reach your server. This article goes into the specifics of how you can prevent a brute force attack on your WordPress website using CloudFlare’s page rules, but again you will need some technical knowledge to do this so you may want to contact a professional to set it up for you.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5CHRR6935X	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_96350877_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.

Others

What Is A Brute Force Attack?

Why Should I Worry About This?

What You Can Do

The Best Solution

From The Blog

Should I Have a Sitemap For My Website?

Not sure whether to use categories and tags in WordPress? Here’s the answer…

How to Use the Yoast SEO Plugin to Improve Your On-page SEO