Let’s talk about Brute Force Attacks

If you have a WordPress website at the moment then the chances are that you’ll know what to put after the URL to access the login page, right? (Hint: It starts with “wp” and ends in “admin” or “login”.) Although this makes the access process straightforward for a user, it also makes a brute force hackers job simple – they can find the login form effortlessly.

As well as the login page, another default is usually that the first user created has the username “admin”. If you have this username, you’ve just given away half of your login credentials to a hacker without even trying. Oops.

The only other thing they need to work out now is your password. Of course, some passwords are really difficult to guess, but if they’ve farmed your credentials from the dark web (i.e, someone stole data from another hacked site and they bought it), there’s a chance that your go-to password could be very much known.

On that last point about stolen data – they may also have your main email address, so even if “admin” isn’t your username, they may have the email part of it ready and waiting to go. What a nightmare.

Add in a “bot” (an automated attack machine for website login hacking) and you have the potential for someone to try millions of login credentials every single minute until they find one that works. Once in, they’ll sneak about unknown, installing malicious code, stealing your sites data or deleting your site completely. Great.

This is what’s called a brute force attack.


There are a few different ways to prevent, disrupt or dissuade brute force attacks and the first three steps are all about to preventing the above three steps from happening by fixing those weak points:

Weak Point 1: The Username

If your username is already set to “admin”, you can’t change it. But don’t panic, you can just create a new user with a unique username and set the access level to administrator – sorted.

Weak Point 2: The Password

If you use the same password (or passwords) all over the internet, you’re going to need to start getting more security conscious. I would suggest using a secure password storage app like PassPack to manage your passwords, and make each one unique wherever possible. This will eliminate the risk of farmed credentials being used in brute force attacks in the future.

Weak Point 3: The Login URL

The default login URL can be changed quite easily by installing a plugin which moves it somewhere else. The All in One security plugin I use in the next section has a login page transfer section which moves the wp-admin/login page to a url that you can choose to suit you and your users. Just make sure you keep a note of it somewhere, the last thing you want to do is lock yourself out of your own website!


There are also a huge variety of security plugins which can secure sites, but the one you ultimately go with must be right for you. Personally, I use All in One WP Security & Firewall because it suits what I need it for perfectly. Another option which comes highly recommended is Sucuri. I can’t vouch for it though, as I’ve never used it on a commercial website.

With the All in One plugin I would, as standard, set it up to also protect another three weak points which include:

Weak Point 4: No CAPTCHA

You know those things around the internet where you have to prove you’re not a robot by identifying the traffic lights in the grid of images? Or the maths equation that is harder than you thought it should be? Yep, that’s captcha. It’s an industry standard now to put captcha gates on most forms, this is especially true when you are defending against bot-based brute force attacks. Go captcha up!

Weak Point 5: No Honeypots

It’s an enticing name isn’t it? Who wouldn’t want to dip into the honeypot? Well, similar to how it sounds, a honeypot is essentially a bot trap. Here’s a definition:

“The way honeypots work is that a hidden field is placed somewhere inside a form which only robots will submit. If that field contains a value when the form is submitted then a robot has most likely submitted the form and it is consequently dealt with.”

Pretty neat, right? It gets sneakier…

Weak Point 6: No Login Lockdown

Remember when I said that bots can try millions of login combinations a minute? Not only does this put your site at risk of a winning combination, it also puts a huge amount of strain on your websites hosting resources. This is not good and it can cause a server issue if it happens regularly.

The easy way to stop this happening is to enable a Login Lockdown function that allows a certain number of combination entries then locks the IP address from being able to try again for a set amount of time.

There are cases where you may run a site where different legitimate users login a lot – this can become an issue if they do accidentally try the wrong login combination a few too many times. Where this is the case, you need to ensure you’re available to unlock their access and send them a password reset ASAP to avoid too much inconvenience.


If you resolve the above weak points, you should easily fight off most brute force attacks that come your way. Implement them carefully and, as always, make sure you create a backup of your site before making any changes – you don’t want to break it and have no way of going back!

There’s so much more to WordPress security than protecting against brute force attacks though, so keep your eyes peeled for another security post coming soon!

Leave a Reply

Your email address will not be published.