Preventing a Brute Force Attack

Preventing a Brute Force Attack
datum-geschreven 23 Dec 2023

How do you block a Brute Force attack?

You can block a Brute Force attack by using a security plugin that imposes a temporary or permanent block on the computer from which the attack originates after 5-10 failed login attempts. This block is based on the IP address. Initially, the block is temporary, but if the Brute Force attack continues, it may become a permanent ban.

Hiding the username

The security plugin we use immediately ensures that your username is not visible everywhere. This is a critical point as the username is the first key to a Brute Force attack.

Usernames are easier to determine than you might expect. For example, many users still use “Admin” as the username or have a username that is the same as the website’s name.

Hopefully, you don’t recognize yourself in these common mistakes. But even if you have a username that is as long as the dictionary, the usernames can be easily retrieved from the database, the author page, or the name above blog posts. There is even hacker software that can reveal usernames.

Think of it like the nameplate on your house – easy to read, but make sure they don’t get their hands on the password (the key)!

Hiding the login page

It’s important to prevent a Brute Force script from easily accessing your login page.

By default, every WordPress login page can be reached at:


This is well-known information.

The Ithemes Security PRO NL plugin allows you to choose a new unique address. For example:

vulnerability in WordPress

What does WordPress do against Brute Force attacks?

As Brute Force attacks are common, WordPress decided in 2015 that passwords should meet certain requirements:

  1. They must be at least 8-10 characters long
  2. They should include numbers, uppercase letters, and special characters
  3. They cannot be the username or website name

In a Brute Force attack, each character or digit that makes the password longer exponentially increases the difficulty of cracking the password.

When are you most likely to face a Brute Force attack?

The only good news so far is that the better your website performs in search engines like Google, the more bots will find your website.

It means that your website is well-visible and being visited by users!

Prevention is better than waiting..

Brute Force attacks will always exist, so prevention is better than cure. If you act too late, your website may be filled with backdoors, leading to potential damage. Google doesn’t appreciate spammy websites and can even inform visitors with a red warning that your website is unsafe!

De meeste artikelen worden geschreven door Mathieu Scholtes, de eigenaar van WPBeveiligen. Op de hoogte blijven van het laatste WordPress nieuws? WordPress tips? WordPress aanbiedingen?
Connect dan op Linked-in!

Heb je een vraag? Tip of gedachte? Deel die!

Breng me op de hoogte
0 Reacties
Inline Feedbacks
Bekijk alle reacties