Array / 8 min read

WordPress brute force attacks: how to protect your site from them?

WordPress brute force attacks are one of the most common security threats website owners, and admins have to be aware of. Malicious actors such as hackers are constantly on the prowl for new victims, and WordPress sites are a common target, given their popularity.

This article will explore brute force attacks, one of the oldest and most common hacking methods, which has stood the test of time due to their increased effectiveness. We will determine the following:

  • What a brute force attack is.
  • Why hackers perform brute force attacks.
  • Types of brute force attacks.
  • How common brute force attacks are in the WordPress ecosystem.
  • What you can do to reduce the chances of suffering a successful brute force attack.

Let’s get into it.

What are brute force attacks?

Code screen

Brute force attacks, also known as brute force login attempts, are cyberattacks in which the attacker tries every possible combination of characters to crack passwords and other login credentials, encryption keys, or hidden web pages to gain unauthorized access to a site or some other computer system.

It’s one of the oldest and simplest cyberattacks because it relies on simply trying strings of characters until one of them is correct. Despite this, they remain a popular hacking method that website owners and managers need to be aware of.

What do hackers gain from brute force attacks?

There are multiple reasons why hackers may brute force a website. Some of the most common include:

  • Stealing personal data they can sell later.
  • Gaining access to a site to spread malware, deploy SEO spam attacks, set up ads they can profit from, route traffic to their own web domains, or enact a ransomware attack.
  • Taking control of a site for purely malicious purposes
  • Taking out websites entirely.
  • Infecting website visitors with spyware to collect even more data they can later sell.

Types of brute force attacks

Lock over a keyboard

In its simplest form, brute force attacks rely on trial and error to guess the correct login credentials. However, hackers have become more sophisticated over time and developed more complex brute force methods while still using simpler ones when it suits them.

These are the most common types of brute force attacks.

Simple brute force attacks

Brute force attacks in their least complicated way. Hackers try to guess a password by using automated tools and scripts. It involves trying every possible character combination until one is correct, and the hackers gain access to a website’s backend.

This attack works best for weaker, shorter passwords that don’t combine lower and uppercase letters, numbers, and special characters. Simple passwords could take a fraction of a second to crack. In contrast, long and detailed ones could take thousands of years.

But remember that computing power increases over time. Cracking longer passwords by simple brute force will become easier in the coming years and decades due to computers being able to go through more passwords faster. This leads to the need for even stronger passwords as time goes on.

Dictionary attacks

These kinds of brute force attacks rely on a “dictionary,” a set of common words or phrases likely to be successful in cracking login credentials, often combined with numbers. Initially, dictionary attacks used extensive collections of relatively random words. Today hackers often use sets of leaked passwords to build their dictionaries.

When setting their sights on a specific user, hackers may scour their blogs, social media accounts, etc., looking for potential phrases and words to use based on hobbies and other personal details. Another common dictionary attack method is running through possible passwords and substituting letters and numbers for other characters, such as changing “a” to “@.”

Dictionary attacks are time-consuming and less effective than more sophisticated methods.

Reverse brute force attacks.

Reverse brute force attacks, also known as “credential spraying,” use the opposite tactic as other brute force attacks: hackers start with a password and try to find a matching username.

Often, the password comes from a network breach from a specific entity, such as a bank or private company. Armed with leaked passwords, hackers go through thousands or millions of usernames or account numbers (often coming from also leaked databases) until they find one that matches a password, gaining access to the system.

Hybrid brute force attacks

It is the combination of two types of brute force attacks. Often, it’s a dictionary attack combined with a simple brute force attack.

Many passwords consist of a common word followed by a series of numbers, often four. Starting from a dictionary of potential terms, the attacker combines them with common or significant numbers (such as the birth year of the target).

Sometimes, attackers will also substitute letters in the word for numbers and special characters, like turning “password1234” into “pa$$w0rd1234”. This method is generally more effective than a dictionary or brute force attack on its own.

Credential stuffing or credential reuse attacks

These are brute force attacks where hackers use known, leaked passwords from past hacks on various platforms (Gmail, Facebook, Twitter, etc.), hoping that the victim has reused passwords for at least some of them.

This attack relies on users who lack awareness of security measures and use the same password for multiple accounts. Credential stuffing is one of the most common ways WordPress sites are breached.

How common are brute force attacks against WordPress sites?

Hooded man using a computer

Brute force attacks are a common tactic to break into WordPress websites and any CMS in general. Credential stuffing or reuse, in particular, is becoming a more prevalent risk.

According to Wordfence’s “2022 State of WordPress Security” report, credential reuse is becoming a more significant risk as hackers accumulate more leaked passwords yearly. This leads to a growing backlog of potentially reusable credentials. Unmaintained WordPress accounts are especially vulnerable to this kind of attack.

Remember that it goes deeper than your admin credentials when logging into the website’s backend dashboard. Suppose you have cPanel or phpMyAdmin accounts that share passwords with your admin login username. In that case, hackers may find a way to access your entire backend through credential reuse.

Using unique, strong passwords for each account is one of the best ways to protect your WordPress site from credential reuse.

How to prevent brute force attacks in WordPress?

Security Section of WordPress

Now let’s explore the methods you can use to protect your WordPress site from brute force attacks.

Use strong passwords

To no one’s surprise, having strong passwords is one of the most important measures you can take to reduce the risk of suffering successful brute-force attacks. The more complex your password is, the harder it’ll be to crack.

Some of the measures you can take to maintain stronger passwords across accounts include the following:

  • Use long (12-20 characters) complex passwords that combine upper and lowercase letters, numbers, and special characters, such as “*” and “/.”
  • Create rules for the words used in passwords. For example, you can demand that words be truncated halfway or that vowels are removed (“honey” turns into “hny”) to avoid using predictable letter combinations.
  • Avoid common, everyday words and predictable patterns, such as a common word followed by four numbers.
  • Don’t use “a” or “1” as the password’s first character.
  • Use unique passwords for all accounts associated with your WordPress site.
  • Consider using a password manager to keep up with all these complex, unique passwords.
  • Check whether your accounts have been breached with websites like Have I Been Pwned?

For additional context, you can use websites like Password Monster to test how hard to crack a password is. Let’s try out increasingly complex passwords and see how the time to crack them increases exponentially.

  • password: cracked in less than 1 second.
  • password1234: cracked in less than 1 second.
  • password_1234: cracked in less than 1 second.
  • PassWord__1234: cracked in 66 seconds.
  • P4$sW0Rd598T8: cracked in 9 hours.
  • P4$sW0Rd_/*12&9!: cracked in 14 thousand years.
  • >zF+r85l?=459: cracked in 353 million years.

Ultimately, all passwords are crackable with enough time and computing power. Still, you can make the cracking process take longer if you use strong, unique passwords across accounts.

Established a limit for failed login attempts

By default, WordPress allows infinite failed login attempts. A hacker can keep trying to crack your passwords until they succeed. Explore plugins that temporarily prevent IP addresses from trying to access your admin dashboard if they fail a certain number of times in a row (like 3, 5, or 10 times).

The limited attempts and waiting time will reduce the chances of a successful brute-force attack.

Add multiple-factor authentication (MFA)

A multiple-factor authentication is a form of access control that allows access only after the user has provided two or more different proofs of identity. The first proof of identity is the password/username combination.

The second proof varies. It can be a second password that changes periodically, a verification code sent to your email address or any other verification form.

Use CAPTCHA tests

Captchas are visual or arithmetic challenges that are easy for humans to solve but very hard for bots like the ones frequently used in automated login brute-force attacks.

Explore plugins that add CAPTCHA tests to your admin login page.

Impart cybersecurity awareness among your team members

Suppose your website has multiple users logging in daily. In that case, it’d be beneficial to educate every team member about the widespread risks of brute force attacks and other common security threats in the WordPress ecosystem.

Create, buy, or find a cybersecurity awareness course that provides real-life examples for your team members to know what security risks look like in the wild.


Brute force attacks are one of the oldest and most effective hacking methods to crack WordPress sites. In their simplest form (trying random character combinations), they’re not particularly effective against strong passwords.

But as techniques advance and hackers accumulate leaked passwords from past security breaches, they’ve become a more widespread security risk, forcing WordPress site owners to take action.

To minimize the chances of a breach from a brute force attack, the best measure you can take is to use strong and unique passwords across all accounts associated with your WordPress site.