What is a brute-force attack and how to protect your WordPress site

The term Brute Force, or Brute Force Attack, has gradually become familiar to WordPress users because this form of attack always targets popular open-source platforms. So what exactly is this attack method? What is its impact? And how do you prevent a brute force attack? Let me answer these questions as briefly as possible.


What is Brute Force Attack?

Imagine a hacker holding a huge list of commonly used usernames and passwords. They then continuously send login requests to your wp-login.php file; if a username and password pair is wrong, the tool discards it and tries the next one. It keeps "mixing" usernames and passwords like this until one of them logs in. That is a brute force attack.

You can think of this method as a way of discovering the username and password of the top-level administrator account.


When are you vulnerable to a brute force attack?

This form of attack is easy to prevent, but it is also easy to fall victim to if you are careless when choosing your password and username. Usually, you are vulnerable to this type of attack when you:

  1. Use admin, administrator, or a similar username.
  2. Use a weak password that is easy to guess or commonly used.
  3. Do not secure the login path.
  4. Do not change your password regularly.

In short, weaknesses in login account security are what let hackers attack you with brute force.


How to fight Brute Force Attack?

To prevent brute force attacks, follow this checklist:

  • Use a username that is hard to guess.
  • Use a long, strong password with special characters that does not contain personal information.
  • Limit the number of failed login attempts.
  • Secure the login path.
  • Change passwords regularly.
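The "limit failed login attempts" item can also be watched from the web server side: a brute force run shows up as a burst of POST requests to wp-login.php from one client. The following is an added example, not code from this article or from any of the plugins it mentions, that scans constructed Apache combined-format log lines for such bursts. It assumes WordPress answers a failed login POST by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, timestamp, method, path, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins_by_ip(log_text):
    """Map each client IP to the sorted timestamps of its failed login posts.
    Assumption: WordPress answers a failed wp-login.php POST by re-rendering
    the form (HTTP 200) and a successful one with a redirect (HTTP 302)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failures[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {ip: sorted(ts) for ip, ts in failures.items()}

def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_failed_posts} for every IP that produced at least
    `threshold` failed login posts inside some `window_seconds` span."""
    flagged = {}
    for ip, times in failed_logins_by_ip(log_text).items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `find_bruteforce_sources(SAMPLE_LOG)` on the constructed lines flags only 203.0.113.5; the normal visitor's single successful login is not counted.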

To put this into practice, I recommend combining the following plugins:

  • Better WP Security – Can hide the login path and limit the number of failed login attempts.
  • Login Security Solution – Enforces strong passwords and periodic password changes, and limits the number of login attempts.
  • BruteProtect – Blocks bad IPs and brute force queries based on its own data.
  • Limit Login Attempts – Simply limits the number of failed logins.

Or, if you want to be even more secure, use the KeyCaptcha plugin, which generates a challenge that has to be solved by stacking images, so your site no longer has to deal with automated login queries.



Although brute force attacks are easy to prevent and limit, they are very popular today, especially against WordPress users, because WordPress has a market share of more than 19% of all websites on the Internet worldwide, while other open-source platforms such as Joomla and Drupal have only 3 to 4%.

Make sure your website is protected against brute force attacks to reduce the chance of your admin account being stolen.