
What is a brute force attack, and how can it be prevented effectively?

Brute force attack: if you are a site owner or a blogger, what is your top-priority task?


In my view, the security of the site or blog is the highest priority.

I think you will agree with me. If your site or blog is popular, its security becomes your topmost priority.

Hackers can harm your blog or site in many ways, and a brute force attack is one of the most common.

Today I am going to explain it in detail and discuss ways to prevent it.

What is a brute force attack?

Repeatedly trying passwords to get into the password-protected admin area of an app, site, blog or server, without the owner's knowledge, is called a brute force attack.

It is also called brute force cracking or password cracking.

For this, hackers try a specific username with many password combinations on the login page of that app, site, blog or server.

They keep trying until they succeed in logging in.

There is another term associated with it: the reverse brute force attack.

The name reflects its meaning: it is the reverse of a brute force attack.

In this method the attacker tries many usernames along with a single password.

What is the main purpose of this attack?

The main purpose of a brute force attack is to use the targeted blog, site, app or server illegally.

Hackers can quietly use the hacked site/app/server for any kind of work, and they won't leave any clue behind either.

They can launch another attack from the hacked site so that the real source of their main attack cannot be traced. Other purposes include:

  • To steal valuable information from the site.

  • To shut the site down.

  • To infect the site with malicious scripts in order to fulfil a long-term objective.

If you want to see a brute force attack directly, leave a newly installed WordPress CMS for almost a month without installing any security plugin.

To trace brute force attacks, just install the security plugin "Loginizer".

After a few days you can see them from your WordPress dashboard. Follow these steps:

Dashboard >> Loginizer Security >> Brute Force

You will see a report like the screenshot below.

[Screenshot: brute force attack report]

Now you know what a brute force attack is and how it can harm your site/app/server.

Now let us look at some ways to stop it.

You can take some precautions before an attack happens. Let's go through some tips to avoid it.

1. Keep your password long.

The length of a password is the number of characters in it.

The more characters a password has, the longer hackers will take to crack it.

If this is not clear yet, try to understand it with an example.

Suppose you have a two-digit password, where each digit can be anything from 0 to 9.

The total number of unique two-digit numbers is 10^2 = 100.

Increasing the number of digits:

10^3 = 1000

10^4 = 10000

Now add the alphabet. There are 26 letters, or 52 if we count capital and small letters separately. Adding the 10 digits gives 52 + 10 = 62 characters in total.

You must have understood by now.

If we add special characters as well, the number of possibilities becomes impossible for an ordinary person to estimate.
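The arithmetic above, carried through for the character sets the post mentions, as an added example (not code from the original post). The `keyspace` function is exactly the 10^2, 10^3, 10^4 calculation generalised to any character set and length; the 94-symbol set and the guess rate used in the demo are constructed assumptions, not figures from the post.

```python
"""Added example (not from the original post): how password length and
character-set size grow the number of guesses a brute-force attacker must make.
The guess rate and the 94-symbol character set are constructed assumptions."""
from math import log2


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from a
    set of `charset_size` symbols: charset_size ** length (10**2 == 100, etc.)."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds needed to try every password in the keyspace at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


# Character sets used in the post: digits (10), letters upper+lower (52),
# digits + letters (62). The 94 figure adds the 32 printable ASCII specials
# (an assumption; the post does not give this number).
CHARSETS = {"digits": 10, "letters": 52, "letters+digits": 62, "all printable": 94}


def growth_table(charset_size: int, lengths=range(2, 13), guesses_per_second=1e9):
    """Rows of (length, keyspace, bits, worst-case seconds) for one character set."""
    return [
        (n,
         keyspace(charset_size, n),
         round(entropy_bits(charset_size, n), 1),
         worst_case_seconds(charset_size, n, guesses_per_second))
        for n in lengths
    ]


if __name__ == "__main__":
    # Constructed guess rate: one billion guesses per second is far above what a
    # web login endpoint allows; it only illustrates how the numbers scale.
    for name, size in CHARSETS.items():
        print(f"== {name} ({size} symbols) ==")
        for n, space, bits, secs in growth_table(size, range(2, 13, 2)):
            print(f"length {n:2d}: {space:>24,d} passwords, {bits:5.1f} bits, "
                  f"{secs / 86400:.3g} days to exhaust")
```

Running the script prints one table per character set; the point to take from it is that each extra character multiplies the attacker's work by the size of the character set, so length helps more than any single special character does.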

2. Make the password complicated.

Follow these steps to make the password complicated.

  • Do not use any word that can easily be found in a dictionary.

  • Do not use "admin", someone's name, someone's date of birth, a phone or mobile number, the blog or site name, or frequently spoken words as the password.

  • Never use a pattern like "Yourname#123456" in the password.

  • Always include letters, numbers and special characters in the password.

  • No word in the password should be meaningful, such as door*1234.

  • Always place numbers and special characters between the letters, e.g. d(14oo%98r*1234.

  • Use small letters along with capital letters in the middle of the password.
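The rules in this list, turned into a checker you could run before accepting a new admin password, as an added example (not code from the original post or any plugin it names). The miniature word list, the `Name#123456` regular expression and the 12-character minimum are constructed choices; a real deployment would load a full dictionary and the user's own details (name, site name, birth year, phone number) as the personal terms.

```python
"""Added example (not from the original post): a checker that turns the post's
password rules into code. The word list, the pattern regex and the minimum
length are constructed choices, not values taken from the post."""
import re

# Constructed miniature dictionary; production code loads a real word list.
COMMON_WORDS = {"admin", "password", "door", "welcome", "login", "summer", "qwerty"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")

# "Yourname#123456": a run of letters, optionally one separator, then only digits.
NAME_THEN_DIGITS = re.compile(r"^[A-Za-z]+[^A-Za-z0-9]?\d+$")


def check_password(password: str, personal_terms=(), min_length: int = 12) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lower = password.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule: no dictionary words, and no personal details (name, site, phone, birth date)
    for term in COMMON_WORDS | {t.lower() for t in personal_terms if t}:
        if len(term) >= 3 and term in lower:
            problems.append(f"contains guessable term '{term}'")

    # Rule: never the "Name#123456" shape
    if NAME_THEN_DIGITS.match(password):
        problems.append("follows the 'Name#123456' pattern")

    # Rule: letters (both cases), digits and special characters must all be present
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    if not (has_lower and has_upper):
        problems.append("needs both lower- and upper-case letters")
    if not has_digit:
        problems.append("needs a digit")
    if not has_special:
        problems.append("needs a special character")

    # Rule: digits/specials should sit between the letters, not only at the ends
    core = password.strip("".join(SPECIALS) + "0123456789")
    if (has_digit or has_special) and not any(c.isdigit() or c in SPECIALS for c in core):
        problems.append("digits/specials only at the ends; put some in the middle")

    # Rule: a capital letter in the middle, not just as the first character
    if has_upper and not any(c.isupper() for c in password[1:]):
        problems.append("only the first character is capitalised")

    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the post's own weak example door*1234.
    for candidate in ["door*1234", "Barun#123456", "d(14oo%98Rm*42k"]:
        issues = check_password(candidate, personal_terms=["Barun", "webtechthoughts"])
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```

The function returns every violated rule rather than stopping at the first one, so the same code can drive a password-change form that explains to the admin what to fix.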

3. Activate two-factor authentication.

Have you ever made an online transaction with your debit/credit card? If yes, you probably already know about two-factor authentication.

In that transaction process, we authenticate with the bank twice:

  • First, by entering the card number and PIN.

  • Second, by entering an OTP / TOTP.

This adds an extra layer of security. Suppose that for some reason your debit/credit card number and PIN have been leaked.

Hackers try to make a transaction with that card and pass the first authentication with the bank.

But the second authentication sends an OTP / TOTP to your mobile number.

The hackers fail at the second step because they do not have access to your mobile number, as long as you keep it to yourself.

You can apply the same trick to your site, blog, app or server. It adds an extra layer to its security.

You can use a two-factor authentication plugin for WordPress to do this.

4. Use reCAPTCHA

Today almost every site uses Invisible reCAPTCHA to protect itself from bots.

This service tells humans and bots apart, and it stops the software used in a brute force attack from running.

As I mentioned above, more characters in the password means more possible passwords.

That is why attackers use brute force software to carry out the attack.

A CAPTCHA prevents that brute force software from running.

You can use Google's free reCAPTCHA service for this.

First register your site/blog with Google reCAPTCHA, then install the plugin.

Then enter the code Google gives you into the plugin to activate reCAPTCHA.

5. Limit login attempts.

This is straightforward. If someone is trying to log in to your site/blog and has failed many times, the IP address of that person should be blocked for some time.

If they repeatedly make this mistake, they should be blocked permanently,

because a genuine admin, who owns the login credentials, will not get blocked multiple times.

Only a brute force attacker would.

You can use the Loginizer plugin for this. It's a free plugin.
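The lockout logic described in this section, written out as a stand-alone class so you can see the two thresholds at work, as an added example (not code from the original post or from the Loginizer plugin). The thresholds (5 failures, 15-minute block, permanent block after 3 lockouts), the injectable clock and the TEST-NET IP addresses in the demo are constructed choices.

```python
"""Added example (not from the original post): per-IP login lockout with a
temporary block after repeated failures and a permanent block after repeated
lockouts. Thresholds and sample addresses are constructed, not from the post."""
import time
from collections import defaultdict


class LoginLimiter:
    """Track failed logins per IP; block temporarily after `max_failures`
    consecutive failures, permanently after `max_lockouts` temporary blocks."""

    def __init__(self, max_failures=5, lockout_seconds=900, max_lockouts=3, clock=None):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.max_lockouts = max_lockouts
        self.clock = clock or time.time        # injectable for deterministic tests
        self.failures = defaultdict(int)       # ip -> consecutive failures
        self.blocked_until = {}                # ip -> unix time the lockout ends
        self.lockouts = defaultdict(int)       # ip -> number of lockouts so far
        self.permanent = set()                 # ips blocked for good

    def is_blocked(self, ip: str) -> bool:
        """True while the IP is inside a lockout or on the permanent list."""
        if ip in self.permanent:
            return True
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.blocked_until[ip]             # lockout has expired
        return False

    def record_failure(self, ip: str) -> str:
        """Register a failed login; returns 'ok', 'locked' or 'permanent'."""
        if self.is_blocked(ip):
            return "permanent" if ip in self.permanent else "locked"
        self.failures[ip] += 1
        if self.failures[ip] < self.max_failures:
            return "ok"
        # Threshold reached: start a lockout, and escalate if this keeps happening.
        self.failures[ip] = 0
        self.lockouts[ip] += 1
        if self.lockouts[ip] >= self.max_lockouts:
            self.permanent.add(ip)
            return "permanent"
        self.blocked_until[ip] = self.clock() + self.lockout_seconds
        return "locked"

    def record_success(self, ip: str) -> None:
        """A genuine admin who logs in resets the failure count for that IP."""
        self.failures.pop(ip, None)


def replay(events, limiter: LoginLimiter) -> list:
    """Feed (timestamp, ip, succeeded) events through the limiter in order and
    return the decision for each one; the limiter's clock follows the events."""
    decisions = []
    for ts, ip, ok in events:
        limiter.clock = lambda t=ts: t
        if limiter.is_blocked(ip):
            decisions.append("rejected")
        elif ok:
            limiter.record_success(ip)
            decisions.append("login")
        else:
            decisions.append(limiter.record_failure(ip))
    return decisions


if __name__ == "__main__":
    # Constructed sample of login events: one attacker hammering the form, one admin.
    events = [(1000 + i, "203.0.113.5", False) for i in range(6)]
    events += [(1020, "198.51.100.7", False), (1025, "198.51.100.7", True)]
    for (ts, ip, ok), decision in zip(events, replay(events, LoginLimiter())):
        print(f"t={ts} {ip:14} {'success' if ok else 'failure':7} -> {decision}")
```

Keeping the clock injectable is what makes the escalation testable: the lockout expiry and the permanent block can be exercised in milliseconds instead of waiting fifteen minutes.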

6. Change the login URL.

It is possible to hide the login URL from attackers.

If attackers cannot find the path to the login page, they can neither reach the login form nor show off their talent.

For this, change the default login URL www.yourdomain.com/wp-admin to something else.

The new URL may look like this: www.yourdomain.com/htl158

The new URL should only be known by the admin.

This method greatly reduces brute force attacks.

You can use the WPS Hide Login WordPress plugin for this. It is free and safe.

7. Use a CDN.

A Content Delivery Network has many benefits. I list some of them below.

  • It increases the page loading speed of your site.
  • It does not let others freely use the images hosted on your site.
  • It creates an additional protective shield for your site/blog against brute force attacks.
  • It can block the attacker's IP address permanently.

Similarly, this resource will help you keep your blog spam-free. Do read it.

Final words:

Nowadays a brute force attack is a common attack. We can't stop attackers from trying, but by following the tips above we can save our blog/site from the attack.

You must try these tips on your blog/site. If you know any other tips, please tell me in the comments; I would like to include them in this article.

If you find this post informative, share it with your friends and fellow bloggers.

A good article always has a great impact.

Founder, WebtechThoughts

Barun Chandra is a technology enthusiast and a blogger. He is fond of technology in depth and writes posts in simple words to make them easy to understand.
