ZeroToWP

Brute Force Attack

Quick Definition

An automated attack method where bots systematically guess username and password combinations to break into your WordPress login page, often trying thousands of combinations per minute.

What Is a Brute Force Attack?

A brute force attack is a trial-and-error method where an attacker systematically tries every possible combination of usernames and passwords until one works. There is no clever exploit involved — just raw, automated guessing at high speed. A bot might attempt thousands of login combinations per minute against your WordPress site's wp-login.php page, hoping to stumble on valid credentials.

Think of it like someone trying every key on a massive keyring against your front door lock. Given enough time and no countermeasures, they will eventually find the right one.

How Brute Force Attacks Target WordPress

WordPress is the most popular CMS on the web, which makes it the biggest target. Attackers don't even need to know your site exists — they run automated scans across millions of IP addresses looking for WordPress login pages. Here's what a typical attack looks like:

  1. The bot finds your login page — usually at yourdomain.com/wp-login.php or /wp-admin/ (which redirects there). These paths are identical on every WordPress installation, so there is nothing to discover. The XML-RPC endpoint at /xmlrpc.php accepts the same username and password and is hit just as hard, so any defence that only watches wp-login.php is leaving a second door open.
  2. It starts guessing — the bot tries common username/password combinations: "admin" + "password123", "admin" + "admin", "admin" + your domain name. These credential lists are compiled from previous data breaches and leaked password databases, so the guesses are not random; they are the passwords people actually choose.
  3. It scales up — modern botnets distribute the attack across thousands of IP addresses. Each IP tries only a handful of combinations to stay under per-IP rate limits and lockout thresholds, but collectively they test millions of passwords against the same few accounts.

I check Wordfence logs across the sites I manage, and the numbers are staggering. Even small, obscure WordPress sites get hit with hundreds of brute force attempts per week. It's not personal — the bots don't know or care what your site is about. They're casting a wide net.

Types of Brute Force Attacks

  • Simple brute force — tries every possible character combination (aaa, aab, aac…). Only workable against very short passwords; at the few thousand guesses per minute an online login form allows, anything beyond eight or nine random characters is out of reach.
  • Dictionary attack — uses a list of common passwords and words, often with predictable mutations (capitalised first letter, trailing digits, "!" at the end). Much faster than simple brute force because most people choose predictable passwords.
  • Credential stuffing — uses username/password pairs leaked from other breached services. If you reused a password from a hacked forum, attackers will try it on your WordPress login. No amount of password length helps here; only uniqueness does.
  • Reverse brute force (also called password spraying) — starts with one common password (like "password1") and tries it against a large list of usernames, then moves to the next password. Because each account sees only one or two attempts per pass, per-account lockouts rarely trigger. Particularly effective when "admin" is the username.

How to Protect Your WordPress Site

The good news: brute force attacks are one of the easiest threats to defend against. A few straightforward measures make a guessed password worthless and take your site off the list of easy targets. Nothing makes the attempts stop arriving, but they stop mattering.

Use Strong, Unique Passwords

This is the single most effective defense. Against online guessing, a randomly generated password of even 12 characters is already far beyond what a bot can test through a login form in any realistic timeframe; a 16+ character password with mixed case, numbers, and symbols also holds up if the site's password hashes are ever stolen and cracked offline at millions of guesses per second. Use a password manager like 1Password or Bitwarden to generate and store them. Never reuse passwords across sites — credential stuffing works precisely because people reuse passwords, and a reused password is effectively already known to the attacker regardless of its length.

Enable Two-Factor Authentication (2FA)

Even if an attacker guesses your password, 2FA stops the login from completing: they would also need the time-based code from your phone or authenticator app. Plugins like Wordfence include 2FA out of the box, and it takes under a minute to set up. It does not reduce the number of attempts hitting your site, but it means a correct password guess on its own no longer gets anyone in. Enable it for every administrator account, not just your own.

Limit Login Attempts

By default, WordPress allows unlimited login attempts. That's an open invitation for bots. Install a security plugin that locks out IP addresses after a set number of failed attempts. Wordfence and Limit Login Attempts Reloaded both handle this automatically. Two caveats: a purely per-IP lockout does little against a distributed botnet, where each IP stays under the threshold, so prefer a plugin that also counts failures per username; and make sure the limiter covers xmlrpc.php as well as wp-login.php, or block XML-RPC outright if nothing you run needs it.
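The distributed pattern described in step 3 above and the lockout logic described here are worth seeing side by side. The following is an added example, not code from the original page or from any plugin it names: a sliding-window login limiter that counts failures per source IP and per target username, fed by a constructed single-IP attack and a constructed botnet in which every IP stays under the per-IP threshold. Thresholds, the window length and the IP ranges are assumptions chosen for illustration. In WordPress the same checks would sit on the `authenticate` filter and the `wp_login_failed` action; here the logic is plain Python so it runs offline.

```python
"""Sliding-window login limiter keyed by IP and by username (added example)."""
from collections import defaultdict, deque


class LoginLimiter:
    """Refuse logins from an IP, or to an account, with too many recent failures.

    max_per_user=None disables the per-account counter, which is what a
    purely per-IP limiter looks like (shown below to be bypassable).
    """

    def __init__(self, window_seconds=900, max_per_ip=5, max_per_user=20):
        self.window = window_seconds
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self._ip_fails = defaultdict(deque)    # ip -> timestamps of recent failures
        self._user_fails = defaultdict(deque)  # username -> timestamps of recent failures

    def _prune(self, dq, now):
        # Drop failures older than the window so old noise does not lock anyone out forever.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def is_locked(self, ip, username, now):
        """Return "ip" or "user" if the attempt must be refused before the password is checked, else None."""
        user = username.lower()
        self._prune(self._ip_fails[ip], now)
        self._prune(self._user_fails[user], now)
        if len(self._ip_fails[ip]) >= self.max_per_ip:
            return "ip"
        if self.max_per_user is not None and len(self._user_fails[user]) >= self.max_per_user:
            return "user"
        return None

    def record_failure(self, ip, username, now):
        self._ip_fails[ip].append(now)
        self._user_fails[username.lower()].append(now)


def run_attempts(limiter, attempts, step=0.1):
    """Feed (ip, username) guesses through the limiter, `step` seconds apart.

    Every guess is assumed wrong, so each attempt that gets through to the
    password check is recorded as a failure. Returns how each attempt fared.
    """
    now = 0.0
    outcome = {"allowed": 0, "blocked_by_ip": 0, "blocked_by_user": 0}
    for ip, user in attempts:
        reason = limiter.is_locked(ip, user, now)
        if reason is None:
            outcome["allowed"] += 1
            limiter.record_failure(ip, user, now)
        else:
            outcome["blocked_by_" + reason] += 1
        now += step
    return outcome


def single_ip_attack(guesses=50, ip="198.51.100.7", target="admin"):
    # Constructed: one source hammering one account.
    return [(ip, target)] * guesses


def distributed_attack(bots=500, guesses_per_bot=4, target="admin"):
    # Constructed botnet: each IP makes fewer guesses than the per-IP threshold,
    # but all of them aim at the same account.
    attempts = []
    for b in range(bots):
        ip = "10.%d.%d.%d" % ((b >> 16) & 255, (b >> 8) & 255, b & 255)
        attempts.extend([(ip, target)] * guesses_per_bot)
    return attempts


if __name__ == "__main__":
    print("single IP, per-IP limiter:", run_attempts(LoginLimiter(), single_ip_attack()))
    print("botnet, per-IP only:      ", run_attempts(LoginLimiter(max_per_user=None), distributed_attack()))
    print("botnet, per-IP + per-user:", run_attempts(LoginLimiter(), distributed_attack()))
```

The per-IP-only limiter lets all 2,000 botnet guesses through because no single address ever reaches five failures; adding the per-username counter stops the account after twenty. The flip side, which the "Signs Your Site Is Under Attack" section touches on, is that a per-account lock can be used to keep the real administrator out, so production limiters usually answer a locked account with a CAPTCHA or a step-up check rather than a hard refusal, and clear the per-IP counter on a successful login.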

Change the Default "admin" Username

If your WordPress username is still "admin", change it today. Create a new administrator account with a unique username, log in with it, and delete the old "admin" account (attributing its posts to the new one when prompted). Every brute force bot tries "admin" first, so removing it defeats the lazy, list-driven attacks outright. Don't treat the new username as a secret, though: WordPress exposes usernames through author archives (yourdomain.com/?author=1) and the REST API's users endpoint unless you block them, so a determined attacker can still learn it. Strong passwords and 2FA remain the controls that actually hold.

Use a Web Application Firewall (WAF)

A WAF like Wordfence or Cloudflare detects brute force patterns and blocks malicious IPs before they reach your login page. Wordfence runs inside WordPress, so the request still reaches your server; Cloudflare sits in front of it. Stopping a request earlier in the chain is generally better, because a blocked request costs you no PHP execution or database time, which is exactly the resource a flood of login attempts burns. The two are complementary rather than exclusive.

Signs Your Site Is Under Attack

How do you know if a brute force attack is happening right now? Watch for these signs:

  • Slow site performance — every login request runs PHP and a deliberately slow password hash, so thousands of attempts per minute consume server resources and slow your site for real visitors.
  • Failed login notifications — if you have a security plugin, check its logs. Hundreds of failed attempts from different IPs are a clear signal; so is a burst of POST requests to wp-login.php or xmlrpc.php in your raw access log.
  • Locked out of your own account — if login protection is enabled, aggressive attacks can sometimes trigger lockouts on legitimate users too.
  • Unusual server resource usage — your hosting control panel may show CPU or memory spikes that don't correlate with real traffic.
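The failed-login and raw-log signs above can be checked without a plugin by reading the web server's access log. The following is an added example, not code from the original page: it parses Apache/nginx "combined" format lines, keeps only POSTs to the WordPress login endpoints, and flags two patterns, one IP with many failures and many distinct IPs failing within the same minute, then reports any success from a flagged address. It relies on WordPress re-rendering the form with HTTP 200 on a failed login and redirecting with 302 on success. The thresholds and the sample log lines are constructed for illustration.

```python
"""Detect brute-force patterns against wp-login.php / xmlrpc.php in an access log (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def login_posts(lines):
    """Yield parsed POSTs to the login endpoints; GETs are just page loads."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            yield rec


def analyse(lines, single_ip_threshold=10, distributed_ip_threshold=5, window_seconds=60):
    """Flag single-source floods, distributed floods, and successes from flagged IPs."""
    failures_per_ip = Counter()
    failing_ips_per_window = defaultdict(set)
    successes = []
    for rec in login_posts(lines):
        if rec["status"] == 302:  # WordPress redirects on a successful login
            successes.append(rec["ip"])
            continue
        failures_per_ip[rec["ip"]] += 1
        window = int(rec["ts"].timestamp()) // window_seconds
        failing_ips_per_window[window].add(rec["ip"])
    single = {ip: n for ip, n in failures_per_ip.items() if n >= single_ip_threshold}
    distributed = {w: sorted(ips) for w, ips in failing_ips_per_window.items()
                   if len(ips) >= distributed_ip_threshold}
    suspect = set(single) | {ip for ips in distributed.values() for ip in ips}
    # A redirect (success) from an IP that was failing is the sign that matters most.
    compromise = sorted({ip for ip in successes if ip in suspect})
    return {"single_ip": single, "distributed": distributed, "possible_compromise": compromise}


def _log(ip, method, path, status, second):
    # Helper to build constructed sample lines in combined format.
    ts = "10/Mar/2024:03:14:%02d +0000" % second
    return '%s - - [%s] "%s %s HTTP/1.1" %d 1234 "-" "Mozilla/5.0"' % (ip, ts, method, path, status)


# Constructed sample log: one real admin login, one noisy attacker, one small botnet.
SAMPLE_LOG = (
    [_log("192.0.2.10", "GET", "/wp-login.php", 200, 1),
     _log("192.0.2.10", "POST", "/wp-login.php", 302, 5)]                       # legitimate login
    + [_log("198.51.100.7", "POST", "/wp-login.php", 200, s) for s in range(10, 22)]  # 12 failures, one IP
    + [_log("203.0.113.%d" % i, "POST", "/xmlrpc.php", 200, 30 + i) for i in range(1, 7)]  # 6 IPs, one each
    + [_log("203.0.113.3", "POST", "/wp-login.php", 302, 40)]                    # one bot then succeeds
    + ["this line is not a log entry"]
)

if __name__ == "__main__":
    for kind, value in analyse(SAMPLE_LOG).items():
        print(kind, value)
```

Run against a real log with `analyse(open("/var/log/apache2/access.log"))`, adjusting the thresholds to your site's normal login volume. The single-IP rule catches the classic attacker; the distinct-IPs-per-minute rule is what catches the botnet from step 3, which per-IP counters miss; and the 302-after-failures check is the one to alert on, because it means a guess worked.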

The Bottom Line

Brute force attacks are unsophisticated but relentless. They succeed not because they're clever, but because too many WordPress site owners use weak or reused passwords and skip basic security measures. A strong, unique password, two-factor authentication, and a login limiter that counts per account as well as per IP are all you need to make your site an unattractive target. The attempts will keep coming, but the bots will move on to easier prey.
