How to Protect Your Website From Brute Force Attacks

Brute force attacks are the simplest method attackers use to gain access to a website. These Internet “bullies” try username and password combinations over and over, usually with automated “bots” that work through lists of common passwords and leaked credentials (or, at the crude end, every possible sequence of characters), until one works. Their easiest targets? Sites whose owners use simple passwords like ‘123456’ and usernames like “admin”.

Due to the nature of these attacks, you may find the number of HTTP requests hitting your site (each login attempt is one request that the CMS has to process, running PHP and querying the database) climbs so high that your host server’s memory and CPU go through the roof, causing your website to slow down. In some cases, like a website we had to rescue and restore recently, your website may go down altogether.

A strong password protects not only your website, but potentially the entire server on which it is hosted. An attacker who gains access to your website can, and in all likelihood will, install malicious scripts; on a shared server where sites are not properly isolated from one another, those scripts can be used to attack every other website hosted on it.

How to Protect Yourself

A common attack point on CMS (Content Management System) websites, such as those built in WordPress, Joomla or Drupal, is the login page itself (wp-login.php on WordPress, the administrator/ login on Joomla, /user/login on Drupal): attackers hammer away at it with login attempts until they get in, or the host server is overwhelmed.

Here are some things you can do (and NOT do) to protect yourself:

Don’t Use “admin” for a Username

“admin” was, at one time, the default username for WordPress. If you are using this username, or any username that is easy to guess, create a new account with administrator rights, transfer all your posts to that new account (WordPress offers to attribute the old account’s content to another user when you delete it), and then delete the old “admin” account.

Do Use Strong Passwords

The goal of any password is to make it hard for others to guess and, in the case of your CMS website, hard for a brute force attack to succeed. WordPress has a password strength meter that tells you whether a new password is adequate. If it rates a new password as weak or medium, change it to something stronger; length matters more than clever symbol substitutions, so a long passphrase beats a short word with a few characters swapped. There are a number of automatic password generators, such as Strong Password Generator, you can use to create secure passwords.

Don’t Use Passwords That Are:

  • Your own name, company name, website name or any variation of these (adding a year or swapping letters for symbols does not help; attackers’ word lists already include those variations).
  • A word from a dictionary, in any language.
  • Short.
  • Numbers only or letters only.
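A password policy that actually enforces the rules in the list above has to catch the disguised versions too, not just the literal words. The following is an added example written for this page, not code from the original post or from WordPress; the word list, the site and owner names, and the 12-character minimum are constructed assumptions (the post only says “short”), and in real use you would load a full dictionary file and the site’s own names.

```python
"""Password policy check for the rules in the list above.

Added example, not code from the original post. The dictionary, the
site/owner names and the 12-character minimum are constructed assumptions.
"""
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon",
              "sunshine", "football", "princess", "qwerty", "iloveyou"}

# Names an attacker would guess first for this particular site (constructed).
SITE_WORDS = ["smellycat", "smelly cat", "smellycat.com", "jane doe"]

MIN_LENGTH = 12  # assumption: the post only says "short"

# Common letter-to-symbol substitutions, undone before the dictionary check
# so "P@ssw0rd" and "password" are treated alike.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

SEPARATORS = re.compile(r"[\s._-]")


def normalize(text: str) -> str:
    """Lower-case, drop separators, strip a trailing run of digits/punctuation
    (the '2014!' people bolt on), then undo leet: 'P@ssw0rd123!' -> 'password'."""
    core = SEPARATORS.sub("", text.lower())
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.translate(LEET)


def check_password(pw: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"short (under {MIN_LENGTH} characters)")
    if pw.isalpha():
        problems.append("letters only")
    if pw.isdigit():
        problems.append("numbers only")
    core = normalize(pw)
    for name in SITE_WORDS:
        needle = normalize(name)
        if needle and needle in core:
            problems.append(f"contains site or personal name '{name}'")
            break
    if core in DICTIONARY:
        problems.append("dictionary word, possibly disguised")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "monkey", "P@ssw0rd123!", "SmellyCat2014!",
                      "correct-horse-battery-staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that `P@ssw0rd123!` satisfies length and mixed-character rules yet is still rejected, because after normalisation it is simply `password`; that is the case a naive “needs a digit and a symbol” check misses.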

What Else Can You Do?

Make sure all your plugins and installed themes are up to date. Or, if you have a Joomla or Drupal site, make sure its modules, components and extensions are up to date. Also make sure you are running the most current version of WordPress, Joomla or Drupal. And keep both the website files and the database backed up, in case you ever have to restore the site!

If you have a WordPress website, there are plugins you can add that limit the number of login attempts allowed from one address, or block people from accessing the dashboard (AKA the backend) entirely. One plugin we have been testing that does both is WordFence. After testing it on a few websites, including our own, the brute force attacks have all but disappeared. On one website we had to restore recently because of a brute force attack on the host server, we installed the pro ($39/year) version of WordFence, which also allows country blocking. Within two days of installing and configuring the plugin, the brute force attacks on the website went from 10 or more per day to zero.
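The “limit login attempts” logic such a plugin applies can also be run, or checked, from the server side by watching the web-server access log, which is useful when the attack is aimed at a whole host rather than one site. The script below is an added example written for this page; it is not code from the original post and not WordFence’s own logic. It parses Apache/nginx combined-format log lines (the sample lines are constructed, using documentation IP ranges) and flags any client that POSTs to a CMS login URL more than MAX_ATTEMPTS times inside a sliding WINDOW of seconds. The endpoint list, the threshold and the window are assumptions; pick values that fit your site.

```python
"""Flag clients hammering a CMS login from web-server access logs.

Added example (not from the original post and not WordFence's code). Applies
the same sliding-window rule a limit-login-attempts plugin uses: more than
MAX_ATTEMPTS login POSTs from one IP within WINDOW seconds gets the IP blocked.
Paths, limits and the sample log are assumptions constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Login endpoints for the CMSs the post mentions. WordPress also exposes
# xmlrpc.php, which accepts credentials and is a favourite brute-force target.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php",
               "/administrator/index.php", "/user/login"}
MAX_ATTEMPTS = 5   # assumption: lock out after 5 attempts ...
WINDOW = 300       # ... within 5 minutes

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one fast attacker, one normal user, one slow attacker.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:10:00:08 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"
192.0.2.9 - - [10/Mar/2014:10:02:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"
192.0.2.9 - - [10/Mar/2014:10:04:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"
192.0.2.9 - - [10/Mar/2014:10:06:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"
192.0.2.9 - - [10/Mar/2014:10:07:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"
192.0.2.9 - - [10/Mar/2014:10:09:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.2"
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def is_login_attempt(method, path, status):
    """A POST to a login endpoint. WordPress answers a successful login with a
    302 to wp-admin and a failed one by re-rendering the form with 200, so a
    302 on wp-login.php is not counted as an attempt."""
    if method != "POST" or path not in LOGIN_PATHS:
        return False
    if path == "/wp-login.php" and status == 302:
        return False
    return True


def find_attackers(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: time_of_lockout} for clients that exceed max_attempts
    login attempts inside any window of `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts still in the window
    blocked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in blocked or not is_login_attempt(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire attempts outside the window
            q.popleft()
        if len(q) > max_attempts:
            blocked[ip] = ts
    return blocked


def deny_rules(blocked):
    """Render the block list as nginx 'deny' directives; an iptables rule or a
    plugin block list would serve equally."""
    return [f"deny {ip};" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_attackers(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} locked out at {when:%H:%M:%S}")
    print("\n".join(deny_rules(hits)))
```

With the default 5 attempts per 300 seconds only the fast client (203.0.113.7) is locked out; the xmlrpc.php client sending one request every 100 seconds never has more than four attempts in any window and slips through, which is exactly how a patient attacker stays under a plugin’s default threshold. Tightening to 3 attempts per 600 seconds catches both, at the cost of locking out a legitimate user who mistypes a few times. Remember that a determined attacker distributes attempts across many addresses, so per-IP limiting reduces the load but is no substitute for the strong password and non-default username discussed above.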

If you are concerned that your website or server may be compromised by one of these Internet bullies, or if you just want to “bully-proof” yourself against a Brute Force Attack, contact us today and let’s talk.


  1. Well, recently brute force attacks have immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing which is fight-able, I mean, by using security methods we can move brute force attacks out of the window. Although it can be difficult for newbies who just got started with WordPress, they can learn by reading posts online and then implement security.
    In my view, implementing only three tricks works very well: changing the login slug, a content delivery network (CDN) and a security plugin which bans IP addresses after a few login attempts.

    • smellycat

      Thanks for your insightful comment. Yes, stopping brute force attacks on CMS sites can be as simple as adding a security plugin and changing the CMS login URL.
