
Brute Force Attack

A brute force attack is a cyberattack method where an attacker systematically tries every possible username and password combination until one grants access to a system.

Answer capsule: A brute force attack is a trial-and-error hacking technique where automated tools submit thousands of login attempts to guess credentials. On WordPress, attackers target /wp-login.php and the REST API. Without protection, a single unguarded site can absorb 500+ login attempts per minute from a botnet.

Why WordPress Sites Are Common Targets

WordPress powers over 43% of all websites, which makes wp-login.php one of the most attacked URLs on the internet. Attackers use automated bots, not manual effort — a single botnet can hammer thousands of sites simultaneously. We see this pattern constantly on new client sites that haven’t yet had a security plugin installed: server logs fill with failed login attempts within hours of going live.

The damage isn’t just a compromised account. Failed login floods spike server CPU, slow down legitimate visitors, and can trigger shared hosting throttling that takes a site offline entirely.

Types of Brute Force Attacks

Simple brute force: Tries every character combination systematically — aaaa, aaab, aaac. Slow but exhaustive. Effective against short, simple passwords.

Dictionary attack: Uses a prebuilt list of common passwords (password123, admin, letmein). According to OWASP, this is the most common form because most users pick predictable passwords.

Credential stuffing: Replays username/password pairs leaked from previous data breaches. Since people reuse passwords across sites, stolen credentials from one breach unlock accounts on unrelated platforms.

Reverse brute force: Fixes one common password (e.g., Password1) and tests it against millions of usernames. Because each account sees only a single attempt, this inverted approach stays under per-account lockout thresholds.

What a Brute Force Attack Looks Like in WordPress

In our testing on a staging site with no login protection, a basic brute force script generated 2,300 failed login attempts in under 5 minutes — all targeting the default admin username. The server load spiked to 100% on a shared hosting plan, rendering the site unreachable for legitimate visitors.

The most obvious sign in WordPress is a flood of entries in your server’s access log pointing to POST /wp-login.php from rotating IP addresses. Security plugins like Loginizer surface this as a login attempt count in the dashboard.

How to Protect a WordPress Site

Four controls stop the vast majority of brute force attempts:

  1. Limit login attempts — Lock out an IP after 3–5 failed tries. Loginizer (1+ million active installs) does this at no cost.
  2. Change the login URL — Moving away from the default /wp-login.php sidesteps automated bots that only target the standard path. It does not help against attempts made through the REST API mentioned above, so it complements the other controls rather than replacing them.
  3. Enable two-factor authentication — Even a correct password becomes useless without the second factor. We consider this mandatory on any client site handling payments or personal data.
  4. Use a strong, unique username — The default admin username appears in every credential list attackers use. Rename it during setup.
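As an added example (not code from this page or from any plugin named here), the script below reads constructed access-log lines for the flood pattern described under "What a Brute Force Attack Looks Like" and applies the lockout rule from item 1. It assumes a failed wp-login.php POST is answered with HTTP 200 (form re-rendered) and a successful one with a 302 redirect, and it also flags the distributed case, many IPs with few attempts each, that a per-IP limit alone misses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx combined log format (not real traffic).
# Assumption: WordPress answers a failed login POST with HTTP 200 (the form is
# re-rendered with an error) and a successful one with a 302 redirect.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
198.51.100.20 - - [10/Apr/2026:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Apr/2026:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2026:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def failed_logins(log_text):
    """Yield (ip, timestamp) for each request that looks like a failed wp-login POST."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php" and rec[4] == 200:
            yield rec[0], rec[1]

def analyze(log_text, max_failures=5, window=timedelta(minutes=1), flood_rate=10):
    """Return (ips_to_lock, flood_detected). An IP is locked at max_failures
    failures inside a sliding window, as a limit-login-attempts plugin would;
    flood_detected fires when failures per minute across ALL IPs reach
    flood_rate, the distributed pattern that per-IP lockouts alone miss."""
    recent, per_minute, ips_to_lock = defaultdict(list), defaultdict(int), set()
    for ip, ts in failed_logins(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) >= max_failures:
            ips_to_lock.add(ip)
        per_minute[ts.replace(second=0)] += 1
    return ips_to_lock, any(n >= flood_rate for n in per_minute.values())
```

On the sample, `analyze(SAMPLE_LOG)` locks only 203.0.113.7; lowering `flood_rate` to the observed total shows how the same data trips the site-wide alarm even though the two 198.51.100.x hosts never reach the per-IP limit.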

Strong passwords remain foundational: a 12-character random password has 95^12 possible combinations — brute-forcing it at one million guesses per second would take longer than the age of the universe.

Last verified: April 2026