With These 7 measures Brute Force attacks come to nothing

8 Min.
With at least 4 billion individual attacks this year, Brute Forceattacks are probably the greatest threat to WordPress  sites .
Last updated on

Last updated on 17.06.2020 Almost everyone knows how to remove the login barrier to the admin area.

In April 2017 alone, the security provider Wordfence more than a billion Brute Force attacks at WordPress sites counted worldwide. And this is only an approximate value - the number of unreported cases is significantly higher. Attacks that attempt to automatically guess passwords and user names thus pose a great danger to WordPress sites worldwide. But not only that. Because about 37.5 percent of the 10 million largest websites currently run under WordPress . And that means that the question of effective protection mechanisms for WordPress also affects the Internet as a whole.

If you want to know exactly how Brute Forceattacks work and how dangerous they are, take a look at our Background article on Brute Force attacks .

Despite their large number, there is one good news: There are useful security measures against Brute Force attacks that you can implement yourself without much effort and above all without any programming knowledge. And there are measures that at least require a basic knowledge of how to handle the .htaccess file.

These are the seven measures we are discussing today:

  1. Strong passwords (very important!)
  2. Do not use "admin" as username
  3. Limit number of invalid logins
  4. Two-Factor Authentication
  5. Multi-level login
  6. Blacklisting
  7. Hide login area (is controversial)

1. use a strong password

A strong password is extremely important as protection against Brute Force attacks. Bots and botnets use huge password databases for their "guessing games". These are bluntly tested. The more unusual and difficult your password is, the more likely it is that it will not appear in them.

The longer and more difficult your password is, the longer it will take bots to crack it if they also try to guess the password without a list.

Your password should therefore contain various character combinations from the ...

  • 10 different numbers (0 to 9)
  • 52 different letters (A to Z and a to z)
  • 32 different special characters ...

... and be at least 8 characters long.

The Password Manager Password Depot provides some clear examples of this Sample calculations ready. It is assumed here that a strong single computer can generate two billion passwords per second. Specifically:

  • A password of 5 characters (3 lower case letters, 2 numbers) has 60 466 176 possible combinations and can be cracked in 0.03 seconds.
  • A password with 8 characters (4 lower case letters, 2 special characters, 2 numbers) already has 457 163 239 653 376 possible combinations. Here the computer needs about two and a half days.
  • And a password of 12 characters (3 uppercase letters, 4 lowercase letters, 3 special characters, 2 numbers) has no less than 475 920 314 814 253 376 475 136 possible combinations. It takes 7.5 million years for a single computer to crack this password.

At WordPress -Codex for the creation of such passwords the Plugin Force Strong Passwords recommended. This forces users to choose complex passwords. This does not make Pluginthem sites directly more secure, but it educates users to use strong passwords. And especially if you are working for a customer, this little help can be very practical.

You don't have to remember the passwords!

Password managers help you create and manage strong passwords. All you need to remember is a master password (of course also as complex as possible). The program will do the rest for you. Apple computers already have a corresponding application called "Keychain Management" installed. Cloud-based password management programs such as 1Password, LastPass or KeyPass work in the same way.

So you do not have to remember all your passwords. Especially if you site maintain more than one and use a variety of services, professional password management is a blessing.


2. do not use the username "admin"

As already mentioned: Brute ForceAttacks are basically attempts at guessing. So you should make it as difficult as possible for hackers to guess your username. Therefore do not use the one from WordPress default username "admin" - and therefore do not use the one the system has preset for you. Because this username is also valid for all other WordPress -user by default.

3. lock' the loginsite after too many failed attempts

Brute Force attacks test thousands and thousands of combinations of user names and passwords. Conversely, this means that you generate thousands and thousands of login attempts to limit.

So your server can definitely tell that something is going on. With a corresponding Plugin you can specify that access is blocked after a certain number of failed attempts, so hackers have to put their attack on hold. You can activate this protection, for example, via a Plugin like WP Limit Login Attempts , Limit Login Attempts Reloaded implement.

Each WordPress installation RAIDBOXES has the function to limit login attempts, integrated as standard. If a person or a bot tries to log into yours site too often with the wrong credentials, we first block the IP in question for 20 minutes. If the login attempts continue with wrong data, the IP will even be blocked for 24 hours. Of course, you can also define the number of attempts and the period of time for which the IP is blocked.

Limit Login Attempts and Co. have an expiration date

However, there is one important thing to understand about thisPlugins: the limitation of login attempts of an IP address has a serious weakness. It cannot anticipate the change of an IP address. This means that attacks with botnets, for example, can only be fended off with a fair amount of effort or not at all. Moreover, with the new generation of IP addresses (the IPv6 addresses), a single attacker can change his IP address in a fraction of a second. This fact increases the danger posed by botnet attacks.

And: A large number of the Brute Force attacks should not be mere guessing games. As the calculation in the section on secure passwords shows, even a botnet with a million devices cannot guess secure passwords. That is why many hackers work with password lists. This reduces the number of login attempts to the possible combinations of the respective password library.

Although the limitation of login attempts per IP still makes sense, the importance of this security mechanism will rapidly decrease in the future. The only truly secure protection mechanism against attacks with changing IPs is two-factor authentication.

4. two-factor authentication

The idea behind the concept of two-factor authentication is to require a second confirmation in addition to the password when logging in. This is usually another alphanumeric code. What is special about this is that it is transmitted outside the actual registration procedure - for example, via a code generator or a mobile phone. And only the owner of this device is finally able to log in.

With the Google App Google Authenticator and a corresponding Pluginone, advanced authentication can be WordPress implemented relatively easily. Frequently used are for example the Plugins Google Authenticator by Hendrik Schack or Google Authenticator from miniOrange.

For added security protection, download the Google app to your phone and install it Pluginin WordPress . Here a QR code is generated, which you scan with the app. Alternatively you can create the account manually. Now your WordPress -user account and the app on your phone.

The app now generates a new security code every 30 seconds. Every user for whom two-factor authentication is activated now sees the line "Google Authenticator Code" in addition to "Username" and "Password" in the login area. To log in, they need the smartphone on which the codes are generated. Large security plugins like e.g. Wordfenceoffer partly a similar mechanism.

The process of double authentication may sound complex, but from a security point of view it is a very good protection against Brute Force attacks. Especially in view of the change from IPv4 to IPv6 addresses mentioned above.

Strong passwords, username changes such Pluginsas Limit Login Attempts, and two-factor authentication are all measures you can implement easily, quickly, and without programming knowledge. And above all, the additional authentication and really strong passwords also protect effectively against Brute Forceattacks.

But if you want, you can do more. You can secure your WP admin area with an additional password, create a black or white list, or create your Hide WP admin area. However, all these measures tend not to offer more security, but should rather be seen as options or alternatives.

5. additional password protection

If you use your WordPress site on an Apache server, you have the possibility to login without Pluginintroducing a multilevel login procedure. Because every WordPress -installation on an Apache server contains a so-called .htaccess file. In this file you can add code for an additional HTTP authentication to add password protection to the loginsite . The server already requires a password to let visitors through to the login screen.

# Protect wp-login
AuthUserFile ~/.htpasswd
 AuthName "Private access"
 AuthType Basic
 require user mysecretuser

With this command, a password request is created before the wp-admin area can even be accessed. Here you enter an additional username and password to access the login area at all. However, the data for the additional user must be defined in the .htpasswd. For this purpose, user name and password must be inserted into the file in encrypted form. The WordPress -Codex explains how this process basically works.

Ebook: Measure the performance of your site like a pro

6. blacklisting & whitelisting

Speaking of .htaccess: With this file, you can implement yet another powerful protection A few lines of code make sure that only certain IPs have access to the WordPress dashboard or individual directories.

To do this, you have to add an additional .htaccess with the following code in the appropriate directory - preferably wp-admin:

# Block access to wp-admin.
 order deny,allow
 allow from x.x.x.x
 deny from all

x.x.x.x.x you have to replace with the IPs that should have access to themsite . The example shows a whitelist, i.e. a list of IPs that are allowed to access themsite . So the loginsite is blocked for all other IPs. By the way, the order of the commands - "allow" followed by "deny" - is extremely important because they are executed in order. If "deny from all" comes first, you too will be in front of locked doors.

A blacklist would implement the exact opposite mechanism: It would determine which IPs are not allowed to access themsite . Of course, there are plugin solutions for both. For example, well-known security plug-ins, such as All In One WP Security, Wordfence , Sucurieach with a blacklist or whitelist function. However, it should be noted that these three can of Pluginscourse do much more than just create blacklists or whitelists. You should therefore not install them exclusively for these functions. A popular alternative here would be the Plugin Loginizerwhich currently has more than 500,000 active installations.

7. hide the registration area

Brute Force Attacks attack your loginsite . A very simple way to prevent these attacks is to not let the attackers access your loginsite at all. For this purpose some webmasters hide the login mask. The login area is then only accessible via a secret URL.

This measure follows the (controversial) principle Security through Obscurity and is not in itself a meaningful safety measure. We at RAIDBOXES are not big friends of this principle. Because if you implement the above measures, you have already secured your login area very well and you do not need to move it any further. Nevertheless, this measure can contribute to the feeling of security, which can be particularly important for the perception of your customers.

If you want to hide wp-admin area you can use one of the big security plugins (which, as I said, offer many more features). Or you can try one of these popular Pluginsones:

As said before: In our opinion, hiding the wp-admin is not a sensible measure - at least not to protect your site from Brute Force to protect against attacks. If you have chosen a strong password and implemented a sensible IP exclusion method or two-factor authentication, you have the risk of a successful Brute Force Attack already significantly reduced.


With a current market share of over 32 percent, it is WordPress by far the largest CMS worldwide. This will probably not change in the future. The Probability of becoming the target of a Brute Force attack is therefore, purely mathematically, extremely high. You must be aware of that. Fortunately, it is also very easy to protect yourself from them. Because a few measures, i.e. secure passwords and two-factor authentication, can be implemented in a few moments and completely without programming knowledge.

And you can also Pluginsimplement the supposedly more difficult measures, such as black- or whitelisting, an additional password protection or blocking mechanism for the login area. So if you only pay attention to the first three or four points of this post, you are already well protected against Brute Forceattacks. Of course you can always do more, i.e. create an additional password protection or set up black- or whitelists. But in such cases you should consider whether the additional security mechanisms are really worth it, especially with regard to the administration effort.

Related articles

Comments on this article

Write a comment

Your e-mail address will not be published. Required fields are marked with * .