What is a Brute Force Attack & How to Prevent It

Unlike many other tactics used by bad actors, brute force attacks don’t rely on vulnerabilities within websites. Instead, these attacks rely on users having weak or guessable credentials to extract them. The simplicity involved and amount of targets make brute force attacks very popular.

What is a Brute Force Attack?

Brute force attacks occur when a bad actor attempts a large amount of combinations on a target. These attacks frequently involve multiple attempts on account passwords with the hopes that one of them will be valid. It’s a bit like trying all of the possible combinations on a padlock, but on a much larger scale.

Passwords are not the only resource that can be brute forced: Links and directories, usernames, and emails are other common targets.

Stop Brute Force Attacks

What is the Purpose of Brute Force Attacks?

The objective of a brute force attack is to gain access to a resource otherwise restricted to other users. This can be an administrative account, password-protected page, or simply to enumerate valid emails on a given website.

Gaining access to a valid account can mean compromising the entire site, which bad actors can then use as part of their network of compromised websites.

How Does a Brute Force Attack Work?

The most common type of brute force attack is a dictionary attack and involves a list of credentials, typically by using common usernames and passwords to gain access to administrative accounts.

Usually generic dictionary attacks will try to login with the most commonly used credentials, such as “admin” and “123456.”

What Does a Brute Force Attack Look Like?

Common sense is important in identifying brute force attempts. Basically, if it appears someone is repeatedly and unsuccessfully trying to log in to an account, it’s likely an attempted brute force attack.

Signs can include:

The same IP address unsuccessfully trying to log in multiple times.

Many different IP addresses unsuccessfully trying to log in to a single account.

Multiple unsuccessful login attempts from various IP addresses in a short time period.

Brute Force Attack Examples

We’ve seen how brute force attacks could add you to a botnet to include you in DDoS attacks. Other examples include how attackers brute force its credentials to deface a website.

Gaining access to an administrative account on a website is the same as exploiting a severe vulnerability. Hackers will attempt to profit from their access, such as by adding spam, distributing malware, or phishing unsuspecting victims.

Types of Brute Force Attacks

At its core, brute force is the act of trying many possible combinations, but there are many variants of this attack to increase its success rate. Here are the most common:

1Simple Brute Force Attack

A generic brute force attack can use different methods, such as iterating through all possible passwords one at the time. This is commonly used on local files, where there are no limits to the number of attempts you have, as other attacks are commonly more successful at scale.

2Dictionary Attack

This attack uses a list of words and common passwords instead of going in randomly, building a “dictionary” of possible passwords and iterating through them. Using a good password list can help to improve the attackers success rates, but these attacks often require a large number of attempts against possible targets.

3Hybrid Brute Force Attack

A hybrid attack uses both the dictionary attack and a regular iterative pattern. Instead of trying literally all passwords, it will perform small modifications to words in a dictionary, such as adding numbers or changing the case of letters.

4Credential Stuffing

With a growing amount of data breaches, password reuse is an easy way to compromise specific accounts reusing passwords.

Credential stuffing attacks have a low rate of success and primarily rely on lists of usernames and passwords commonly found from data breaches. Hackers use these lists to attempt to log in with these stolen credentials, stressing the importance of updating your username and password if your data has been involved in a breach.

How to Prevent Brute Force Attacks

As brute force attacks are not a vulnerability per se, keeping the software up to date is not enough to protect yourself. Here are few common methods to prevent these attacks:

1Use Strong Passwords

Brute force relies on weak passwords. A strong password contains the following traits:

Unique: You should avoid reusing passwords, as websites get compromised and passwords will get cracked. By reusing passwords, attackers can more easily target you using your compromised credentials on other websites.

Long: Longer passwords mean more possible combinations before reaching it. Five-character passwords are easy to crack on pretty much any computer in a few seconds, 10 characters would take a few years, and 20 characters would take nearly forever.

Hard to guess: Snippets of information like your own name or the city where you live might make a password easier to remember, but it’s also easier to guess if someone gains any information about you. The same goes for common text, such as “12345” or “password,” which are commonly used in credentials, since they are easy to remember.

With these characteristics applied, brute force attempts will not be successful in guessing your password, and therefore you should be safe against them.

The same principles apply to recovery questions: If your recovery questions are weak, but your password is strong, it is easy for attackers to reset your password instead of guessing it.

2Restrict Access to Authentication URLs

A requirement for brute force attacks is to send credentials. If you change the login page URL — for example, moving from /wp-login.php to /mysite-login — this can be enough to stop most automated and bulk tools.

Unfortunately, this suggestion won’t work on advanced attacks if the link is guessable or if it’s visible on the page, but it’s an easy way to prevent automated attacks.

3Limit Login Attempts

Brute force attacks rely on attempting multiple passwords and accounts. By restricting login attempts to a small amount per user, attackers won’t be able to try more than a few passwords.

A common way to restrict login attempts is to temporarily ban an IP from logging in after five failed login attempts, where subsequent attempts at a login will be blocked.


Captchas are a good way of preventing bots and automated tools from doing actions on your website by giving them challenges before they even can attempt a login. As the challenge is designed to be solved by humans, robots have a hard time passing them which blocks their attacks.

5Use Two-Factor Authentication (2FA)

2FA adds another layer of security to your login form. Once you login with appropriate credentials, you will need to enter a code which can only be accessed by you, such as an email or a unique code generated by an authentication tool.

This additional layer prevents anyone who has successfully obtained your credentials from accessing your account without a secondary piece of authentication.

Closing Thoughts on Brute Force Attacks

With all the advanced methods involved in today’s online scams, it’s almost surprising to learn that one of the most common and successful has a distinctly human element to it. Avoiding brute force attacks can simply be a matter of changing your online habits, like using stronger passwords and not reusing them, or updating easy-to-guess URLs.

You might also make a little extra effort toward security by setting up two-factor authentication or putting your website behind a web application firewall (WAF). A firewall essentially stops bad actors dead in their tracks.

Additional Resources


Learn how to identify issues if you suspect your WordPress site has been hacked.

Watch Now

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.

Sign Up


Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.

Read Now


Learn security best practices for WordPress websites to improve website posture and reduce the risk of a compromise.

See Now