Brute force attack prevention

If there’s a user login for your website, it can be targeted by brute force password attacks. Bad actors use automated programs to try thousands of login combinations to get in. Our Web Application Firewall (WAF) stops unauthorized brute force login attempts before they happen.

Get Started

What is a brute force attack?

A brute force attack is when a bad actor attempts a large amount of combinations on a target. These attacks frequently involve multiple attempts on account passwords with the hopes that one of them will be valid.

Every website eventually gets targeted by automated bots. Once attackers gain unauthorized access, they can totally destroy your business. Unless you’re protected by our Web Application Firewall (WAF), here’s what can happen after a brute force attack.

Brute Force Attacks Features

Time delay

There’s often a time delay once access is gained, allowing traffic to die down and server logs to disappear, leaving no trace of the attacker. Some hosts only retain up to seven days of logs, and in some instances no more than 24 hours. If attackers wait long enough, they can log in whenever they like and website owners are none the wiser, making incident handling difficult.

Credential stuffing

Image file sizes get large and this is where a CDN can help your site speed. But first, make sure it can actually deliver images. If your site is full of images, it’s a good idea to include the best image CDN in your search.

Rainbow tables

Hackers who steal password databases originally have a list of encrypted passwords. Passwords should never be stored in plain text, but often the same two encryption methods are used (MD5 or SHA1). These algorithms are easily reversed, allowing the attacker to create precomputed rainbow tables that can match the encrypted output with the plain text password.

Dictionary & hybrid attacks

A basic brute force attack attempts to guess every possible combination of characters until access is granted. This method works quickly if the password is short, but can be exhausting with longer passwords. A dictionary attack use guesses using entire words, while a hybrid attack uses a combination of basic and dictionary attack techniques.

Password-cracking tools

A large selection of password-cracking tools can help attackers trying to break into your website. The tools have various modes to make the attack cover as much ground as possible. With computers able to guess passwords at hundreds of millions per second, so-called strong passwords are often crackable in under an hour of repeated attempts.


Most often, brute-force attacks are not targeted. But when they are, it’s even more dangerous. Attackers can use information about website administrators and users through phishing lures, online profiles, and previous password dumps associated with the user email address. From there, crackers can make custom rule-based attacks that leave you completely exposed.

How our WAF prevents brute force attacks

Our Web Application Firewall (WAF) detects fake browsers and bad bots, and then blocks them automatically. A strong correlation engine shuts down brute force attempts without affecting your good users. Here’s a look under the hood of our WAF.

How the Sucuri firewall protects your site from brute force attacks

Signature detection

We employ a solution that uses heuristic and signature-based techniques. Incoming traffic is sanitized before reaching your website. If there are patterns matching a brute-force attack we block it before it ever reaches your website.

Bot & scan blocking

When our WAF detects a specific bot trying to attack your site using a brute force technique, it is blocked automatically. Similarly, the use of automated tools to scan your website are also blocked, helping to keep your website off attackers’ radar.

2FA, CAPTCHA, or passcodes

Add another layer of protection by enabling the Protected Page option. Specify the page you want to protect, and choose to enable two-factor authentication with Google Authenticator, use a CAPTCHA to stop bots, or add an extra static passcode.

Limit login attempts

Attackers know overusing a login form will draw suspicion through obvious patterns in server logs, built-in limitations, and alerts. A target can be pursued over months and even years with a limited number of requests at one time.


Allowlisting makes certain that only authorized users can log in to your website. When adding your site to our firewall, we will give you the option of blocking access to specific pages. Only people with allowlisted IPs will be able to log in.

Country/geo blocking

Most brute-force attack attempts come from a handful of countries. If you aren’t doing business there, you can completely block all visitors from those IP ranges. We even have an option allowing you to block the top three attack countries by default.

Stop all brute force attacks

Using a combination of detection and allowlisting, the Sucuri Web Application Firewall (WAF) stops brute force attempts in their tracks. Rely on our WAF to protect any website against a number of different password cracking tools and brute force methods.

Prevent brute force attacks with the Sucuri WAF

Start Free Trial

Why Choose Sucuri?

What makes Sucuri the best WAF for small businesses and developers?

Safer and Faster Websites

Sucuri is a website security company which also offers a CDN as part of its protection platform. Sucuri’s CDN provides leading-edge performance and features at a price that makes it affordable for all types of individuals and organizations.

Easy Set Up

It’s also backed by best-in-class research as well as free technical support from a team of experienced pros. Getting started is easy. You can test the Sucuri website firewall free for one month to see how improves the security and speed of your website.

Our solutions address today’s security incidents and protects your website against brute force attacks.

Custom Solutions & Partnerships

Website security for large organizations, web professionals, and partners.

Get in touch to find your own custom solution.

*required sections