
What is a Brute Force Attack? How Hackers Target WordPress Logins

Learn how brute force attacks work, why WordPress sites are targeted, and how attackers use automated tools to crack passwords. Essential security knowledge.

Marcus Johnson
8 min read
[Image: Brute force attack attempting to hack WordPress login]

Understanding Brute Force Attacks

A brute force attack is one of the oldest and most straightforward hacking techniques—and it remains devastatingly effective against WordPress sites. The concept is simple: attackers systematically try every possible password combination until they find the right one. With automated tools capable of trying thousands of passwords per minute, even moderately strong passwords can eventually fall.

WordPress sites are prime targets because the login page location is predictable (wp-login.php), usernames are often discoverable, and many sites lack basic protection against repeated login attempts.

How Brute Force Attacks Work

The Attack Process

  1. Target Discovery - Attacker identifies WordPress sites (easy via meta tags, file paths)
  2. Username Enumeration - Discovers valid usernames via author archives (?author=1) or REST API
  3. Password Guessing - Automated tools try thousands of password combinations
  4. Success - Once a valid combination is found, attacker gains access

Attack Speed

Modern brute force tools can attempt:

  • 1,000+ passwords per minute against unprotected sites
  • Multiple usernames simultaneously
  • Distributed attacks from thousands of IPs

Types of Brute Force Attacks

Simple Brute Force

Tries every possible character combination (a, b, c... aa, ab, ac...). Effective against short passwords but slow against longer ones.

Dictionary Attack

Uses lists of common passwords and words. Much faster because it skips random combinations and focuses on likely passwords.

Credential Stuffing

Uses username/password pairs stolen from other data breaches. Exploits password reuse across sites.

Hybrid Attack

Combines dictionary words with numbers and symbols (password1, Password!, p@ssw0rd). Targets common password patterns.

Reverse Brute Force

Uses a common password (123456) and tries it against many usernames. Effective for finding weak accounts.

Why WordPress Sites Are Vulnerable

Predictable Login URL

Every WordPress site has wp-login.php at the same location. Attackers don't need to search for it.

Username Discovery

By default, WordPress exposes usernames through:

  • Author archive URLs (/author/admin/)
  • REST API (/wp-json/wp/v2/users)
  • Login error messages ("Invalid username" vs "Incorrect password")

No Default Protection

WordPress doesn't limit login attempts by default. Attackers can try unlimited passwords without being blocked.

Weak Passwords

Many users still use weak passwords. Top passwords like "123456" and "password" remain common.

Signs Your Site is Under Attack

  • Slow site performance during login attempts
  • Unknown login attempts in security logs
  • Legitimate users being locked out
  • High server resource usage
  • Failed login email notifications
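The second sign above, unknown login attempts in the logs, can be checked without any plugin by reading the web server's access log. The script below is an added example, not part of the article or of WP Folder Shield: it parses a few constructed Apache combined-format log lines and flags any IP that posts to wp-login.php more than a threshold number of times inside a sliding window. It relies on one piece of WordPress behaviour: a failed login re-renders the form (HTTP 200), while a successful one redirects to the dashboard (HTTP 302), so POST + 200 on wp-login.php is a failed attempt.

```php
<?php
// Added example, not from the article or WP Folder Shield: flag IPs hammering
// wp-login.php in a web server access log. Run as: php detect_login_bursts.php
declare(strict_types=1);

// Constructed sample in Apache combined-log format. 203.0.113.7 fails six
// times in ten seconds; 198.51.100.4 is a normal visitor who logs in once.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [18/Jan/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [18/Jan/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [18/Jan/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [18/Jan/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [18/Jan/2026:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [18/Jan/2026:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
198.51.100.4 - - [18/Jan/2026:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jan/2026:10:00:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/** Splits one combined-log line into ip, unix time, method, path and status. */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH),
        'status' => (int) $m[5],
    ];
}

/** A failed login is a POST to wp-login.php answered with the form again (200). */
function is_failed_login(array $r): bool
{
    return $r['method'] === 'POST' && $r['path'] === '/wp-login.php' && $r['status'] === 200;
}

/**
 * Returns [ip => peak count] for every IP whose failed logins reached
 * $threshold within any $window-second span (sliding window per IP).
 */
function find_login_bursts(string $log, int $threshold = 5, int $window = 60): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || !is_failed_login($r)) {
            continue;
        }
        $byIp[$r['ip']][] = $r['time'];
    }

    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;
        $peak  = 0;
        foreach ($times as $i => $t) {
            while ($t - $times[$start] >= $window) {
                $start++;
            }
            $peak = max($peak, $i - $start + 1);
        }
        if ($peak >= $threshold) {
            $flagged[$ip] = $peak;
        }
    }
    return $flagged;
}

foreach (find_login_bursts(SAMPLE_LOG) as $ip => $count) {
    printf("%s: %d failed logins within 60s\n", $ip, $count);
}
```

Run against the sample, only 203.0.113.7 is reported; the visitor who loaded the form once and then logged in (302) is not. Point the script at a real log by replacing SAMPLE_LOG with file_get_contents() of the access log, and keep the threshold in line with whatever lockout limit the site uses so the two views agree. Note that a distributed attack of the kind described under Attack Speed will stay below a per-IP threshold, which is why a rising total of 200-status POSTs to wp-login.php is worth watching alongside the per-IP count.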

How WP Folder Shield Stops Brute Force Attacks

Login Attempt Limiting

After a configurable number of failed attempts (default: 5), the IP is temporarily locked out. This makes brute force attacks impractical.

Progressive Lockouts

Repeated violations result in longer lockout periods, discouraging persistent attackers.

Auto-Blocking

After repeated lockouts (default: 10), the IP is blocked outright for a full 24 hours.
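The three mechanisms above (attempt limiting, progressive lockouts, auto-blocking) fit together in a small amount of code. What follows is an added illustration written for this article, not WP Folder Shield's implementation: a must-use plugin that counts failures per IP in WordPress transients, rejects authentication while the IP is locked out, doubles the lockout each time it recurs, and escalates to a 24-hour block. The thresholds mirror the defaults quoted above; the 15-minute base lockout, the transient names and the `ell_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Limiter
 * Description: Added illustration (not WP Folder Shield's code) of attempt
 *              limiting, progressive lockouts and a 24-hour block.
 *              Drop into wp-content/mu-plugins/ to activate.
 */
defined('ABSPATH') || exit;

// Assumed thresholds, matching the defaults the article quotes.
const ELL_MAX_FAILURES   = 5;                      // failures before a lockout
const ELL_BASE_LOCKOUT   = 15 * MINUTE_IN_SECONDS; // first lockout; doubles on each repeat
const ELL_MAX_LOCKOUTS   = 10;                     // lockouts before a hard block
const ELL_BLOCK_DURATION = DAY_IN_SECONDS;

function ell_client_ip(): string
{
    // REMOTE_ADDR is the one address a client cannot forge. Behind a reverse
    // proxy, have the web server rewrite REMOTE_ADDR from the proxy's header;
    // reading X-Forwarded-For here would let attackers pick their own bucket.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ell_key(string $what, string $ip): string
{
    return 'ell_' . $what . '_' . md5($ip);
}

function ell_is_restricted(string $ip): bool
{
    return (bool) get_transient(ell_key('block', $ip)) || (bool) get_transient(ell_key('lock', $ip));
}

// 1. Refuse authentication outright while the IP is locked out or blocked.
//    Priority 30 runs after WordPress's own password check (priority 20),
//    so the error below replaces whatever that check returned.
add_filter('authenticate', function ($user, $username, $password) {
    if (ell_is_restricted(ell_client_ip())) {
        return new WP_Error('ell_locked', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// 2. Count failures per IP. On the Nth failure start a lockout, each one
//    twice as long as the last; after too many lockouts, block for 24 hours.
add_action('wp_login_failed', function ($username) {
    $ip = ell_client_ip();
    if (ell_is_restricted($ip)) {
        return; // attempts during a lockout are already rejected above
    }
    $failures = (int) get_transient(ell_key('fail', $ip)) + 1;
    set_transient(ell_key('fail', $ip), $failures, HOUR_IN_SECONDS);
    if ($failures < ELL_MAX_FAILURES) {
        return;
    }
    delete_transient(ell_key('fail', $ip));
    $lockouts = (int) get_transient(ell_key('lockouts', $ip)) + 1;
    set_transient(ell_key('lockouts', $ip), $lockouts, DAY_IN_SECONDS);
    if ($lockouts >= ELL_MAX_LOCKOUTS) {
        set_transient(ell_key('block', $ip), time(), ELL_BLOCK_DURATION);
        return;
    }
    $duration = min(ELL_BLOCK_DURATION, ELL_BASE_LOCKOUT * (2 ** ($lockouts - 1)));
    set_transient(ell_key('lock', $ip), time(), $duration);
});

// 3. A successful login clears the failure counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ell_key('fail', ell_client_ip()));
}, 10, 2);
```

Two caveats a deployment has to weigh. Per-IP counters lock out everyone behind a shared NAT or office proxy when one of them mistypes a password a few times, so the base lockout should be short and the message should tell users when to retry. And a distributed attack of the kind described under Attack Speed, with one or two guesses per IP, never reaches the threshold at all; that gap is what the threat-intelligence blocklist below is for.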

Threat Intelligence

Known brute force IPs from our network of 10,000+ sites are blocked proactively—before they even try to log in.

Username Enumeration Blocking

Blocks author enumeration and REST API user endpoints, preventing attackers from discovering valid usernames.

Custom Login URL

Hide wp-login.php entirely. Bots can't attack what they can't find.

Login Error Masking

Don't reveal whether a username exists. Generic error messages prevent username confirmation.
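The three username leaks listed under Username Discovery are each closed by a WordPress hook, and the two mitigations above (enumeration blocking and error masking) can be shown together. The plugin below is an added example, not WP Folder Shield's code: it sends author-archive requests from anonymous visitors back to the home page, removes the REST users routes for callers who cannot list users anyway, and replaces every login error with one generic message. The route keys are WordPress core's own; the `login_errors` replacement text and the decision to redirect rather than return 404 are assumptions.

```php
<?php
/**
 * Plugin Name: Example Enumeration Guard
 * Description: Added illustration (not WP Folder Shield's code) that closes
 *              the three username leaks the article lists: author archives,
 *              the REST users endpoint and username-specific login errors.
 *              Drop into wp-content/mu-plugins/ to activate.
 */
defined('ABSPATH') || exit;

// 1. Author archives. A request for /?author=1 is redirected by WordPress to
//    /author/<login>/, which reveals the username. Send both forms of the
//    request to the home page for anyone who is not logged in.
add_action('init', function () {
    if (is_admin() || is_user_logged_in()) {
        return;
    }
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 2. REST API. /wp-json/wp/v2/users lists every author's login to anonymous
//    callers. Remove the list and single-user routes unless the caller holds
//    the list_users capability (anonymous REST calls resolve to user 0).
add_filter('rest_endpoints', function (array $endpoints) {
    if (current_user_can('list_users')) {
        return $endpoints;
    }
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});

// 3. Login errors. "Invalid username" versus "The password you entered for
//    the username X is incorrect" confirms which half was right. Return one
//    message regardless of which check failed.
add_filter('login_errors', function ($message) {
    return 'Invalid login credentials.';
});
```

The `login_errors` filter is applied to every message wp-login.php shows, including the lost-password form's "there is no account with that username" response, so the generic text closes that confirmation path as well. Check the result from a logged-out browser: `/?author=1` and `/author/<login>/` should land on the home page, `/wp-json/wp/v2/users` should return the REST "no route" error, and a wrong username and a wrong password should produce identical login pages.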

Best Practices for Brute Force Prevention

Strong Password Policy

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Unique passwords for each site
  • Use a password manager
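WordPress's built-in strength meter only advises; it does not refuse a weak password. The plugin below is an added example, not WP Folder Shield's code, that enforces the policy above at the two places a user sets a password (the profile screen and the password-reset form). The denylist is a constructed handful of the passwords this article names; a real deployment would check a breached-password list instead. The `epp_` prefix and error text are assumptions.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Description: Added illustration (not WP Folder Shield's code) that enforces
 *              a 12-character, mixed-class password policy on profile updates
 *              and password resets. Drop into wp-content/mu-plugins/ to activate.
 */
defined('ABSPATH') || exit;

// Constructed denylist using passwords the article names (compared lowercased).
// A real deployment would check a breached-password list instead.
const EPP_DENYLIST = ['123456', 'password', 'password1', 'password!', 'p@ssw0rd'];

/** Returns the policy rules $password breaks; an empty array means it passes. */
function epp_password_problems(string $password, string $username = ''): array
{
    $problems = [];
    if (strlen($password) < 12) {
        $problems[] = 'must be at least 12 characters long';
    }
    $classes = [
        '/[a-z]/'        => 'a lowercase letter',
        '/[A-Z]/'        => 'an uppercase letter',
        '/[0-9]/'        => 'a number',
        '/[^a-zA-Z0-9]/' => 'a symbol',
    ];
    foreach ($classes as $pattern => $label) {
        if (!preg_match($pattern, $password)) {
            $problems[] = 'must contain ' . $label;
        }
    }
    if (in_array(strtolower($password), EPP_DENYLIST, true)) {
        $problems[] = 'is on the common-password list';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'must not contain your username';
    }
    return $problems;
}

/** Reads the submitted password (field pass1 on both forms) and records violations. */
function epp_check_submitted_password(WP_Error $errors, string $username): void
{
    $password = isset($_POST['pass1']) ? (string) wp_unslash($_POST['pass1']) : '';
    if ($password === '') {
        return; // no password change in this request
    }
    foreach (epp_password_problems($password, $username) as $problem) {
        $errors->add('epp_weak_password', 'Password ' . $problem . '.');
    }
}

// Profile screen: $user is the object built from the submitted form.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    epp_check_submitted_password($errors, (string) ($user->user_login ?? ''));
}, 10, 3);

// Password-reset form: $user is a WP_User (or a WP_Error for a bad reset key).
add_action('validate_password_reset', function ($errors, $user) {
    $login = $user instanceof WP_User ? $user->user_login : '';
    epp_check_submitted_password($errors, $login);
}, 10, 2);
```

Adding an error to the WP_Error object on either hook makes WordPress abort the save and show the messages, so a user cannot set "password1" even if they dismiss the strength meter. The policy deliberately does not cover the uniqueness rule in the list above; no server can verify that a password is unused elsewhere, which is why the last bullet points to a password manager.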

Enable 2FA

Even if attackers guess the password, they can't generate the 2FA code.

Limit Login Attempts

Enable WP Folder Shield's brute force protection with appropriate thresholds.

Use Custom Login URL

Change your login URL from wp-login.php to something unique.

Block Known Attacker IPs

Enable Threat Intelligence to block IPs known for brute force attacks.

Conclusion

Brute force attacks are constant, automated threats against every WordPress site. Without protection, it's only a matter of time before attackers find weak credentials. WP Folder Shield provides comprehensive brute force protection: login limiting, progressive lockouts, auto-blocking, threat intelligence, and custom login URLs. Don't leave your login page unprotected—enable brute force protection today.

Written by Marcus Johnson

WP Folder Shield Team
