WordPress Brute Force Password Hacking

wordpress brute force password hacking

WordPress Hosting and Brute Force Website Logins

A crucial part of maintaining a digital presence is in choosing a hosting service capable of securing your site against cyber attacks. Websites can hold valuable personal and corporate information, such as login details, access to banking and credit accounts, employee payroll accounts, and access to privileged company information. All such data can potentially be accessed through a successful brute force attack.

What is WordPress Hosting?

Website hosting is a service that provides storage and resources designed to accommodate websites, blogs, emails and so on. WordPress hosting is only different in one key area: the host has been specifically optimized to run WordPress. The available resources will vary from one host to the next, but they typically include one-click installation, automatic updating and knowledgeable support staff.

Types of WordPress Hosting

There are two types of WordPress hosting to suit the user’s desired level of personal involvement with their website.

Shared Hosting involves one physical server hosting any number of websites. All of the resources included with that server are also shared, which is why this tends to be the cheapest WordPress hosting option. The hosting provider is responsible for keeping their Servers up-to-date and basic securities in place.  

Dedicated Hosting is where your website is residing on its own Server. You decide what resources you want the Server to have to get the performance you need. This option is typically chosen for e-commerce sites that are processing orders. A dedicated web Server might be managed by your own IT people, or by the hosting provider, or a combination of both.  Whatever the scenario, someone must ensure the Server is kept updated and adequate securities are in place.

What is a Brute Force Attack?

The motivation behind a brute force attack is to gain access to a website and collect data. This kind of cyber attack is basically a way of accessing password-secured information through systematic guesswork. It is relatively unsophisticated but effective. In most cases, the attacker carries out automated attacks on a number of sites at one time in the hopes of gaining access to user accounts. Once their original attack has succeeded, they can then continue to use the same tactics to increase their access to the website and move through the network of user accounts there, exploiting security vulnerabilities as they go along. 

Types of Brute Force Attacks

Dictionary Attacks

In a dictionary attack, an attacker selects a target and then tests a variety of passwords based on their target’s username, which they will have amended by adding special characters, numbers and additional letters. Fortunately, this kind of attack takes time and has a low probability of success compared to newer attack types. 

Simple Brute Force Attacks

As the name implies, a simple brute force attack is as low-tech as cyberattacks get. Basically, an attacker tries to guess their target’s login details without the benefit of software. Instead, they work through a series of commonly used passwords and Personal Identification Numbers (PINs). This kind of attack is simple, but it works because too many Internet users tend to create weak passwords or use the same password across several websites. A would-be attacker only needs to do a little work to determine their target’s likely passwords. 

Hybrid Brute Force Attacks

When a simple attack is combined with a dictionary attack, the result is called a hybrid brute force attack. This type is based on the hacker knowing their target’s username, then using a dictionary and simple attack tactics to determine the user’s login details. Beginning with a list of likely passwords, the attacker tries different combinations, using commonly-used words and random numbers, years or characters.

Reverse Brute Force Attacks

This type of attack begins with a known password instead of a username. Next, the attacker searches for matching usernames. In this case, an attacker can make use of commonly known weak usernames to search for a match.

Credential Stuffing

Credential stuffing makes use of bad password etiquette. An attacker will use stolen login details, which they test on multiple websites in an attempt to gain access to user accounts. This attack method is successful based on the premise that people often use the same login details, or simply the same password, across more than one account.

How You Can Prevent a Brute Force Attack

Any type of brute force attack takes time to complete, so you have that working for you. Still, there are a few ways to help prevent brute force attacks from succeeding in the first place.

Monitor Attempted Logins

By monitoring all of the attempted logins, you can easily spot when a large number of failed logins occur over a relatively small period of time. When you spot an attack in process, you can then disable the account in question while you investigate the problem. In the case of shared WordPress hosting, the onus for monitoring login attempts sits with the site creator or whoever is in charge of site maintenance. In the case of Dedicated WordPress hosting, login monitoring is typically a service provided by the host.

Stronger Passwords

Make sure your website users create strong, complex passwords. If your password is a random collection of letters, special characters and numbers, it will be harder for hackers to use a brute force attack on your site.


Captcha is a security system that is designed to distinguish humans from machines. It is typically used to disrupt spamming and automated data extraction, but by having the website user complete a task (such as identifying a series of images) at the time of login, it adds an extra layer of protection against attacks.

Multi-Factor Identification (MFA)

MFA essentially requires that the person who created the account in the first place is the one to log in. MFA tactics can include the use of biometrics or the use of a code sent via text, email, or an authenticator app.  It can also include a message having the account creator provide and answer a personal question, or a combination of these methods.

How to Prevent a WordPress Brute Force Attack

With WordPress specifically, there are a number of things you can do to prevent a brute force login attack beyond what’s listed above. These include:

  1. A Secure Login – this includes the actual login name (don’t use the default, Admin) as well as changing the login page so that it’s not the default wp-admin or wp-login that every hacker knows.
  2. Update WordPress to Latest Version – always make sure that your site is updated to the latest and most secure version of WordPress available. 
  3. Install a WordPress Security Plugin – choose a plugin that allows you to customize your site’s security settings
  4. Update WordPress Theme and Plugins – this is one of the most common ways hackers find their way into your site – through old and outdated themes and plugins.
  5. Use Secure WordPress Hosting – this is where BSC Solutions Group comes in. Get in touch to see how we can help with WordPress hosting and security.

What Does BSC Solutions Group Do?

As providers of both shared WordPress website hosting and dedicated Server hosting, we see a considerable number of brute force attacks being attempted across the various websites we host. To block these attacks from succeeding, we have implemented a new brute force login protection tool that allows us to track the number of failed login attempts in a specified timeframe using a quota-based system.

When a login fails ten times across our entire network, we block the attacker’s IP address and thus prevent them from gaining access to the websites we host. 

Still have questions? Let BSC Solutions Group solve your problems.