Brute-Force Attacks Explained (and How to Stop Them)

Brute-force attacks try thousands of passwords against your login page until one works — and they never get tired.

If you have ever looked at the security logs for a website, the sheer number of failed login attempts can be alarming. Most of them are brute-force attacks — automated software guessing usernames and passwords in the hope of getting in.

The good news is that these attacks are noisy, predictable, and entirely beatable with a handful of straightforward measures.

How a brute-force attack works

A brute-force attack uses a bot to try login after login, working through lists of common passwords and leaked credentials. The attacker is not targeting you specifically — they are scanning thousands of sites at once, looking for the easy ones.

Because the attack is automated, it can attempt hundreds of logins a minute. A weak or reused password will eventually be found. This is why the strength of your password matters so much: every extra character makes the maths dramatically harder for the attacker.

The measures that stop them

Rate limiting is the single most effective defence. After a few failed attempts, the login is temporarily locked or the IP address is blocked. This turns an attack that might take minutes into one that would take years.

Two-factor authentication is the next layer — even a correct password is useless without the second code. Beyond that, hide or rename your login page, use strong unique passwords, and remove the default admin username that bots always try first.

What good protection looks like

On a WordPress site, a reputable security plugin handles most of this: limiting attempts, locking out repeat offenders, and alerting you to suspicious activity. A web application firewall adds another layer by blocking known bad actors before they reach the login page at all.

If your site is on a care plan, this is usually monitored for you. The aim is not to make an attack impossible — it is to make your site far more trouble than it is worth, so the bots move on to easier targets.

FAQs

Common questions.

How do I know if my site is being attacked?

A security plugin or your host's logs will show repeated failed login attempts, often from many different IP addresses. A sudden spike is a clear sign.

Does a strong password alone protect me?

It helps enormously, but pairing it with rate limiting and two-factor authentication is what makes a brute-force attack effectively pointless.

How do we limit how many login attempts someone can make on our website?

We add a rate-limiting rule or a plugin that locks an account temporarily after a set number of failed attempts, which stops automated tools from trying thousands of passwords in seconds. Combined with two-factor authentication this makes a brute-force attack on your login page practically pointless.

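The lockout rule described in the section on rate limiting and in the FAQ answer above, as an added example in Python (not code from this guide or from any plugin it mentions): a sliding-window limiter that locks a username-plus-IP key after a set number of failures. The thresholds (5 failures within 10 minutes, 15-minute lock) and the sample usernames and addresses are assumed values for illustration.

```python
# Added example (not code from the guide or any plugin it mentions):
# a sliding-window login rate limiter with temporary lockout.
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    def __init__(self, max_failures=5, window=600, lockout=900):
        self.max_failures = max_failures     # failures allowed per window
        self.window = window                 # seconds the window covers
        self.lockout = lockout               # seconds a key stays locked
        self._failures = defaultdict(deque)  # key -> recent failure times
        self._locked_until = {}              # key -> time the lock expires

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        if until is not None:                # lock has expired: reset
            del self._locked_until[key]
            self._failures.pop(key, None)
        return False

    def record_failure(self, key, now=None):
        """Count a failed login; return True if the key is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(key, now):
            return True
        q = self._failures[key]
        while q and now - q[0] > self.window:  # drop stale failures
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

def replay_failures(attempts, limiter=None):
    """Replay (user, ip, time) failures; count those reaching the password check."""
    limiter = LoginRateLimiter() if limiter is None else limiter
    checked = 0
    for user, ip, t in attempts:
        # IP alone misses bots rotating addresses; username alone lets an
        # attacker lock the real user out, so the key combines both.
        key = f"{user.lower()}@{ip}"
        if not limiter.is_locked(key, t):    # locked keys are refused outright
            checked += 1
            limiter.record_failure(key, t)
    return checked
```

Replaying ten failures from one address stops after the fifth, while the same ten spread across ten addresses all reach the password check, which is why the guide pairs rate limiting with two-factor authentication rather than relying on it alone.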