Brute-Force Attacks Explained (and How to Stop Them)
Brute-force attacks try thousands of passwords against your login page until one works — and they never get tired.
If you have ever looked at the security logs for a website, the sheer number of failed login attempts can be alarming. Most of them are brute-force attacks — automated software guessing usernames and passwords in the hope of getting in.
The good news is that these attacks are noisy, predictable, and entirely beatable with a handful of straightforward measures.
How a brute-force attack works
A brute-force attack uses a bot to try login after login, working through lists of common passwords and leaked credentials. The attacker is not targeting you specifically — they are scanning thousands of sites at once, looking for the easy ones.
Because the attack is automated, it can attempt hundreds of logins a minute. A weak or reused password will eventually be found. This is why the strength of your password matters so much: every extra character makes the maths dramatically harder for the attacker.
The measures that stop them
Rate limiting is the single most effective defence. After a few failed attempts, the login is temporarily locked or the IP address is blocked. This turns an attack that might take minutes into one that would take years.
Two-factor authentication is the next layer — even a correct password is useless without the second code. Beyond that, hide or rename your login page, use strong unique passwords, and remove the default admin username that bots always try first.
What good protection looks like
On a WordPress site, a reputable security plugin handles most of this: limiting attempts, locking out repeat offenders, and alerting you to suspicious activity. A web application firewall adds another layer by blocking known bad actors before they reach the login page at all.
If your site is on a care plan, this is usually monitored for you. The aim is not to make an attack impossible — it is to make your site far more trouble than it is worth, so the bots move on to easier targets.