Brute force website attack

Started by Plan, Aug 24, 2022, 09:13 AM

Previous topic - Next topic

PlanTopic starter

I'm interested in your views on brute force attacks on websites. Does it actually work or does it just overload the webserver?
Recently, I installed a plugin called Limit Login Attempts on my WordPress website to protect against such attacks. So far, there have been 104 attempted attacks on my website through requests for login credentials on the WP-Login admin panel and XMLRPC. The attackers often use common usernames like "admin," "demo," and "test," as well as some mysterious ones like "Christmas Piano."

Even though I installed the plugin to prevent brute force attacks, I've been experiencing overloading of server RAM, possibly due to other plugins causing errors. However, my question is, these attacks have been happening for around two years, but no one has succeeded in breaking into my website using brute force methods. So, why do people still attempt these attacks if they don't work?

On a related note, it's crucial to take all appropriate measures to protect websites from cyber attacks. This includes installing security plugins, regularly updating software, and using strong passwords.


It's possible that your hosting provider is not aware of the brute force attacks happening on your website. It's also possible that an external script could be hammering on your wp-login.php and sending necessary data, causing the hosting provider to take action against your website. It's crucial to take steps to defend against such attacks, either by setting up protection on your own or hiring someone to do it for you.

One solution could be to restrict access to the admin panel by IP address. However, the issue at hand is not solely with hosting providers but also with webmasters who lack knowledge about website security and expect others to fill in their gaps. It's important to educate oneself on the matter and take proactive measures to protect websites from cyber attacks. Let's not point fingers and instead work towards improving our understanding and skills in this area.


Here are some methods to defend against brute force attacks:

Firstly, limit the number of attempts to enter a password. With only 10-20 attempts, a hacker is unlikely to succeed in finding the correct combination. This also gives the account owner enough chances to remember their password.

Secondly, use hacking detection systems that monitor any suspicious behavior and store information about the device displaying it. These systems can automatically protect the account, providing an extra layer of defense.

In addition, users should be encouraged to come up with complex passwords that consist of letters of different cases, numbers, and special characters. This will make it harder for hackers to crĐ°ck them.

However, it's still possible for hackers to bypass these defensive measures using atypical tactics. Therefore, pentesters continue to check accounts using brute force attacks to identify potential vulnerabilities that may have been overlooked.

It's important to stay vigilant against cyber threats and keep updating security measures as new threats emerge.


Brute force attacks on websites can be effective if the attacker successfully guesses the correct username and password combination. However, in most cases, these attacks are simply attempts to overload the webserver and exploit vulnerabilities.

Installing a plugin like Limit Login Attempts is a proactive step towards protecting your website. It limits the number of login attempts an attacker can make, making it harder for them to guess the correct credentials. The fact that you have experienced numerous attempted attacks but none have succeeded suggests that your security measures are working effectively.

As for why people still attempt these attacks even if they don't work, there could be multiple reasons. Some attackers may simply be testing the waters, looking for any potential vulnerabilities. Others might be using automated tools that indiscriminately scan and attack websites without specific targeting. Additionally, some attackers could be hoping to exploit other weaknesses or gain some form of unauthorized access.

Here are a few more points to consider in terms of protecting your website from cyber attacks:

1. Implement Two-Factor Authentication (2FA): By enabling 2FA, you add an extra layer of security to the login process. This typically involves providing a second form of verification, such as a unique code sent to your mobile device, in addition to your username and password.

2. Regularly Backup Your Website: Creating regular backups of your website ensures that you can quickly restore it in case of a successful attack or any other kind of data loss. Make sure to store these backups on secure and separate servers or cloud storage platforms.

3. Use a Web Application Firewall (WAF): A WAF helps protect your website by filtering out malicious traffic before it reaches your server. It can detect and block common attack patterns, such as SQL injections or cross-site scripting, reducing the risk of successful hacking attempts.

4. Stay Updated: Keep all your website software, plugins, and scripts up to date with the latest security patches. Outdated software can have vulnerabilities that attackers can exploit, so regularly checking for updates is crucial.

5. Monitor Website Traffic and Logs: Keep an eye on your website's access logs, error logs, and traffic patterns. This will help you identify any suspicious activities or unusual traffic spikes that could indicate an ongoing or potential attack.

6. Educate Yourself and Your Users: Stay informed about the latest cybersecurity threats and techniques used by attackers. Educate yourself and your users about best practices for security, such as creating strong passwords, being cautious with email attachments or links, and avoiding suspicious websites.

 tips to enhance your website's security:

1. Use a Secure Hosting Provider: Choose a reputable hosting provider that takes security seriously. Look for providers that offer features like regular backups, server monitoring, and robust security measures, such as firewalls and intrusion detection systems.

2. Remove Unused Plugins and Themes: Keep your website lean and secure by removing any unnecessary plugins or themes. Outdated or unused plugins can become vulnerabilities that attackers can exploit, so it's best to delete them entirely.

3. Employ Content Security Policies (CSP): CSPs let you define which sources of content your website can load. By whitelisting trusted sources, you can prevent malicious scripts or code injections from executing on your website.

4. Secure File Uploads: Implement strong validation and file type checks when allowing users to upload files to your website. This prevents attackers from uploading malicious files that can harm your website or compromise user data.

5. Use HTTPS and SSL/TLS Certificates: Encrypting data transmission between your website and visitors using HTTPS helps protect sensitive information. Obtain and install SSL/TLS certificates to ensure secure connections and build trust with your users.

6. Conduct Regular Security Audits: Periodically assess your website's security by performing thorough security audits. You can use a variety of tools and techniques to scan for vulnerabilities, test for common attack vectors, and ensure your security measures are effective.

7. Be Cautious with User Privileges: Limit user privileges to only what is necessary for their specific tasks. Avoid giving unnecessary administrative access to minimize the potential damage in case an account is compromised.