What is a Brute Force Attack
Simply put, a ‘brute force’ attack is when an attacker bombards a website, typically the login form, with combinations of usernames and passwords in the hope of breaking into the site. Using what is also referred to as a dictionary attack, they hit the login form with sometimes thousands of username and password combinations, hoping to get lucky. Sounds like a lot of work, right? Not really, once you consider the dictionary aspect of the attack: a computer (or worse, a network of computers) can run through thousands upon thousands of combinations in a matter of seconds.
Is Your Username ‘Admin’?
Now, thinking about the method explained above, if your username is ‘Admin’ you have already given the attacker half of the combination. In fact, many attacks on WordPress sites are targeted at users who have the username ‘admin’, at which point the attacker only has to guess your password.
Is Your Password One or More Common Words, Names or Dates?
This is where the dictionary aspect really comes into play. An attacking computer or network can bombard your site with thousands of password combinations in a matter of seconds, and if you are using real words, names or dates it is only a matter of time (minutes, or even seconds) before they could get in.
The Image Above
If you take a look at the image for this post, it is from an error log file that I was actually watching in real time. You will see that the wp-login.php file is being bombarded several times a second. You will also see the message ‘client denied by server configuration’, which in short means we had a plugin on this site that sensed the attack and basically shut down access to the login form for a while as the attack continued. This attack went on for approximately 45 minutes and was traced back to a server in Utah.
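As an added example (not code from the original post or from the plugin it mentions), here is a small detector that reads Apache 2.2-style error log lines like the ones the post describes, groups wp-login.php hits by client address and flags any address that exceeds a rate threshold. The log format, the sample lines and the window/threshold values are assumptions; the addresses come from reserved documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache 2.2 error-log style (an assumption about the
# log format shown in the post); addresses are from reserved documentation ranges.
SAMPLE_LOG = """\
[Mon Oct 14 10:02:11 2013] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/wp-login.php
[Mon Oct 14 10:02:11 2013] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/wp-login.php
[Mon Oct 14 10:02:11 2013] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/wp-login.php
[Mon Oct 14 10:02:12 2013] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/wp-login.php
[Mon Oct 14 10:02:30 2013] [error] [client 198.51.100.7] client denied by server configuration: /var/www/html/wp-login.php
[Mon Oct 14 10:02:31 2013] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""

# Only lines that mention wp-login.php are of interest; everything else is ignored.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*wp-login\.php.*)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, message) for a wp-login.php line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("msg")


def flag_bursts(lines, window_seconds=1, threshold=3):
    """Map each client IP to its peak number of wp-login.php hits inside any
    window_seconds-long window, keeping only IPs at or above threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, _ = parsed
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until the span fits within window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Against a real file, call `flag_bursts(open("error_log").readlines())`; on the sample above only 203.0.113.45 is flagged, since 198.51.100.7 touched wp-login.php once and its favicon line is skipped by the parser.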