How to Defend Your Website from Brute Force Attacks

How to Defend Your Website from Brute Force Attacks


A brute force attack is the most common type of attack that cybercriminals use to gain access to websites. When successful, this gives the attacker complete control over your site, enabling them to take it offline, steal user details or install malware that will infect other internet users. In this post, we look at what a brute force attack is and what you need to do to protect your website from them.

What is a brute force attack?

A brute force attack is where a cybercriminal attempts to gain access to your website by guessing your username and password. This may seem like a difficult thing to do given that most sensible users have hard to guess login credentials. Unfortunately, that’s not necessarily the case. Modern cybercriminals make use of sophisticated software that can make thousands of rapid, consecutive attempts to gain access. These types of software don’t make random guesses either. Instead, they are armed with huge databases of stolen login credentials and use advanced AI-enabled algorithms that help them quickly determine what your username and password might be. A well-equipped hacker can often crack a password in less than a minute.

How to defend against a brute force attack

  1. Make sure usernames are not visible and not easy to guess

    A hacker needs both a username and password to log in. One of the first things you should do, therefore, is to make sure you do not use default usernames like ‘admin’.

    You should also make sure that your username does not appear on your website. If you use WordPress, for example, you can give a user a nickname in the user settings. This means that if that user publishes a post, it’s the nickname that will be displayed, not the actual username.

    If you are a business or organisation that mentions employees by name on the website, then make sure their real name is not the same as their username.

  2. Strong passwords

    While brute force software is getting better at discovering passwords, the longer, more complicated and more random a password is, the harder it is for the software to crack it. If it takes too long the hacker might give up, as there are always easier websites to break into. Where possible, make use of password-generation tools that are designed to create passwords that are very difficult to crack.

  3. Make use of a firewall

    Firewalls are designed to spot malicious activity on your server and can detect and prevent all kinds of threats, including brute force attacks. When they detect a lot of attempts to log in to your website happening in rapid succession, they can block access to them. When your website is hosted at Webhosting UK, your server is automatically protected by an advanced firewall that will defend it against intrusion, malware infection and data loss.

  4. Use two-factor authentication

    Two-factor authentication is an additional layer of verification that requires users to type in a code sent to a smartphone after they have inputted their username and password. Without the username, password and code, access is denied. While some users find it annoying to have to go through this extended login process, it massively reduces the chance of a brute force attack being successful. With two-factor authentication in place, the hacker would also need to guess the code to break in. As these codes are only valid for ten minutes or so, this makes the task incredibly difficult to do even with the latest brute force technology.

  5. Add Captcha to the login page

    Captcha is a commonly used form of security that asks users to answer a question or confirm that they are human as part of the login process. This requires hackers to carry out additional actions, some of which can only be done manually when logging in. This slows down the speed at which brute force software can make attempts to break in. For many hackers, it’s just too much bother and they will move on to a website that is less well-defended.

  6. Setup admin login notifications

    While not a protection against a brute force attack, if you are an admin, setting up email notifications for when you log into your admin account will help you quickly find out if someone other than you has gained access. This will allow you to take immediate action before the hacker changes your user email address and password, locking you out of the site.

  7. Back up your site

    If the worst happens and your website is irretrievably damaged by a brute force attack, having a website backup makes the job of restoring it quick, easy and inexpensive. Without this, companies that rely on their websites could find themselves in difficult circumstances.


Brute force attacks happen every day and, in many cases, companies are unaware that these malicious login attempts are even taking place. Hopefully, the suggestions given here will help keep your website protected against brute force attacks and the damage that they can inflict. For firewall-secured web hosting with free daily backups included, visit our Shared Linux Web Hosting with cPanel page.


Pin It on Pinterest

Share This