Originally published at: http://www.sitepoint.com/preventing-brute-force-attacks-against-wordpress-websites/
A ‘brute force’ login attack tries to gain access to a website by guessing the username and password, over and over again. Other kinds of hacks rely on website vulnerabilities, whereas a brute force attack is a simple hit-and-miss method that can be tried on any site.
In this tutorial, we will cover some methods and plugins we can use to prevent brute force attacks against WordPress sites. WordPress is the most popular CMS and is therefore a frequent target of this type of attack.
What’s the Difference Between a Brute Force Attack and a DDoS Attack?
A brute force attack is performed to gain access to someone else’s account on the site, whereas a DDoS attack is usually launched to take a site down (typically by consuming resources). That said, a large-scale brute force attack can also take a site down.
A DDoS attack is usually performed using a bot, whereas a brute force attack can be made using a bot or by a human. Humans can launch more targeted attacks, especially if they know usernames or have other intelligence to narrow down possible credentials.
Neither of these kinds of attack relies on website vulnerabilities, and both can be applied to any website.
WordPress doesn’t have any built-in feature to prevent these two types of attacks. Therefore, it’s your responsibility to prevent them on your own sites.
This tutorial will show you how you can prevent brute force attacks.