For those who don’t know what brute force is: it is a technique for finding a password by repeated attempts. An attacker who wants to find your password will write a script that automatically tries to log in with every possible password.

How hard is this to pull off? Depending on the password and the set of possible characters, it may take some time; it also depends on your server’s response time and the length of the password.

However, the long time required to find a password through brute force won’t discourage people looking for some fun or wanting to spam your website with hundreds of links. The code required to try a password is very light, and today we have very fast devices that shorten the waiting time. Moreover, they can simply run the script against a website and then wait until it finishes its tests and sends the password straight to their e-mail account.

They can also run the script from several computers to split up the work. And what makes this kind of attack really effective is passwords made up of dictionary words: the algorithm is far faster if it can simply take words from a dictionary and test them as your password.

Change Admin default username

This is the most obvious one. Since most WordPress websites have their main administrator user set to the default ‘admin’, the scripts are already built with this in mind, and someone with very little technical knowledge can run one against your website without changing a line of code.

This no longer applies if you are installing a new WordPress website, since you are asked to enter the admin username you want. But if you already have a website with the ‘admin’ username, you should change it. Having the same admin username on every WordPress website on the internet makes hackers’ lives easier.

Install an Auth Locker plugin

What WordPress security lacks is protection against repeated login attempts. By default you can try as many times as you want without any problem. But, for security reasons, all webmasters are advised to let people try a password at most 5-10 times per hour. That way brute force is practically inapplicable to your website. However, on a website built on a platform you should make sure there are no other entry points to your blog where this check can be skipped, for example the Atom publishing feature in WordPress.

There are plugins that do the work for you. For example, the User Locker plugin allows a maximum of 5 tries. After 5 failed attempts the user is locked out and can use the forgot-password page, which generates a new password.
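As an added example (not from this post and not the User Locker plugin’s own code), here is a minimal version of the lockout policy described above, written in Python: failed attempts are counted per username in a sliding one-hour window, the account is refused once five of them have accumulated, and every login path (the normal login form and an Atom/XML-RPC style endpoint alike) goes through the same check, so none of them can skip it. The user store, salt and password are constructed for the example only.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Policy from the post: at most 5 failed attempts per hour before the account locks.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 3600


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed by username (or client IP)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window_seconds=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        # Drop failures that fell out of the window; return the live queue.
        q = self._failures[key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def is_locked(self, key, now):
        return len(self._prune(key, now)) >= self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def record_success(self, key):
        # A correct password clears the counter for that account.
        self._failures.pop(key, None)

    def remaining(self, key, now):
        return max(0, self.max_attempts - len(self._prune(key, now)))


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: this salt and password exist only for the example.
_SALT = b"example-salt-not-for-production"
USERS = {"editor": _hash_password("correct horse battery staple", _SALT)}

throttle = LoginThrottle()


def authenticate(username, password, now):
    """Single check shared by every entry point. Returns 'ok', 'locked' or 'denied'."""
    # Refuse before looking at the password: a locked account must not leak
    # whether the guess was right, so a lockout cannot be used as a password oracle.
    if throttle.is_locked(username, now):
        return "locked"
    stored = USERS.get(username)
    candidate = _hash_password(password, _SALT)  # hash even for unknown users (same timing)
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "denied"


# Two hypothetical entry points. Both funnel through the same authenticate(),
# which is the point the post makes about Atom/XML-RPC: a limiter that only
# guards the login form leaves the other doors open.
def wp_login_form(username, password, now):
    return authenticate(username, password, now)


def xmlrpc_login(username, password, now):
    return authenticate(username, password, now)


if __name__ == "__main__":
    t = 1000
    for i in range(5):
        print(wp_login_form("editor", "guess%d" % i, t + i))   # denied x5
    print(xmlrpc_login("editor", "correct horse battery staple", t + 10))  # locked
    print(wp_login_form("editor", "correct horse battery staple", t + 3700))  # ok
```

The `now` parameter is injected rather than read from the clock so the behaviour is reproducible; a real deployment would key the counter on both username and source address and keep it in shared storage so that all web workers see the same count.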