Robert Spangler

UI/UX designer & front-end developer


Preventing Brute Force Attacks

Photo credit:

One of the most common methods that hackers use to get into your site is a brute-force attack. A brute-force attack essentially means that hackers are setting up bots to slam your login form, usually with a dictionary of common username/password combinations.

ColossusThis is not a WordPress problem, but a website problem. WordPress has a reputation for being less secure, but in reality a lot of this is because WordPress is ~16% of the web. Meaning all of the sites out there with username “admin” and password “bieberfever” aren’t going to make it long before they get broken into. And, depending on your host, once a site is broken into it’s not long before others on the same server get broken into as well. The web can be a scary place.

Choose your username wisely

Treat your username like your password, keep it to yourself. If you’re on WordPress the easiest change for you to do is change your Admin username from “admin” to something unique. We run a lot of high traffic websites on WordPress and always do our best to secure the login. I thought I’d share some of the most common usernames I see coming through brute-force attacks. This way you know not to use them.

Most common usernames I see that bots are using

  • admin
  • adminadmin
  • administrator
  • support
  • root
  • moderator (added 6/19/2013)
  • manager (added 6/19/2013)

Don’t use a password, use a passphrase

Passwords are easy to hack, really easy. More than likely, if you’re using a one-word password it’s in a dictionary that hackers are using to brute-force into sites. Use something long and ridiculous  such as: dinosaurfiremoose. You can throw in some numbers and symbols if you’d like. Required reading:

Block the bots

Use a plugin to help secure your login page. Typically these plugins will look for several failed login-attempts in a short amount of time and slowdown or block the potential intruder’s IP address. These attempts are obviously not coming from a person genuinely trying to login.

Here are a few plugins that provide this protection

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

About Robert

I work with clients ranging from local small businesses and non-profits to large Fortune 500 companies.

If you think I'm the right guy for your project, please feel free to give me a shout.

I am a full-time freelance website designer and front-end developer from Baltimore, Maryland, currently living in Nairobi, Kenya.

I design and code for user experience on the web with special attention on mobile devices. I come from a background in eCommerce and lead generation, which I'm very good at. I spend most of my time personalizing and creating customized WordPress themes for clients. Other than designing websites I spend time with family, study, occasionally tweet, and rarely +.