
What is a Brute Force Attack?

A brute force attack is a trial-and-error method used by attackers to systematically guess passwords, encryption keys, or other credentials by trying every possible combination until the correct one is found.

WPSentry Team · March 9, 2026 · 5 min read

What is a Brute Force Attack?

A brute force attack is a cryptanalytic and hacking technique that relies on systematically trying all possible combinations of characters until the correct password, key, or credential is discovered. The approach is conceptually simple: rather than exploiting a vulnerability in the system's logic, the attacker exhausts the entire space of possible values through sheer computational persistence. While this method is guaranteed to eventually find the correct answer, its feasibility depends entirely on the length and complexity of the target credential and the computational resources available to the attacker.

Brute force attacks are among the oldest and most straightforward methods of breaking into secured systems. Despite their lack of sophistication, they remain highly effective against weak passwords and poorly configured authentication systems. Modern computing hardware, including GPUs and cloud computing instances, has dramatically increased the speed at which passwords can be tested, making short and simple passwords trivially breakable. A six-character lowercase password can be cracked in seconds, while a truly random twelve-character password with mixed case, numbers, and symbols remains computationally infeasible to brute force with current technology.

Types of Brute Force Attacks

A simple brute force attack tries every possible combination of characters up to a specified length, starting from the shortest. This method is thorough but extremely slow for longer passwords. Dictionary attacks use a predefined list of common passwords, leaked credentials, and commonly used phrases, dramatically reducing the search space since most people choose predictable passwords. These dictionaries are compiled from previous data breaches and can contain billions of real-world passwords.

Credential stuffing is a variant that uses stolen username-password pairs from one data breach to attempt logins on other services, exploiting the widespread habit of password reuse. Hybrid attacks combine dictionary words with brute force modifications, appending numbers, swapping letters for symbols, and adding common suffixes. Reverse brute force attacks start with a known password and try it against a large list of usernames, which is effective when a common password like "password123" is likely used by at least one account in a large user base. Rainbow table attacks use precomputed hash-to-password lookup tables to reverse password hashes rapidly.

Brute Force Attacks Against WordPress

WordPress sites are among the most frequently targeted platforms for brute force attacks due to the platform's popularity and the predictability of its login endpoint at /wp-login.php. Attackers use automated tools to test thousands of password combinations against the WordPress login page, often targeting the default "admin" username. The XML-RPC interface at /xmlrpc.php is another common target because it allows multiple login attempts in a single request through the system.multicall method, significantly accelerating the attack.

Successful brute force attacks against WordPress administrator accounts give attackers complete control over the site, enabling them to inject malware, deface content, steal user data, create backdoor accounts, and use the compromised server for further attacks. The impact extends beyond the individual site: compromised WordPress installations are frequently recruited into botnets and used to launch attacks against other targets, host phishing pages, or distribute malware to the site's visitors.

Detecting Brute Force Attacks

The most obvious indicator of a brute force attack is a sudden spike in failed login attempts from one or more IP addresses. Server access logs will show repeated POST requests to the login endpoint with different credential combinations. Resource consumption may increase as the server processes thousands of authentication requests, potentially degrading performance for legitimate users. Monitoring tools that track authentication failure rates and alert on anomalies are essential for early detection.

More sophisticated brute force attacks attempt to evade detection by distributing attempts across many IP addresses, throttling their request rate to mimic normal traffic patterns, and rotating user agents. These distributed attacks are harder to detect because each individual source generates only a small number of failed attempts. Behavioral analysis that considers patterns across all login attempts rather than focusing on individual IP addresses is necessary to identify these low-and-slow attacks.
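The two detection approaches described above, as an added example that is not part of the original article: a small Python script that pulls failed-login events out of combined-format web server logs and applies both a per-address threshold and an aggregate low-and-slow threshold. The log lines are constructed, and the way failed logins are recognised (HTTP 200 on a rejected POST to /wp-login.php, 302 on success, always 200 from /xmlrpc.php) is an assumption about WordPress behaviour stated in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in combined log format (not real traffic): 203.0.113.7 hammers the
# login form, three 198.51.100.x hosts share a slower attack, 192.0.2.50 logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "curl/8.0"
203.0.113.7 - - [09/Mar/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "curl/8.0"
203.0.113.7 - - [09/Mar/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "curl/8.0"
198.51.100.11 - - [09/Mar/2026:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
198.51.100.12 - - [09/Mar/2026:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.13 - - [09/Mar/2026:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
198.51.100.11 - - [09/Mar/2026:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
198.51.100.12 - - [09/Mar/2026:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
198.51.100.13 - - [09/Mar/2026:10:01:50 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [09/Mar/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

def failed_logins(lines):
    # Assumption: WordPress re-renders wp-login.php with HTTP 200 when a POSTed login is rejected
    # and redirects (302) on success; xmlrpc.php always answers 200 with the fault in the body.
    out = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, ts, method, path, status = m.groups()
        if method == "POST" and status == "200" and path.split("?")[0] in LOGIN_PATHS:
            out.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return out

def _max_in_window(times, window):
    # Largest number of timestamps that fall inside any span of length `window`.
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect(lines, per_ip=3, total=6, window=timedelta(seconds=60)):
    # Returns (addresses that alone exceed `per_ip` failures in one window, and whether the
    # remaining low-and-slow sources together reach `total` failures in one window).
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)
    noisy = sorted(ip for ip, ts in by_ip.items() if _max_in_window(ts, window) >= per_ip)
    quiet = [t for ip, ts in by_ip.items() if ip not in noisy for t in ts]
    return noisy, _max_in_window(quiet, window) >= total
```

On the sample, `detect(SAMPLE_LOG.splitlines())` flags 203.0.113.7 on its own and raises the distributed alert for the three hosts that each stayed under the per-address threshold.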

Preventing Brute Force Attacks

Account lockout policies that temporarily disable an account after a specified number of failed login attempts are a fundamental defense. Rate limiting restricts the number of authentication requests from a single IP address within a given time window. Progressive delays that increase the wait time after each failed attempt slow down automated attacks without significantly impacting legitimate users who occasionally mistype their password. CAPTCHA challenges after repeated failures add a layer of bot detection that most automated tools cannot bypass.

Multi-factor authentication (MFA) is the most effective defense because even if an attacker discovers the correct password through brute force, they cannot access the account without the second authentication factor. For WordPress specifically, changing the default login URL, disabling XML-RPC when not needed, blocking the "admin" username, and using security plugins that provide login attempt limiting and IP blocking dramatically reduce brute force risk. Strong, unique passwords generated by a password manager eliminate the vulnerability at its source by making the password space too large to enumerate.
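The lockout, rate-limiting and progressive-delay controls above, as an added example that is not WordPress core or plugin code: a Python policy object that tracks consecutive failures per account and per source address, grows the delay after each failure, and locks out after a threshold. Keying on the address as well as the account is what also catches the reverse brute force pattern from the types section. The parameter values and the scripted scenario are assumptions chosen for illustration.

```python
from collections import defaultdict

class LoginThrottle:
    # Progressive delay plus temporary lockout, tracked per account AND per source IP.
    # Added example, not WordPress or plugin code; `now` is a caller-supplied unix timestamp.
    def __init__(self, base_delay=1.0, max_delay=60.0, lockout_after=5, lockout_seconds=900):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.last_failure = {}             # key -> time of the latest failure
        self.next_allowed = {}             # key -> earliest time the next attempt is processed

    @staticmethod
    def _keys(user, ip):
        # Per-account counting stops a fast attack on one login; per-IP counting also
        # catches reverse brute force, where one password is tried across many users.
        return (("user", user.lower()), ("ip", ip))

    def wait_seconds(self, user, ip, now):
        # 0 means process the attempt; anything else means reject it and tell the client to wait.
        return max([0.0] + [self.next_allowed.get(k, 0.0) - now for k in self._keys(user, ip)])

    def record(self, user, ip, success, now):
        for key in self._keys(user, ip):
            # Counters expire after a quiet period so a shared NAT address is not penalised forever.
            if now - self.last_failure.get(key, now) > self.lockout_seconds:
                self.failures[key] = 0
            if success:
                if key[0] == "user":           # the owner got in: clear the account counter only
                    self.failures[key] = 0
                    self.next_allowed.pop(key, None)
                continue
            self.failures[key] += 1
            self.last_failure[key] = now
            if self.failures[key] >= self.lockout_after:
                delay = self.lockout_seconds   # threshold reached: full lockout
            else:                              # progressive backoff 1, 2, 4, 8 ... seconds, capped
                delay = min(self.max_delay, self.base_delay * 2 ** (self.failures[key] - 1))
            self.next_allowed[key] = now + delay

def demo():
    # Scripted scenario: an attacker guesses "admin" from one address as fast as the policy
    # allows. Returns the times at which guesses were processed, then the wait imposed on
    # "editor" from the same address and from a different one after the fifth failure.
    t, now, accepted = LoginThrottle(), 0.0, []
    while len(accepted) < 5:
        now += t.wait_seconds("admin", "203.0.113.7", now)   # sit out the imposed delay
        accepted.append(now)
        t.record("admin", "203.0.113.7", success=False, now=now)
    return accepted, t.wait_seconds("editor", "203.0.113.7", now), t.wait_seconds("editor", "198.51.100.9", now)
```

`demo()` shows the guesses being accepted at 0, 1, 3, 7 and 15 seconds as the delay doubles, after which the fifth failure locks both the account and the address for 900 seconds, so a different account from the same address must also wait while the same account name from elsewhere is unaffected.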

Frequently Asked Questions

How long does a brute force attack take?

The time depends on password length, complexity, and the attacker's computing power. A 6-character lowercase password can be cracked in seconds. An 8-character mixed password takes hours to days. A 12-character password with uppercase, lowercase, numbers, and symbols would take centuries with current technology.

What is the difference between brute force and credential stuffing?

Brute force tries all possible password combinations. Credential stuffing uses specific username-password pairs stolen from data breaches at other services, exploiting the fact that many people reuse passwords across multiple accounts.

How do I protect a WordPress site against brute force attacks?

Enable multi-factor authentication, use a strong and unique password, install a security plugin that limits login attempts and blocks offending IPs, disable XML-RPC if not needed, change the default login URL, and avoid using "admin" as your username.
