What Is Brute Force Attack & How to Defend Your Site Against It?

What Is Brute Force Attack & How to Defend Your Site Against It?

Brute force attack is a kind of attack aiming at access to a target website by guessing usernames and passwords over and over again. This is a simple but rather effective method that can be used on any site, especially for those sites with weak login security. If your website is under such an attack, it will suffer serious performance problems as a result of a large number of traffic coming in and excessive usage of the server memory.
It's easy to detect such attack, yet it's not that easy to prevent it. It can be annoying when confronting such an issue, but there is still something you can do to defend your site against it.  Now, use the following methods to defend your site against it.

Use Strong Username and Password

By default, the username of an account is "admin", and the password of it may be set as "12345678" or something like this. Such login information is easily guessed by hackers. If such kind of thing happens, your site will suffer a great loss. Therefore, never be too lazy to think out a strong username and password. 
You'd better not use a name that others are familiar with and easy to guess, and make sure to use a long and complex password combined with upper letters, lower letters, numbers and special characters, etc. Besides, remember not to include the name of company or site in it. In addition, if there are several administrators working on your site, you should ask them enhance their login information as well.

Lock Out Accounts

One easy way to prevent brute force attacks is to lock out accounts after certain number of attempts with incorrect passwords. Account lockouts can be set to last some time or remain locked until an administrator unlocks them. However, it is not that effective in some cases, especially when attackers intentionally try to lock out many of your user accounts.

Show Vague Error Messages

Sometimes, attackers may find out the correct usernames and passwords with the error response. Generally, if there is a login failure, it usually comes with an error response indicating whether it is a problem caused by invalid username or a false password. Thus, attackers can adjust information and keep trying finding out the valid one. Hence, you only need to present an error message prompting that the information is incorrect, instead of other specific or detailed information.

Set Pauses in Password Checking

Setting pauses between the attempts of trying various passwords for the same user account can effectively lower the intensity of brute force attacks. The interval can be set 30 seconds or longer. Don't worry too much, because this won't affect most real users when they try to log in their accounts of your site, but prevents attackers from accessing to your website within a short time.

Require a CAPTCHA for Authentication

Require a CAPTCHA for authenticationRequiring a CAPTCHA is an effective way to recognize real human beings and prevent automated requests that comes from computers or other devices. Once you add a setting that requires a CAPTCHA on the login page, only those real users can access to the site successfully and thus effectively prevent brute attackers from breaking into your website. Note that the CAPTCHA you set should be numbers or words instead of simple choices.

Customize Secret Questions for Failed Logins

In order to enhance the security of users' accounts, you can ask all users to customize several questions and set corresponding answers that only they themselves know. Sometimes, there are failed login attempts for a certain user and right login information is obtained, in this case, not only correct username and password are necessary, but also right answers to the secret questions are needed, or they cannot get further authentication. 

Limit IP Addresses

If you're the only one who can reach to the web server, you can block the IP addresses that have multiple failed login attempts. For better security, you can give only a certain fixed number of IP addresses access to the login section of your site if the website is under the management of multiple people.


With so many methods you know, there is no need to adopt all the mentioned methods on your site, but you can still pick up some of them to strengthen the security of your login section and prevent brute attacks. Above all, a strong username and password is necessarily required.
Related Articles