What is a Brute Force Attack and how to block it

Brute force is a method of guessing your password by trying combinations of letters, numbers and symbols. Some brute-force attacks use dictionaries of commonly used passwords, words, etc. in order to speed up the process of guessing users' passwords.

The first thing you need to do in order to protect yourself from such attacks is to choose an appropriate username and password. Avoid common usernames such as admin, administrator or superuser. Make your password as complex as possible and include numbers, special characters, upper-case and lower-case letters. There are free generators that create long and strong passwords for you to use.

If you have trouble remembering long passwords, you can use a password vault such as LastPass.

If you detect that someone has launched a brute-force attack against your site (such attacks generate a huge number of failed login attempts in your log), you can block the attacker's IP address from accessing your site completely. To do that, simply add the following line to your .htaccess file:

deny from 123.123.123.123

Replace 123.123.123.123 with the actual IP address of the hacker. In addition, you should restrict the admin areas of your site to your own IP address only. This is good practice even if there is no attack against your site. The .htaccess rules you need to place in those folders are:

deny from all
allow from 222.222.222.222 

Replace 222.222.222.222 with your IP address. To find out what your IP address is, you can use one of the many sites that provide this information, such as whatismyip.com.
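
One way to find the addresses behind a flood of failed logins and turn them into the deny lines shown above. This is an added example, not code from this article or from the hosting provider. It assumes an Apache "combined" access log, a login form at /login, and an application that answers a failed login with HTTP 401 or 403; the log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the article): Apache "combined" log format, a login
# form at /login, and an application that answers a failed login with 401/403.
LOGIN_PATH = "/login"
FAIL_STATUSES = {"401", "403"}
THRESHOLD = 5                      # failed attempts before an IP is listed
ALLOWLIST = {"222.222.222.222"}    # your own address, never blocked

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log, not real traffic.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /login HTTP/1.1" 401 512 "-" "-"' % s
     for s in range(8)]
    + ['198.51.100.4 - - [10/Oct/2023:13:56:%02d +0000] "POST /login HTTP/1.1" 401 512 "-" "-"' % s
       for s in range(2)]
    + ['222.222.222.222 - - [10/Oct/2023:13:57:%02d +0000] "POST /login HTTP/1.1" 401 512 "-" "-"' % s
       for s in range(6)]
    + ['198.51.100.4 - - [10/Oct/2023:13:58:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"']
)

def failed_logins(lines):
    """Count failed login POSTs per client IP address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != LOGIN_PATH or status not in FAIL_STATUSES:
            continue
        try:
            ipaddress.ip_address(client)   # skip hostnames and malformed fields
        except ValueError:
            continue
        counts[client] += 1
    return counts

def deny_rules(lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return .htaccess 'deny from' lines for IPs at or above the threshold."""
    counts = failed_logins(lines)
    return ["deny from %s" % ip for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowlist]

if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE_LOG)))
```

Review the output before pasting it into .htaccess, since a single address can be shared by many legitimate visitors behind the same network.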


If you detect that someone has launched a brute-force attack against your site, please contact our Support team.
