{"id":13545,"date":"2021-08-07T06:10:52","date_gmt":"2021-08-07T06:10:52","guid":{"rendered":"https:\/\/ded9.com\/?p=13545"},"modified":"2025-11-11T10:28:21","modified_gmt":"2025-11-11T10:28:21","slug":"what-are-brute-force-attacks-and-how-should-they-be-prevented","status":"publish","type":"post","link":"https:\/\/ded9.com\/de\/what-are-brute-force-attacks-and-how-should-they-be-prevented\/","title":{"rendered":"What Are Brute Force Attacks and How Should They Be Prevented"},"content":{"rendered":"<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Unlike other cyber attacks, such as DDoS and XSS attacks, Brute Force attacks have nothing to do with a website&#8217;s vulnerabilities. They target users with weak usernames and passwords. In this article, we will become more familiar with this type of attack and introduce methods to prevent it.<\/span><\/span><\/p>\n<h2><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">What is a brute force attack?<\/span><\/span><\/h2>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Brute-force attacks occur when a hacker, with great effort and testing of a large number of usernames and passwords, targets the account of a person or persons. Hackers in brute-force attacks usually try many passwords in the hope that one of them will eventually be correct. 
This attack is like trying every possible combination on a lock, except that hackers try the combinations on a much larger scale.<\/span><\/span><\/p>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Passwords are not the only resources at risk of brute-force attacks; cybercriminals also brute-force links, directories, usernames, and email addresses.<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">The targets of brute force attacks<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Brute-force attacks aim to gain access to information and resources that are restricted to other users. They can target an admin account, encrypted pages, or emails registered on a website.<\/span><\/span><\/p>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">In fact, compromising a real account threatens the entire website&#8217;s security, and hackers can use the site as part of their infected network (botnet).<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">How brute force attacks work<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">The most common type of brute force attack is a dictionary attack, which uses a list of credentials: the hacker tries to access a website admin account using 
common usernames and passwords. Dictionary attacks usually start with the simplest credentials, such as username: Admin and password: 123456, and try more complex ones over time.<\/span><\/span><\/p>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Knowing the typical pattern is very important in identifying brute-force attacks. For example, if you notice that someone is repeatedly trying to log in to a specific account, it is very likely that they are running a brute-force attack.<\/span><\/span><\/p>\n<h4><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Other signs of a brute force attack include:<\/span><\/span><\/h4>\n<ul>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">A single IP address fails to log in to an account after several attempts.<\/span><\/span><\/li>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Multiple IP addresses fail to log in to the same account after several attempts.<\/span><\/span><\/li>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Multiple IP addresses fail to log in to your account within a short period.<\/span><\/span><\/li>\n<\/ul>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Sometimes, hackers use brute force attacks to add compromised accounts to a botnet for use in DDoS attacks. 
In addition, by taking over the admin account of a website, brute force hackers can perform tasks such as posting spam, spreading malware, and phishing users&#8217; bank accounts.<\/span><\/span><\/p>\n<h2><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Types of Brute Force Attacks<\/span><\/span><\/h2>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Brute force generally means trying all possible combinations to access an account. Hackers use different variants of the attack to increase their chances of success; the most common are as follows:<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">1- Simple brute force<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">In simple brute force attacks, a hacker can use several methods, such as trying out every possible password. 
This type of attack is usually carried out against local files, because there is no login-attempt restriction in that setting, and most such attacks are successful.<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">2- Dictionary attacks<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">In this type of attack, instead of trying random options, the hacker prepares a comprehensive list of words and passwords and tries every entry in it to access the user&#8217;s account. Using a comprehensive list increases the hacker&#8217;s chances of succeeding, but dictionary attacks generally require a lot of time and effort.<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">3- Brute force hybrid attack<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">In a hybrid attack, the hacker combines the dictionary method with simple brute force. Instead of trying every possible password, the hacker modifies or varies the words in the dictionary. 
For example, a hacker appends digits to the words in the dictionary list or varies uppercase and lowercase letters.<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">4- Reuse of user credentials<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Data and personal information leaks are very prevalent in today&#8217;s world. Using one password for multiple accounts puts the security of all those accounts at risk. The chances of success in this attack are very low and often depend on how much data (usernames and passwords) was exposed in the leak.<\/span><\/span><\/p>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Hackers use stolen credentials to try to access people&#8217;s other accounts. If you suspect that your information has been leaked on the Internet, you should immediately change the passwords and usernames of your other accounts.<\/span><\/span><\/p>\n<h2><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">How to prevent Brute force attacks<\/span><\/span><\/h2>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Since brute force attacks do not exploit a weakness or vulnerability in software, keeping software up to date is not enough to protect users. 
You can, however, improve your security against brute force attacks by following these tips:<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">1- Use a strong password<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Weak passwords give brute-force attacks a better chance of succeeding. So choose a strong password for your account that has the following features:<\/span><\/span><\/p>\n<ul>\n<li><strong><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Unique password<\/span><\/span><\/strong><\/li>\n<\/ul>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">You must avoid reusing passwords; otherwise, one leaked password compromises the security of every account that shares it. In other words, hackers can use a reused username and password to compromise your other accounts on various websites and applications.<\/span><\/span><\/p>\n<ul>\n<li><strong><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Long password<\/span><\/span><\/strong><\/li>\n<\/ul>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">The longer the password, the more guesses a hacker needs to find it. 
Therefore, longer passwords are not easily cracked.<\/span><\/span><\/p>\n<ul>\n<li><strong><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Unpredictable password<\/span><\/span><\/strong><\/li>\n<\/ul>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">People often build passwords from information such as their name or hometown so that they are easy to remember. In that case, anyone who knows this information can easily guess your password and log in to your user accounts. Common choices, such as 123456 and other widely used passwords, are easy for cyber thieves to crack.<\/span><\/span><\/p>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">By following the above tips, you will greatly strengthen the security of your account against brute force attacks. Password recovery questions must follow the same rules: even if your password is strong, a hacker can easily reset it by answering the recovery questions. So always choose account recovery questions and answers that no one else knows.<\/span><\/span><\/p>\n<h3><strong><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">2- Restrict access to authentication URLs<\/span><\/span><\/strong><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">The basic precondition for a brute force attack is being able to submit credentials to the login page. If you change the URL of the login page, most automated attack tools will stop working. 
Unfortunately, if the link is visible on the page or the hacker can guess it, this measure has little effect on the attack. (This is especially important on WordPress websites: be sure to change the default admin dashboard address, wp-login, to a custom address that is also unpredictable.)<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">3- Limit the number of login attempts<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Brute force attacks work by trying countless passwords and accounts. If you allow only a specific number of login attempts per user, the hacker cannot try more than a few passwords in a given period. One common way to restrict logins is to temporarily block an IP address that has failed to log in 5 times. (If your website runs WordPress, you can easily apply these restrictions with security plugins like <a href=\"https:\/\/www.wordfence.com\/\" target=\"_blank\" rel=\"noopener\">Wordfence<\/a>.)<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">4- Using CAPTCHA codes<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">A CAPTCHA is the best way to deal with bots and automated malicious tools: it challenges visitors to prove they are human before logging in. Because CAPTCHA codes are designed for humans, malicious bots cannot easily bypass them. 
Automated brute force attacks are therefore blocked at this point.<\/span><\/span><\/p>\n<h3><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">5- Using Two-Factor Authentication<\/span><\/span><\/h3>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"fa\" data-phrase-index=\"0\">Two-factor authentication adds another layer of security to the login process. After entering the username and password, users must also enter a code sent to their email or phone number, or a one-time code generated by an authenticator app (such as <a href=\"https:\/\/ded9.com\/what-is-google-authenticator-and-how-can-it-be-used\/\">Google Authenticator<\/a>), to log in. In other words, hackers who obtain your username and password in any way still cannot enter your account without passing the second authentication step.<\/span><\/span><\/p>\n<h2>FAQ<\/h2>\n<div id=\"rank-math-rich-snippet-wrapper\"><div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-1\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">What is a brute\u2011force attack?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>A brute\u2011force attack is a method in which an attacker uses trial\u2011and\u2011error (often automated) to systematically try many possible username\/password combinations or encryption keys until finding a valid one.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-2\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Why are brute\u2011force attacks still a threat?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>They remain a threat because many systems still rely on weak or reused passwords, lack effective rate\u2011limiting or automated blocking, and attackers can leverage powerful bots or distributed networks to scale attempts 
quickly.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-3\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">How can you prevent brute\u2011force attacks effectively?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Preventive measures include:<\/p>\n<ul>\n<li>Enforcing strong, unique passwords with complexity and length.<\/li>\n<li>Implementing account lockout or rate\u2011limiting after multiple failed attempts.<\/li>\n<li>Enabling multi\u2011factor authentication (MFA) to block access even if the password is guessed.<\/li>\n<li>Adding CAPTCHA or other bot\u2011detection controls on login forms.<\/li>\n<li>Monitoring for abnormal login attempt patterns (e.g., many failures from one IP) and blocking accordingly.<\/li>\n<\/ul>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Unlike other cyber attacks, such as DDoS and XSS attacks, Brute Force attacks have nothing to do with a website&#8217;s vulnerabilities. They target users with weak usernames and passwords. In this article, we will become more familiar with this type of attack and introduce methods to prevent it. What is a brute force attack? 
Brute-force [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":13547,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[115],"tags":[2347,199,489,2348],"class_list":["post-13545","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-ddos","tag-malware","tag-two-factor-authentication","tag-xss"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts\/13545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/comments?post=13545"}],"version-history":[{"count":3,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts\/13545\/revisions"}],"predecessor-version":[{"id":265254,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts\/13545\/revisions\/265254"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/media\/13547"}],"wp:attachment":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/media?parent=13545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/categories?post=13545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/tags?post=13545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}