The name sounds dramatic, but brute force attacks are not sophisticated. They are blunt - and that is precisely what makes them effective against weak defences. An automated script tries one password combination after another, thousands of times per minute, until it finds one that works or gets blocked.
Your WordPress login page, your cPanel, your SSH access - all of these are targets. Every day, every hour. If your server has a public IP address, it is being probed right now.
How Brute Force Attacks Work
The basic mechanic is simple: an attacker (or more often, a bot network) submits repeated login attempts using a list of common username and password combinations. These lists are enormous - billions of entries compiled from previous data breaches are freely available online.
There are a few variations:
Dictionary attacks use a list of common passwords (password, 123456, qwerty, your business name, etc.) rather than random character combinations.
Credential stuffing uses actual username and password pairs leaked from other breaches. If you reuse passwords across sites, this is how attackers get in - they do not need to guess.
Distributed brute force spreads the attack across thousands of IP addresses (often a botnet of compromised machines) to avoid IP-based blocks.
The tools used are freely available and require no technical expertise to operate. Hydra, Medusa, and Burp Suite are common examples. The barrier to running one of these attacks is essentially zero.
What They Target
WordPress login pages. Because WordPress powers over 40% of the web and everyone knows where the default login URL is, it is an obvious target. Thousands of attempts per day against /wp-login.php are normal for any established site.
SSH (port 22). If your server runs SSH and it is open to the internet on the default port, your auth logs are full of failed attempts. Check /var/log/auth.log on a Linux server and you will see it.
cPanel and web hosting control panels. These are high-value targets because compromising them gives an attacker access to everything - files, databases, email, DNS settings.
Email servers. SMTP brute force is used to gain access to email accounts and then abuse them for spam sending.
Layered Defences That Actually Work
No single measure is enough. Effective protection stacks multiple layers.
Strong, unique passwords. A 16-character random password takes centuries to crack by brute force. A password manager makes this practical. This is the single most important step.
Never use "admin" as your username. This is the first username every attack tries. Any other username reduces your attack surface dramatically.
Limit login attempts. Tools like the Limit Login Attempts Reloaded plugin (WordPress) or fail2ban (server level) automatically block IP addresses after a set number of failed attempts. This turns brute force from any single address into a non-starter.
Two-factor authentication (2FA). Even if an attacker correctly guesses your password, 2FA stops them. They need your phone too. Enable 2FA on WordPress, cPanel, and any other control panel you use.
Change default login URLs. Moving your WordPress login away from /wp-login.php and your SSH away from port 22 eliminates a huge percentage of automated attacks that simply do not look further.
Firewall rules. At the server level, tools like ConfigServer Security and Firewall (CSF) or cloud-based WAFs (Web Application Firewalls) can identify and block attack patterns before they reach your application.
SSH key authentication. For server access, disable password authentication entirely and require SSH keys. A key pair cannot be brute forced in any practical sense.
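The auth.log check and the attempt limit described above, as an added example that is not part of the original article: it counts failed SSH password attempts per source IP in a sliding window and lists the usernames each source tried. The log lines are constructed, and max_retry, find_time and the assumed year are illustrative parameters, not fail2ban's own settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the usual OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Mar 10 03:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 10 03:14:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar 10 03:14:05 web1 sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Mar 10 03:14:09 web1 sshd[2103]: Failed password for root from 198.51.100.23 port 51800 ssh2
Mar 10 03:14:11 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Mar 10 03:14:12 web1 sshd[2105]: Accepted publickey for deploy from 192.0.2.50 port 60022 ssh2
Mar 10 03:14:15 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar 10 03:40:00 web1 sshd[2110]: Failed password for root from 198.51.100.23 port 51990 ssh2
Mar 10 04:10:00 web1 sshd[2111]: Failed password for root from 198.51.100.23 port 52010 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failures(log_text, year=2024):
    """Yield (time, user, ip) per failed attempt; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_offenders(log_text, max_retry=5, find_time=timedelta(minutes=10)):
    """Map each IP to the time it first hit max_retry failures within find_time."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for ts, _user, ip in failures(log_text):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders.setdefault(ip, ts)
    return offenders

def usernames_tried(log_text):
    """Map each IP to the sorted usernames it failed to log in as."""
    users = defaultdict(set)
    for _ts, user, ip in failures(log_text):
        users[ip].add(user)
    return {ip: sorted(names) for ip, names in users.items()}
```

With the defaults only 203.0.113.7 is flagged; the slower source at 198.51.100.23 stays under the limit unless the window is widened, which is why attempt limits work as one layer among several.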
The Reality of Running a Public Server
If your site is live on the internet, you will see brute force attempts. That is not a sign something is wrong - it is just the reality of operating a public server. The goal is not to make attacks impossible (you cannot), but to make them unsuccessful and low-impact.
With the right layers in place, brute force attacks become background noise. Your server blocks them automatically, your logs record them, and your site stays up and secure while the bots move on to easier targets.
dotCanada hosting plans include server-level firewall protection and DDoS mitigation. Pair that with good password hygiene and 2FA, and you have serious protection against brute force attacks.

