This section describes a brute force attack that tries and breaks through WordPress users’ passwords by brute force and how to deal with it.

WordPress does not hide the login ID, so as long as you know the password, you can log in!

WordPress is a CMS that makes it easy to find out the login ID of its administrator. (It is safe to assume that there is no intention to hide it from the beginning.)
For example, you can easily get the administrator’s user ID from the output data by accessing the following URL.

https://site URL/?author=1
https://site URL/blog/wp-json/wp/v2/users

Please use the security features of the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] that can prevent such user IDs from being leaked!

Hackers will use hacking tools to obtain user IDs, and then use software that automatically repeats one login operation after another with commonly used passwords to try to log in as the WordPress administrator.

It is said that 20% of successful WordPress hacks are caused by this brute force attack (also known as a dictionary attack). Brute force attacks can also cause a large number of accesses to the site, slowing down the site and even taking it down.

It is easy to obtain a WordPress ID, brute force attack software, and a list of commonly used passwords.

You can easily find WordPress ID software, brute force attack software, and lists of common passwords (dictionaries) ranging from thousands of versions to tens of thousands of versions.
As an example, here is a list of the top 10 most frequently used passwords

123456
password
12345678
qwerty
123456789
12345
12345678 qwerty 123456789 12345
111111
1234567
dragon

From Wikipedia:10,000 most common passwords

How to prevent brute force attacks?

The following measures can be taken to prevent brute force attacks

↓This measure is mandatory.
Make your password a meaningless string of at least 12 characters including alphanumeric characters, numbers, and symbols.
(You can create a secure password by using the automatic password generation mechanism on the WordPress user editing screen.)

Add a capture of the login screen. Change the login URL. It also prevents excessive access to the xmlrpc.php file, which can be used for brute force attacks.

*Security measures here are available with various security plugins. You can also easily do this with the [ Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

Basic authentication is applied to wp-admin (access to the administration page).

We hope this helps.

Related Posts:

  1. Can a hacker attack on WordPress itself be prevented?
    Our client asked us if we could prevent the attacks themselves, since hackers have not stopped attacking them. Here is an explanation....
  2. Log-in-related security measures alone are not enough to prevent WordPress hacking
    We understand that many sites have installed various security plug-ins to prevent WordPress hacking, but some plug-ins are specialized for the login screen only. These plug-ins do not provide much protection against WordPress hacking. We will explain why....
  3. Passwords that should not be used in WordPress users
    This section describes the types of passwords that should not be used in WordPress....
  4. WordPress outputting user login ID and ID number in JSON issue
    WordPress outputs user login IDs and ID numbers in JSON. Although this is a specification, it may make your site more vulnerable to hackers for security reasons....
  5. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  6. What are the symptoms of a WordPress hack? Here are some of the tampering details of various hackers.
    1 Back door Vulnerabilities, known as backdoors, allow hackers to install hidden entry points on your site to gain access to your WordPress site through the misuse of server privileges. Once the backdoor is exploited, the hacker can access or rewrite all files on the hosting server, or install programs. (This would compromise multiple sites hosted on the same server)....