This section describes brute force attacks, which try to break WordPress users’ passwords by repeated guessing, and how to deal with them.

WordPress does not hide the login ID, so as long as you know the password, you can log in!

WordPress is a CMS that makes it easy to find out the login ID of its administrator. (It is safe to assume that hiding it was never intended in the first place.)
For example, you can easily get the administrator’s user ID from the output returned by the following URLs:

https://site URL/?author=1
https://site URL/blog/wp-json/wp/v2/users

Please use the security features of the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] that can prevent such user IDs from being leaked!

Hackers use hacking tools to obtain user IDs, and then use software that automatically repeats login attempts with commonly used passwords to try to log in as the WordPress administrator.

It is said that 20% of successful WordPress hacks are caused by this brute force attack (also known as a dictionary attack). Brute force attacks can also cause a large number of accesses to the site, slowing down the site and even taking it down.

It is easy to obtain a WordPress ID, brute force attack software, and a list of commonly used passwords.

Software for obtaining WordPress IDs, brute force attack software, and lists of common passwords (dictionaries) ranging from thousands to tens of thousands of entries are all easy to find.
As an example, here is a list of the top 10 most frequently used passwords:

123456
password
12345678
qwerty
123456789
12345
111111
1234567
dragon

From Wikipedia:10,000 most common passwords

How to prevent brute force attacks?

The following measures can be taken to prevent brute force attacks:

↓This measure is mandatory.
Make your password a meaningless string of at least 12 characters including letters, numbers, and symbols.
(You can create a secure password by using the automatic password generation mechanism on the WordPress user editing screen.)

Add a CAPTCHA to the login screen. Change the login URL. Also prevent excessive access to the xmlrpc.php file, which can be used for brute force attacks.

*The security measures here are available with various security plugins. You can also easily do this with the [Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

Apply Basic authentication to wp-admin (access to the administration page).
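To see whether a site is already receiving the activity described above, the following added example (not part of the original article or of any plugin it mentions) scans web server access log lines for user ID lookups via `?author=` and `/wp-json/wp/v2/users`, and for repeated POSTs to `wp-login.php` and `xmlrpc.php`. The common/combined log format, the threshold of 5, the function names and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(method, target, status):
    """Map one request to an event type from the article, or None."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if "author" in parse_qs(parts.query) or path.endswith("/wp-json/wp/v2/users"):
        return "user_enum"            # /?author=1 or the REST user listing
    if method != "POST":
        return None
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc_post"
    if path.endswith("/wp-login.php"):
        # Assumption: stock WordPress answers a failed login with 200
        # and a successful one with a 302 redirect.
        return "login_ok" if status == "302" else "login_fail"
    return None

def scan(lines, threshold=5):
    """Return {ip: counts} for IPs that probed user IDs or reached
    `threshold` failed-login/xmlrpc POSTs (threshold is an assumed value)."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines that do not parse are skipped
            ip, method, target, status = m.groups()
            event = classify(method, target, status)
            if event:
                per_ip[ip][event] += 1
    return {ip: dict(c) for ip, c in per_ip.items()
            if c["user_enum"] or c["login_fail"] + c["xmlrpc_post"] >= threshold}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = (
    ['203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0']
    + ['203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321'] * 6
    + ['203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
    + ['198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'] * 5
    + ['192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE).items():
        print(ip, counts)
```

An IP that shows `login_ok` alongside many `login_fail` entries deserves immediate attention, since it suggests a password was guessed; change that account's password and review its recent activity.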

We hope this helps.