The WordPress login form is located at site.com/wp-login.php, and a brute force attacker will send login requests to this address to obtain login credentials.
In the majority of cases, brute-forcers try to guess the password for the most popular usernames: admin, user, author, editor, etc.
Brute-forcers use a list of common passwords to crack the username. For example:
Your website will be hacked if the brute-forcer guesses the combination of username and password.
To protect your website you can:
- Rename/delete commonly used usernames
- Choose a strong password – for example try to avoid using common English words
- Install a plugin to protect your website
By default these brute force attacks are invisible and do not leave any traces.
Once the attackers get the correct username and password pair, they can install malware on your website, add spam links, etc.
In addition, each brute force request loads the whole WordPress website, draining hosting resources.
I created the Silver-Bullet Pro plugin to block brute force attacks in a smart way. The plugin changes the address of the login form and adds an htaccess redirect for the wp-login.php page so that WordPress is not loaded on every brute force request.