Title: Stopping Brute Force Attacks Last modified: August 30, 2016 --- # Stopping Brute Force Attacks * Resolved [AV8NLVR](https://wordpress.org/support/users/av8nlvr/) * (@av8nlvr) * [10 years, 5 months ago](https://wordpress.org/support/topic/stopping-brute-force-attacks/) * I am using the Sucuri plugin and it logs failed login attempts. I see that I am getting a lot of them where it does not show a password. Why is a brute force login being attempted without a password? * Also, how can I stop these brute force attempts? No hackers have gotten in as far as I know but its generating a lot of unnecessary traffic. Can the Sucuri plugin block IP addresses after a certain number of attempts? * [https://wordpress.org/plugins/sucuri-scanner/](https://wordpress.org/plugins/sucuri-scanner/) Viewing 3 replies - 1 through 3 (of 3 total) * [yorman](https://wordpress.org/support/users/yorman/) * (@yorman) * [10 years, 5 months ago](https://wordpress.org/support/topic/stopping-brute-force-attacks/#post-6859309) * Malicious people generally use automated tools to brute-force multiple websites at once, many of them called _“script kiddies”_ just copy or download scripts from the Internet without even knowing what they do and execute them against your site, for example, to get a little bit of more information so they can launch a direct attack. Among the information they can find is a list of valid usernames from existing accounts, so in some cases to know that an account actually exists they do not need to send a password. * Although the reason may be different, this is the first thing that comes to my head when I see login attempts with empty passwords; maybe the attacker forgot to include the password in the script that is using to automate the login, or something along the lines. * The plugin does not blocks any HTTP request by itself, not automatically nor per admin request; you would benefit more from a full featured web application firewall like CloudProxy [1] or check one of these free plugins [2]. * [1] [https://sucuri.net/website-firewall/](https://sucuri.net/website-firewall/) [ 2] [https://wordpress.org/plugins/search.php?q=block+ip](https://wordpress.org/plugins/search.php?q=block+ip) * Thread Starter [AV8NLVR](https://wordpress.org/support/users/av8nlvr/) * (@av8nlvr) * [10 years, 5 months ago](https://wordpress.org/support/topic/stopping-brute-force-attacks/#post-6859313) * That sounds reasonable, trying to get valid usernames so that’s why there is no password on the log. * There is a plugin called Brute Force Login Protection which claims that it can block an IP after a specified number of attempts within a certain time. Do you think this might help? * Thread Starter [AV8NLVR](https://wordpress.org/support/users/av8nlvr/) * (@av8nlvr) * [10 years, 5 months ago](https://wordpress.org/support/topic/stopping-brute-force-attacks/#post-6859424) * Well, I installed that plugin and I think it worked! It notified me that it blocked one IP. I had gotten a couple notifications from the Sucuri plugin of failed login attempts, but apparently when it became a brute force attempt the other plugin stopped it. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Stopping Brute Force Attacks’ is closed to new replies. * ![](https://ps.w.org/sucuri-scanner/assets/icon-256x256.png?rev=2875755) * [Sucuri Security - Auditing, Malware Scanner and Security Hardening](https://wordpress.org/plugins/sucuri-scanner/) * [Frequently Asked Questions](https://wordpress.org/plugins/sucuri-scanner/#faq) * [Support Threads](https://wordpress.org/support/plugin/sucuri-scanner/) * [Active Topics](https://wordpress.org/support/plugin/sucuri-scanner/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/sucuri-scanner/unresolved/) * [Reviews](https://wordpress.org/support/plugin/sucuri-scanner/reviews/) ## Tags * [attempt](https://wordpress.org/support/topic-tag/attempt/) * [Brute](https://wordpress.org/support/topic-tag/brute/) * [force](https://wordpress.org/support/topic-tag/force/) * [login](https://wordpress.org/support/topic-tag/login/) * 3 replies * 2 participants * Last reply from: [AV8NLVR](https://wordpress.org/support/users/av8nlvr/) * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/stopping-brute-force-attacks/#post-6859424) * Status: resolved