7 Strategies to Defend Your Site Against Brute Force Attacks


Can my account be hacked? Is my password “strong” enough?

These are just some of the many questions you’ll keep asking yourself as you create accounts on the internet.

If you’re into cryptocurrencies, you might even be wondering if the blockchain tech can still be hacked despite its improved security measures.

A basic principle to remember is that anything that holds passwords can be vulnerable. Whether it’s an email account, a social media account, or an account you created to join a forum — you can be hacked.

A hacked account and a compromised password are valid fears because password-breaking cyber crimes abound — they are called brute force attacks.

What is a brute force attack?

A brute force attack is an operation that involves continual and consecutive attempts to guess the correct password of an account and break into websites.

The hackers’ aim is to gain illegal access to the targeted site so they can launch another type of attack, steal valuable data, shut the system or website down, or hold the data for ransom.

The method tries different character combinations in usernames and passwords over and over until they are successfully cracked.

A brute force attack is one of the most common and least sophisticated attacks. It is also the simplest way to gain access to a website or any other password-protected server, system, or network.

Hackers use malicious scripts or automated tools such as bots, often planted on compromised computers and websites, to obtain the computing capacity the attack requires.

These automated tools (which, unfortunately, are available online) can perform multiple password guesses in just a few seconds. This increases the hackers’ likelihood of beating a password-based verification system.

Bots and other automated tools can easily creep into these sites and jeopardize their integrity and your business.

And so the question becomes: How can you defend your site from brute force attacks?

These are some of the action steps you can implement.

Lengthen your password

Lengthening your passwords is one of the basic, yet effective, steps to defend your site from brute force attacks.

Various email providers and platforms now require users to create passwords with a specific minimum number of characters — six to eight characters are the most common requirements.

See this example below:

[Screenshot: a sign-up form requiring a strong password with a minimum length]

Remember, the longer your password, the harder it is for your account to be hacked.

Make your password complex

Aside from using a lengthy password, you should also make it complex.

You can do this by requiring your users to use multiple character types when creating their passwords. The passwords can include uppercase and lowercase letters, numbers, and special characters.

For instance, instead of just “facebookpassword,” you can use “f4c3book^P4ssworD$”.

PayPal, for instance, enforces password complexity as a requirement when you set up an account.

[Screenshot: PayPal’s sign-up form requiring a mix of character types in the password]

Just like with long passwords, the more complex it is, the longer it takes the hacker to crack the password successfully.

Enable a two-factor verification system

Two-factor verification is an additional shield to protect your site from brute force attacks.

Aside from the username and password, you can require further verification.

A common verification measure is a unique access code sent to the user via SMS or another e-mail.

The user will then have to input the same code before being able to access the site.
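As an added illustration (not code from the article or from any provider it mentions), here is the server side of the flow just described in Python: issue a one-time code for delivery, keep only its hash, and accept it once, within a short lifetime and a small guess budget, because a six-digit code is itself a brute-force target. The code length, lifetime, attempt limit and in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3    # a 6-digit code has only 1,000,000 values, so cap guesses
SERVER_SECRET = secrets.token_bytes(32)   # example only; load from config in practice

# In-memory store keyed by user id; a real site would use a database or cache.
_pending_codes: dict = {}


def _hash_code(user_id: str, code: str) -> str:
    """Keyed hash so a leaked store does not reveal live codes."""
    msg = f"{user_id}:{code}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh 6-digit code and return it for delivery by SMS or e-mail.
    Only its hash, expiry time and attempt counter are kept server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    _pending_codes[user_id] = {
        "hash": _hash_code(user_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code once, within its lifetime and attempt budget.
    A correct guess, an expired code or a spent budget all remove the entry."""
    now = time.time() if now is None else now
    entry = _pending_codes.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending_codes[user_id]   # expired: the user must request a new code
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["hash"], _hash_code(user_id, submitted))
    if ok or entry["attempts"] >= MAX_CODE_ATTEMPTS:
        del _pending_codes[user_id]   # single use, or too many wrong guesses
    return ok
```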

Here is an example by Yahoo! Mail.

[Screenshot: Yahoo! Mail’s two-factor verification login step]

In the case of Yahoo! Mail, the account holder has the option to turn the two-factor verification setting on.

The email provider requires the user to further verify his identity by typing in a code sent to the phone number previously entered and saved in his account.

Online tools and guides like Nexmo are available to help you set up a two-factor verification system on your site.

[Screenshot: Nexmo’s online two-factor verification service]

Invest in penetration testing

Another effective defense against brute force attacks that you should invest in is penetration testing.

Penetration testing, Bulletproof explains, is a simulation to find and expose vulnerabilities using automated means and manual procedures to give you a general view of your site’s security.

In other words, the tester acts as a hacker to see how penetrable your site is. The tester can then reveal to you the vulnerable areas of your site, and how you can fix them.

You can carry out a penetration test yourself, but doing so involves multiple network scans and investigations that may slow down or crash your computer and disrupt your business.

If you are not completely familiar with the ins and outs of the digital world, you will do well to tap the help of third-party cybersecurity companies.

You should also implement this strategy as frequently as possible. Doing a regular test would be ideal.

Limit the log-in attempts

Limiting a user’s attempts to log in successfully is a powerful defense.

If your site receives, let’s say, five failed attempts to log in, your site should block the IP address for a specific period to temporarily stop any more log-in attempts.

A better, though more complicated, strategy you can also use is progressive delays.

Progressive delays lock a user’s account for a fixed period after a couple of unsuccessful log-in attempts.

With each consecutive unsuccessful attempt, the lock-out time increases.

This strategy makes it impractical for attackers to continue pursuing your site, and effectively stops automated mechanisms from executing brute force attacks.
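An added example (not from the article) of the two mechanisms above in Python: a per-IP throttle that locks after five failed attempts and doubles the lockout on each further failure, resetting on a successful login. The lockout lengths and the in-memory store are assumptions; `attempt_login` shows where the check sits in a login handler.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

FAILURE_THRESHOLD = 5     # failures allowed before the first lockout (as in the text)
BASE_LOCKOUT = 60.0       # length of the first lockout in seconds (assumed value)
MAX_LOCKOUT = 3600.0      # cap so the delay cannot grow without bound (assumed value)

@dataclass
class _Record:
    failures: int = 0
    locked_until: float = 0.0

@dataclass
class LoginThrottle:
    """Per-key (here: client IP) failure tracking with a lockout that doubles
    on every failure past the threshold and resets on a successful login."""
    clock: Callable[[], float] = time.time
    records: Dict[str, _Record] = field(default_factory=dict)

    def seconds_until_allowed(self, key: str) -> float:
        """0.0 if the key may try now, otherwise the seconds left on its lockout."""
        rec = self.records.get(key)
        return 0.0 if rec is None else max(0.0, rec.locked_until - self.clock())

    def record_failure(self, key: str) -> float:
        """Count a failed attempt and return the lockout now in force (seconds)."""
        rec = self.records.setdefault(key, _Record())
        rec.failures += 1
        if rec.failures < FAILURE_THRESHOLD:
            return 0.0
        # 5th failure -> BASE, 6th -> 2*BASE, 7th -> 4*BASE, ... capped at MAX_LOCKOUT
        lockout = min(MAX_LOCKOUT, BASE_LOCKOUT * 2 ** (rec.failures - FAILURE_THRESHOLD))
        rec.locked_until = self.clock() + lockout
        return lockout

    def record_success(self, key: str) -> None:
        """A successful login clears the history for that key."""
        self.records.pop(key, None)

def attempt_login(throttle: LoginThrottle, key: str, password_ok: bool) -> str:
    """Consult the throttle before the credential check, so attempts made
    during a lockout are rejected outright and not counted again."""
    wait = throttle.seconds_until_allowed(key)
    if wait > 0:
        return f"locked ({wait:.0f}s remaining)"
    if password_ok:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "invalid credentials"
```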

Configure account lockout

You can also configure account lockout as another defense against brute force attacks.

After a fixed number of unsuccessful login attempts, a user’s account remains locked out until the administrator unlocks it.

This scenario can be risky, since a cybercriminal can deliberately trigger the lockout on many real accounts. This means more people are victimized by the attack and more burden is laid on the administrator.

Use CAPTCHA

CAPTCHA is short for Completely Automated Public Turing test to tell Computers and Humans Apart.

CAPTCHAs test whether suspicious users are humans or bots by asking them to type in the characters shown in a graphic. Bots cannot read distorted characters.

Challenge response tests are also a form of CAPTCHA that asks the user to verify specific kinds of images or solve a math problem.

They block bots and spammers from implementing automated scripts commonly used in performing brute force attacks.

You can set up a CAPTCHA system in your site through tools like reCAPTCHA by Google.

[Screenshot: Google reCAPTCHA setup page]

Google then guides you through the various kinds of CAPTCHA systems to verify users that access your site.
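An added example, not the article’s or Google’s own code, of the server-side half of a reCAPTCHA deployment in Python: the token the widget places in the form field `g-recaptcha-response` is sent to Google’s siteverify endpoint, and the reply is trusted only if it reports success for our own hostname. The `post` parameter lets the transport be swapped out for testing; the secret and hostname values are placeholders.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post_form(url: str, fields: dict) -> dict:
    """Default transport: POST the form fields and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(secret: str, token: str, expected_hostname: str,
                     remote_ip: Optional[str] = None,
                     post: Callable[[str, dict], dict] = _post_form) -> bool:
    """Return True only if Google confirms the token and it was solved on our
    own hostname. An empty token (form submitted without solving) fails fast."""
    if not token:
        return False
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(VERIFY_URL, fields)
    except (OSError, ValueError):
        return False            # network or decode failure: treat as not verified
    if reply.get("success") is not True:
        return False
    # A token solved on someone else's site must not be accepted here.
    return reply.get("hostname") == expected_hostname
```

The secret must stay on the server; only the public site key belongs in the page markup.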

While CAPTCHAs and challenge response tests are effective, they also hamper the users’ experience while on your website.

Be very strategic with how you use these. Do not subject your users (blindly) to two or more security steps when one suffices. Otherwise, they might just click away from your site.


It’s important to ensure you apply these strategies to defend your website against brute force attacks. When you apply these strategies, you’ll be well on your way to further securing your customers’ data and your business.

Have you applied any of these strategies into your website? Please take the time to share your experience by adding them in the comments section below. Cheers!
