{"id":2783,"date":"2018-09-06T11:19:49","date_gmt":"2018-09-06T11:19:49","guid":{"rendered":"http:\/\/rh01.co.uk\/?p=2783"},"modified":"2026-01-23T21:11:25","modified_gmt":"2026-01-23T21:11:25","slug":"protecting-password","status":"publish","type":"post","link":"https:\/\/www.20i.com\/blog\/protecting-password\/","title":{"rendered":"Protecting your password from brute-force attacks"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>StackProtect is a <a href=\"https:\/\/www.20i.com\/secure-hosting\">security tool<\/a> from 20i that protects website passwords.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the most common and easy ways to compromise a website is to guess the password for login to its content management system (CMS). For example, <em>\/wp-admin <\/em>for WordPress.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Malware will use trial-and-error to try to guess your password. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It might start by cycling through variants of the most common passwords.&nbsp;This is known as a <strong>dictionary attack<\/strong>: where the code cycles through all the words in a &#8216;password dictionary&#8217;, using common words and passwords that have been used already elsewhere.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"538\" src=\"https:\/\/www.20i.com\/blog\/wp-content\/uploads\/2018\/08\/Common-passwords.png\" alt=\"Most common passwords word cloud.\" class=\"wp-image-2795\" style=\"width:541px;height:538px\" srcset=\"https:\/\/www.20i.com\/blog\/wp-content\/uploads\/2018\/08\/Common-passwords.png 541w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2018\/08\/Common-passwords-150x150.png.webp 150w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2018\/08\/Common-passwords-300x298.png.webp 300w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2018\/08\/Common-passwords-370x368.png.webp 370w, 
https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2018\/08\/Common-passwords-270x269.png.webp 270w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2018\/08\/Common-passwords-302x300.png.webp 302w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s why you should use a unique, secure password: one that is truly random. This makes such passwords difficult to remember &#8211; unfortunately &#8211; but there are password managers that can help with this.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Then there is the traditional <strong>brute force attack<\/strong>, where the code tries every character combination in sequence. Even if your password is random, these types of attacks stand a good chance of guessing it right, given time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How StackProtect protects your password<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">StackProtect monitors requests to common login pages. When a request is made, it looks at a number of things:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Publicly blacklisted domains and IPs<\/li>\n\n\n\n<li>Unusual geographic location (from the IP address)<\/li>\n\n\n\n<li>Previous login attempts from that host<\/li>\n\n\n\n<li>Number of login attempts, and how many websites they&#8217;ve tried to access<\/li>\n\n\n\n<li>Failed logins and previous firewall rule breaking<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">We&#8217;ll apply Google&#8217;s latest reCAPTCHA tests if these criteria are matched. In most cases, this provides a decision as to whether to allow a login or not. 
Brute force attacks will be stopped.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the rare cases where Google&#8217;s tools can&#8217;t make a decision, the user will be presented with a traditional CAPTCHA box like this:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"164\" src=\"https:\/\/www.20i.com\/blog\/wp-content\/uploads\/2018\/08\/newCaptchaAnchor.gif\" alt=\"Google reCAPTCHA\" class=\"wp-image-2800\" style=\"width:308px;height:82px\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The splash page is served before any of the CMS&#8217;s code is executed. It takes place on physically isolated servers, so that malware can&#8217;t access the core data for your site.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This combination of our checks and Google&#8217;s checks stops the brute force script in its tracks. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Brute force attacks happen very, very often. 
For example, in November 2022 we had between 15 and 37 MILLION attacks every day!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1033\" height=\"694\" src=\"https:\/\/www.20i.com\/blog\/wp-content\/uploads\/2022\/11\/Brute-force-attacks-2022.png\" alt=\"Graph showing brute force attacks per day, November 2022\" class=\"wp-image-9960\" srcset=\"https:\/\/www.20i.com\/blog\/wp-content\/uploads\/2022\/11\/Brute-force-attacks-2022.png 1033w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-300x202.png.webp 300w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-768x516.png.webp 768w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-370x249.png.webp 370w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-270x181.png.webp 270w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-570x383.png.webp 570w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-740x497.png.webp 740w, https:\/\/www.20i.com\/blog\/wp-content\/smush-webp\/2022\/11\/Brute-force-attacks-2022-150x101.png.webp 150w\" sizes=\"auto, (max-width: 1033px) 100vw, 1033px\" \/><figcaption class=\"wp-element-caption\">Brute force attacks, November 2022<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s just one of the ways that we help keep you secure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sadly, there are data breaches every day and no one can promise to keep you 100% secure.\u00a0Even so, there are plenty of other ways that you can limit your exposure to harm from cyber criminals. 
We recommend using\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Multi-factor_authentication\">multi-factor authentication<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Security_token\">physical security tokens<\/a> and\/or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Biometrics\">biometric<\/a> methods (like fingerprints and retina scans) where possible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Protecting your passwords is an important part of cyber security, but it\u2019s also important to ensure your site is secure. Read our comprehensive <a href=\"https:\/\/www.20i.com\/blog\/wordpress-security\/\">WordPress Security Guide<\/a> to find out more about how you can prevent and reduce the threat of hackers.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"StackProtect is a security tool from 20i that protects website passwords. One of the most common and easy&hellip;","protected":false},"author":2,"featured_media":17380,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"ub_ctt_via":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"csco_singular_sidebar":"","csco_page_header_type":"","csco_page_load_nextpost":"","footnotes":""},"categories":[288,51],"tags":[78,74,73,76],"class_list":["post-2783","post","type-post","status-publish","format-standard","has-post-thumbnail","category-security","category-technology","tag-brute-force-attacks","tag-passwords","tag-security","tag-wordpress","cs-entry"],"featured_image_src":"https:\/\/www.20i.com\/blog\/wp-content\/uploads\/2025\/10\/Protecting-passwords-from-brute-force-no-title.png","author_info":{"display_name":"Richard 
Chambers","author_link":"https:\/\/www.20i.com\/blog\/author\/richardchambers\/"},"_links":{"self":[{"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/posts\/2783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/comments?post=2783"}],"version-history":[{"count":36,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/posts\/2783\/revisions"}],"predecessor-version":[{"id":18314,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/posts\/2783\/revisions\/18314"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/media\/17380"}],"wp:attachment":[{"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/media?parent=2783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/categories?post=2783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.20i.com\/blog\/wp-json\/wp\/v2\/tags?post=2783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}