Brute force attacks use the simplest method of gaining access to a site: guessing usernames and passwords, over and over again, until a guess succeeds. WordPress sites are susceptible to this form of attack by default because the system allows users unlimited login attempts.
A WordPress security plugin such as iThemes Security provides brute force protection by letting you customize login limits. The host or user is banned once the specified bad login threshold has been reached.
iThemes Security uses two different methods of WordPress brute force protection: local and network.
- Local brute force protection looks only at attempts to access your site. Users are banned per the lockout rules specified locally on your WordPress site.
- Network brute force protection takes it a step further by banning users who have tried to break into other sites from also breaking into yours.
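
The two methods can be modelled in a few lines. The sketch below is an added example, not iThemes Security's code: the `LoginLimiter` class, its thresholds, and the sample addresses are assumptions chosen for illustration. It counts failed logins per host inside a time window, applies a local lockout once the threshold is reached, and checks a shared ban list before any password is evaluated.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Illustrative model (hypothetical names): per-host lockout plus a shared ban list."""

    def __init__(self, max_failures=5, window=300, lockout=900, network_bans=None):
        self.max_failures = max_failures   # bad logins tolerated inside the window
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds a local ban lasts
        # Hosts reported by other sites; a real deployment would sync this from a service.
        self.network_bans = network_bans if network_bans is not None else set()
        self._failures = defaultdict(deque)  # host -> timestamps of recent failures
        self._banned_until = {}              # host -> time the local ban expires

    def blocked_by(self, host, now):
        """Return 'network', 'local' or None for a host at time `now` (seconds)."""
        if host in self.network_bans:
            return "network"
        if self._banned_until.get(host, 0) > now:
            return "local"
        return None

    def attempt(self, host, password_ok, now):
        """Process one login attempt; the ban check runs before the password check."""
        reason = self.blocked_by(host, now)
        if reason:
            return f"blocked ({reason})"
        if password_ok:
            return "ok"
        recent = self._failures[host]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:    # threshold reached: start the lockout
            self._banned_until[host] = now + self.lockout
            recent.clear()
        return "failed"


def demo():
    """Constructed events; addresses come from documentation ranges."""
    lim = LoginLimiter(max_failures=3, window=60, lockout=600,
                       network_bans={"198.51.100.9"})
    events = [("203.0.113.7", False, 0), ("203.0.113.7", False, 10),
              ("203.0.113.7", False, 20), ("203.0.113.7", True, 30),
              ("203.0.113.7", True, 700), ("198.51.100.9", True, 5)]
    return [lim.attempt(host, ok, t) for host, ok, t in events]
```

Because the ban is checked first, a locked-out host is refused even when it finally submits the correct password, and a host on the shared list is refused on its first attempt against this site.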