Perhaps one of the easiest attacks to perform on a WordPress-based website is a brute force attack. Sucuri took the time to create a few different honeypots and monitored wp-login.php to track the various IP addresses, as well as the passwords used, in attempts to break into the site. Their list of attempted passwords is no surprise to me, as I've seen the same results over the course of a year via the Limit Login Attempts plugin. It all comes back to the use of a strong password. A strong password would look something like this: RCu7R*0#zm. Unfortunately, many forms don't accept certain characters in passwords, so if you are limited to letters and numbers, at the very least mix numbers into your password.
The reason this is one of the easiest attacks to perform is that, by default, WordPress allows an unlimited number of tries when logging into the backend. I understand that it's the user's responsibility to use a strong password, but at the same time I feel as though the software could help out by only allowing 3 login tries per IP address, very similar to how the Limit Login Attempts plugin works. After 3 failed attempts, the IP address would be locked out for a certain amount of time. The only explanation I can come up with is that this particular enhancement would cause some site owners more grief than peace of mind. Unlimited login attempts have been a part of WordPress since I started using it in 2007, and I don't see that changing anytime soon, especially since the Limit Login Attempts plugin exists and solves the problem so well.
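To show what the "3 tries per IP, then a timed lockout" behaviour described above looks like when wired into WordPress, here is an added example of a small must-use plugin. It is not code from the Limit Login Attempts plugin or from WordPress itself; the hooks (`wp_login_failed`, `authenticate`, `wp_login`), the transient functions and `MINUTE_IN_SECONDS` are real WordPress APIs, while the plugin name, the `example_lockout_*` function names and the threshold and timing constants are assumptions chosen for illustration.

```php
<?php
/*
Plugin Name: Example Login Lockout (added example, not a real plugin)
Description: Lock an IP address out of wp-login.php after 3 failed logins.
*/

// Hypothetical policy values; tune them for your site.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 3;                       // failures allowed per IP
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;  // how long a failure counts
const EXAMPLE_LOCKOUT_DURATION     = 20 * MINUTE_IN_SECONDS;  // how long the lockout lasts

function example_lockout_client_ip() {
    // REMOTE_ADDR is filled in by the web server, so a client cannot forge it.
    // If the site sits behind a reverse proxy, have the proxy or web server
    // translate X-Forwarded-For into REMOTE_ADDR; trusting that header here
    // would let a client dodge the counter by sending a different value each time.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key($prefix, $ip) {
    // Transient names have a length limit, so store a hash of the address.
    return $prefix . md5($ip);
}

function example_lockout_is_locked($ip) {
    return get_transient(example_lockout_key('ex_lock_', $ip)) !== false;
}

// Runs on every failed login: count the failure and start the lockout at the threshold.
function example_lockout_record_failure($username) {
    $ip = example_lockout_client_ip();
    if (example_lockout_is_locked($ip)) {
        return; // already locked; the lockout timer is left as it is
    }
    $count_key = example_lockout_key('ex_fail_', $ip);
    $count     = (int) get_transient($count_key) + 1;
    set_transient($count_key, $count, EXAMPLE_LOCKOUT_WINDOW);

    if ($count >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        set_transient(example_lockout_key('ex_lock_', $ip), time(), EXAMPLE_LOCKOUT_DURATION);
        delete_transient($count_key);
        // One log line per lockout gives the site owner something to alert on.
        error_log(sprintf('login lockout: ip=%s last_username=%s', $ip, $username));
    }
}
add_action('wp_login_failed', 'example_lockout_record_failure');

// Runs after WordPress's own password check (core hooks at priority 20), so a
// locked-out IP is refused even when it finally guesses the right password.
function example_lockout_block($user, $username, $password) {
    if (example_lockout_is_locked(example_lockout_client_ip())) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts from your address. Please try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'example_lockout_block', 30, 3);

// A successful login clears the failure counter for that address.
function example_lockout_clear($user_login, $user) {
    delete_transient(example_lockout_key('ex_fail_', example_lockout_client_ip()));
}
add_action('wp_login', 'example_lockout_clear', 10, 2);
```

Dropped into `wp-content/mu-plugins/`, this runs without activation. Two caveats worth keeping in mind: the counter lives in transients, which expire on their own but are only as reliable as the object cache or options table behind them, and a per-IP limit slows down a single source rather than stopping a guesser spread across many addresses, which is exactly why the strong password advice above still stands.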