• Resolved AV8NLVR

    (@av8nlvr)


    I am using the Sucuri plugin and it logs failed login attempts. I see that I am getting a lot of them where it does not show a password. Why is a brute force login being attempted without a password?

    Also, how can I stop these brute force attempts? No hackers have gotten in as far as I know but it's generating a lot of unnecessary traffic. Can the Sucuri plugin block IP addresses after a certain number of attempts?

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Malicious people generally use automated tools to brute-force multiple websites at once. Many of them, called “script kiddies”, just copy or download scripts from the Internet without even knowing what they do and execute them against your site, for example, to get a little bit more information so they can launch a direct attack. Among the information they can find is a list of valid usernames from existing accounts, so in some cases, to know that an account actually exists, they do not need to send a password.

    Although the reason may be different, this is the first thing that comes to my head when I see login attempts with empty passwords; maybe the attacker forgot to include the password in the script that they are using to automate the login, or something along those lines.

    The plugin does not block any HTTP request by itself, neither automatically nor per admin request; you would benefit more from a full-featured web application firewall like CloudProxy [1] or check one of these free plugins [2].

    [1] https://sucuri.net/website-firewall/
    [2] https://www.ads-software.com/plugins/search.php?q=block+ip

    Thread Starter AV8NLVR

    (@av8nlvr)

    That sounds reasonable, trying to get valid usernames so that’s why there is no password on the log.

    There is a plugin called Brute Force Login Protection which claims that it can block an IP after a specified number of attempts within a certain time. Do you think this might help?

    Thread Starter AV8NLVR

    (@av8nlvr)

    Well, I installed that plugin and I think it worked! It notified me that it blocked one IP. I had gotten a couple notifications from the Sucuri plugin of failed login attempts, but apparently when it became a brute force attempt the other plugin stopped it.
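
    The rule discussed in this thread (block an IP after a specified number of failed attempts within a certain time) together with the empty-password pattern from the first reply, as an added example that is not part of the thread and is not code from either plugin mentioned. The log format, the threshold of 4 attempts in 10 minutes, and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-login records: "<ISO time> <client IP> <username> <pw=set|pw=empty>".
# Assumed format for this example; it is not the Sucuri plugin's log format.
SAMPLE_LOG = """\
2015-03-01T10:00:01 203.0.113.7 admin pw=empty
2015-03-01T10:00:02 203.0.113.7 editor pw=empty
2015-03-01T10:00:03 203.0.113.7 test pw=empty
2015-03-01T10:00:04 203.0.113.7 webmaster pw=empty
2015-03-01T09:00:00 192.0.2.44 admin pw=set
2015-03-01T09:15:00 192.0.2.44 admin pw=set
2015-03-01T09:30:00 192.0.2.44 admin pw=set
2015-03-01T09:45:00 192.0.2.44 admin pw=set
2015-03-01T10:05:00 198.51.100.20 alice pw=set
"""

def parse(log_text):
    """Return (timestamp, ip, username, password_present) tuples in time order."""
    rows = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, ip, user, pw = line.split()
        rows.append((datetime.fromisoformat(ts), ip, user, pw == "pw=set"))
    return sorted(rows)

def ips_to_block(events, max_attempts=4, window=timedelta(minutes=10)):
    """Map each IP to the time it reached max_attempts failures inside window."""
    recent, blocked = defaultdict(deque), {}
    for ts, ip, _user, _has_pw in events:
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ip] = ts
    return blocked

def empty_password_probes(events):
    """Per IP, the distinct usernames tried with no password at all."""
    tried = defaultdict(set)
    for _ts, ip, user, has_pw in events:
        if not has_pw:
            tried[ip].add(user)
    return dict(tried)
```

    With the defaults only 203.0.113.7 is blocked; 192.0.2.44 makes the same number of attempts but spaces them 15 minutes apart, so it stays under a 10-minute window and is only caught when the window is widened.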

  • The topic ‘Stopping Brute Force Attacks’ is closed to new replies.