How long do brute force attacks typically last?

Why would there be a ‘standard’ time? They’re not the sort of people who will stick to any standards or conventions. They know that if they sustain their attack – and with improvement in technology – they know they will get through eventually. Be sure to take regular backups – the frequency of which will depend on the purpose and update frequency of your site.

I had a sustained BF attack, on one of the sites I maintain, that lasted for over a month. It was a site that got successfully hacked when it was on Joomla about 5 years ago. After it was hacked it was resurrected as a WordPress site. The attacks continued so I assume the URL is on the dark web somewhere.

I considered changing the URL but as it’s the name of an international travel author that would have been difficult.

Malicious activity, until recently, peaked and troughed. It was only when I started banning suspicious IPs for month, and those who try to use a non-existent user-id permanently, that the malicious activity started to show a significant decline.

I’ll second the idea that using strict blocking rules seems to really help with this sort of thing. Banning suspicious IPs for a month, or even permanently if they’re from a hacker filled country such as Ukraine, is effective. I’ve had a few DOS attacks over the years, the ultimate solution was getting help from a good hosting provider, who ran a script that harvested the DOS IP numbers and created a block list at server level. They’ve got some other things at the server level I don’t understand, but are there watching for DOS attacks and ready to clamp down.

Another key thing for us has been making sure what does happen during a blocked attempt, whether they get a 404 message or the Wordfence blocked message, is that the blocking messages take as little bandwidth as possible, for example having no PHP, just flat html text.

MTN

thank you. I am using permanent blocking rules because this is a local plant nursery – they don’t need traffic from other counties at all. The site does extremely well in google and recently set the Google rules to ‘US only’ to hopefully cut back on exposure. I also installed GEO IT to hopefully block other countries from the back end but am going through a learning curve and am a little confused about how that works.

The attack has stopped. It was going too fast to block all the IPs it was cycling through, but I plan on looking into WF pro for country blocking. I recently migrated this site from Joomla to WordPress so am figuring it all out.

In this case they were getting a 404 since they were looking for the login page which wasn’t there. I’ll look into what they got for the disabled xmlrpc.php.

dday61 a month attack would make me nuts. You are correct, they will eventually get through but I’ll do what I can. I back up weekly.

Hi @karyls
There is no definite time that a brute force attack could take, to learn more about this type of attacks I suggest reading this article from our learning center and I recommend also adjusting these options using Wordfence to protect your website from these attacks.

Thanks.