There is a widespread belief that there are brute force attacks against WordPress admin passwords going on. Just one plugin, Limit Login Attempts Reloaded, which is focused on preventing those attacks, has 2+ million installs. Despite the widespread belief, those are not happening. That is something that security providers falsely claiming they are happening sometimes admit to. We recently found that to be the case with the developers of Limit Login Attempts Reloaded.

In the first sentence of the description of their plugin on the WordPress Plugin Directory, they link the words “brute force attacks” to a post on their website. The first sentence of that post accurately describes what a brute force attack is: “Brute force attacks are relentless and automated attempts to crack passwords or encryption keys by systematically trying all possible combinations until the correct one is found.” Later in the post, they admit what is really happening with malicious login attempts, dictionary attacks: “The most popular method is a dictionary attack, which involves using precompiled dictionaries of commonly used passwords. These dictionaries may include words from various languages, character substitutions, and common phrases.” [Read more]