Security Blog
Posted By Gregory

Brute-force, DoS, and DDoS attacks – what’s the difference?

How are they dangerous? What tools or WordPress plugins can mitigate them? What are the chances of doing that successfully? Let's clear up these intruder activities, which we see every day on any website.


A brute-force attack is a trial-and-error method used by hackers to guess credentials or encrypted data such as logins, passwords or encryption keys through exhaustive effort (using brute force), in the hope of eventually guessing correctly. The brute-force attack is still one of the most popular password-cracking methods for hacking WordPress today.

A Denial-of-Service (DoS) attack is an attack meant to shut down a website, making it inaccessible to its intended users by flooding it with useless traffic (junk requests). Sometimes DoS attacks are used for destroying computer defense systems.

DDoS is short for Distributed DoS. Such attacks are performed by flooding the targeted website with useless traffic from multiple devices or a botnet. A botnet is a network of computers infected with malicious software (malware) without their users' knowledge, organized into a group and controlled by cyber criminals. Modern botnets can contain tens of thousands of compromised mobile devices or desktop computers. Due to their nature, modern DDoS attacks are costly and require a lot of resources. Usually, that means you have a strong enemy that has enough gray money to order this kind of attack. Very often DDoS attacks are ordered by unscrupulous competitors or political opponents.

So, what’s the difference?

Technically they look different, but from a website owner's point of view the difference is just in the goal of an attack.

Both DoS and DDoS attacks have the same goal: to take down the victim, the targeted website or web server, and make a profit from that. Sometimes a DDoS attack is performed to destroy a defense system and obtain administrative access.

The goal of a brute-force attack is to obtain admin access to the targeted website in order to perform whatever illegal activity the intruder wants. Typical activities are:

  • Stealing personal data from a customer database
  • Redirecting legitimate users to fake websites to steal their personal data there
  • Installing backdoors and trojans on the web server for long-term use
  • Installing malicious software to infect admin and customer computers
  • Adding links to infected websites into the website's content

Do these attacks really affect WordPress?

By default, WordPress allows unlimited login attempts through the login form, XML-RPC or by sending special authentication cookies. This allows passwords to be cracked with relative ease via the brute-force attack described above.
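To show what unlimited attempts against the login form and XML-RPC look like from the defender's side, here is an added example (not code from this blog or from any plugin) that scans a web server access log for IPs exceeding an attempt limit inside a sliding time window. The function name `find_bruteforce`, the Combined Log Format, the thresholds and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoints the article names as accepting unlimited login attempts.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Combined Log Format (assumed): ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)\S* [^"]*" \d{3} '
)

def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=1)):
    """Return {ip: peak attempts seen in one window} for IPs over the limit."""
    recent = defaultdict(deque)   # ip -> attempt times still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        # Skip malformed lines, page views and anything that is not a login POST.
        if not m or m["method"] != "POST" or m["path"] not in AUTH_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:         # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4521 "-" "-"'
    for s in range(0, 40, 4)              # 10 form attempts in 36 seconds
] + [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    '"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    for s in range(41, 45)                # 4 more attempts via XML-RPC
] + [                                     # an ordinary user logging in twice
    '198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:12:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

Counting both endpoints in one per-IP window matters because an attacker who is limited only on the login form can switch to XML-RPC; the ordinary user with two logins three minutes apart is not flagged.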

How to mitigate these attacks

Both brute-force and DoS attacks can be successfully mitigated with security software installed on a website. In both cases, you don't need to be a nerd and can get that protection for free.

  1. Brute-force attacks against WordPress can be successfully mitigated with the free WP Cerber plugin. Among other security features, it has protection for XML-RPC and REST API interfaces.
  2. DoS attacks can be mitigated with special web server settings. You can’t do that with just the plugin. One of the best approaches is using NGINX rate limiting rules. Check out my recommendations: Turn your WordPress into Fort Knox.

Unfortunately, DDoS attacks cannot be mitigated at the web server level or with just a WordPress plugin. DDoS attacks can be successfully mitigated only with special hardware installed on the hosting provider's network. Because mitigating DDoS attacks involves a lot of resources, it costs money and is provided as a service by hosting providers on a subscription basis. Unlike brute-force and DoS attacks, there is no guarantee that all DDoS attacks will be successfully mitigated. Everything depends on how powerful the attack is, how powerful the anti-DDoS system provided by the hosting provider is, and how much network bandwidth the hosting provider has.

One of the most affordable solutions for protecting WordPress from DDoS attacks is the Cloudflare service. But there are some disadvantages. Those guys will have control over all your DNS records and the incoming and outgoing traffic of your website, because all traffic will go through Cloudflare servers. Some users have reported that Cloudflare even had issues with owners being locked out of their websites. So, if you have no issues with DDoS, like many of us, there is no reason to add an extra layer that can become an additional pain in the neck.

Catching an intruder

The plugin retrieves WHOIS information for an intruder IP address in the WordPress dashboard

You can easily identify the physical source of an attack – a computer, a mobile device, etc. If you have the WP Cerber plugin installed, check out Know more about intruder's IP. The most disappointing thing is that the vast majority of those attacks cannot be traced back to the real performer or master. Every attempt to trace them back ends up at a set of infected home PCs or mobile devices that are used as puppets, intermediate points for an attack.

Perhaps one day there will be no anonymous access to the Internet, and every person in the world will be responsible for all traffic leaving their Internet-connected devices, but for the time being all websites are under pressure from hacker activity of every kind.

I’m a self-employed developer who has been building software products and services using WordPress for more than seven years. I enjoy partnering with others on interesting and challenging projects. If you’re interested, feel free to contact me.
