AI-Powered Brute Force Attacks Are Here. Is Your Login Ready?

January 21, 2026

65 million brute force attempts get blocked every single day just on sites using Wordfence. That works out to roughly 750 malicious login attempts per second, around the clock. And attackers now have AI models that, given a dump of leaked password hashes, crack over half of common passwords in under a minute.

AI Changed the Game

Traditional brute force attacks work through exhaustion. Try every possible password combination until something works. Modern attacks are smarter. AI models trained on leaked password databases can predict what passwords people actually use.

PassGAN is a generative adversarial network (GAN) trained to generate password guesses. It learned its patterns from millions of leaked passwords: which character substitutions people use, which keyboard walks are common, which words get combined with numbers. Instead of enumerating the key space, it targets human behavior.

The numbers stopped me cold when I first saw them. PassGAN cracks 51% of common passwords in under a minute. Within a month, it gets 81%. It generates up to 73% more unique password guesses than traditional cracking tools. This is not a marginal improvement. It is a fundamental shift in what password cracking can accomplish. One caveat matters for a login page: those rates are measured offline, against a leaked hash set where the attacker tests billions of guesses per second against a fast hash on their own hardware. Against a live login endpoint every guess costs an HTTP request and can be counted, throttled, and blocked, which is exactly what the defenses later in this post do. The AI advantage is that the first few thousand guesses are far more likely to be right, so the limit on attempts has to be low.

The Scale of Credential Exposure

In June 2025, researchers discovered the largest data exposure in history. Roughly 16 billion login credentials compiled from infostealer malware, phishing kits, and prior breaches. Another dataset called Synthient aggregated 2 billion unique email addresses from credential-stuffing lists found across malicious sources.

This is the raw material AI attacks feed on. The more leaked passwords a model trains on, the better it gets at predicting new ones. And the pool of training data keeps growing.

Verizon's Data Breach Investigations Report puts stolen credentials in 88% of breaches in its basic web application attack pattern for 2024 and 2025. The attack vector is not a sophisticated zero-day exploit. It is guessing passwords that people reused from previous breaches. AI just makes the guessing much more efficient.

WordPress Is the Primary Target

WordPress powers over 40% of the web. Every WordPress site has the same login URLs by default. That makes it the most efficient target for automated attacks.

The attack volume is staggering. WordPress sites face 90,000 attacks per minute. 97% are automated. A WordPress site gets attacked every 32 minutes on average. Around 13,000 WordPress sites are hacked every day.

The vulnerability landscape is getting worse, not better. In 2024, the WordPress ecosystem saw 7,966 new vulnerabilities, a 34% increase over 2023. Across all software, CVE disclosures in 2025 hit 48,185, and the 2026 forecast projects 55,000. Most of the WordPress vulnerabilities are in plugins, and 43% can be exploited without authentication.

96% of WordPress site owners surveyed by Melapress reported experiencing security incidents. This is not a hypothetical threat. It is happening constantly.

The XML-RPC Amplification Problem

Most WordPress security plugins focus on protecting /wp-login.php. But there is another attack vector that often goes unprotected: XML-RPC.

The xmlrpc.php endpoint supports a method called system.multicall that lets a client bundle many method calls, each carrying its own username and password, into a single HTTP request: one request, hundreds of login guesses. A security plugin that counts requests instead of authentication attempts sees one failure where there were hundreds. Since WordPress 4.4, core stops authenticating after the first failed login inside a multicall, so on an up-to-date site a bundle only tests one guess; the request still reaches PHP, still costs CPU, and still lands on an endpoint many defenses ignore.

WordPress core applies no rate limiting to either endpoint; whatever limiting you have comes from a plugin or a WAF, and many of those watch only wp-login.php. Sites that block or limit wp-login.php routinely leave xmlrpc.php wide open. Attackers know this and target it specifically.

If you are not using XML-RPC for anything, the safest option is to disable it entirely, ideally at the web server so the request never reaches PHP. If you need it for Jetpack or the WordPress mobile app, at least refuse the system.multicall method.
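Here is what that looks like as a must-use plugin, as an added example that is not ArmorPro's code and not part of the original post. It relies on three real core hooks (xmlrpc_enabled, xmlrpc_methods and wp_xmlrpc_server_class); the XMLRPC_MODE constant, its two values and the Hardened_XMLRPC_Server class name are this example's own. Two details are easy to get wrong. Despite its name, xmlrpc_enabled only switches off the methods that require authentication (which is the whole brute force surface, so it is enough for this purpose). And unsetting system.multicall in the xmlrpc_methods filter does not stick, because IXR_Server's constructor re-adds the three system.* methods after the filter has run; overriding multiCall() in a server subclass does.

```php
<?php
/**
 * Plugin Name: Lock down XML-RPC
 * Added example for wp-content/mu-plugins/ (not ArmorPro's code).
 * XMLRPC_MODE (this example's own setting):
 *   'off'        - no method that needs a login works; use when nothing legitimate needs the endpoint
 *   'restricted' - keep it for Jetpack / the mobile app, but refuse system.multicall
 */
if (!defined('ABSPATH')) {
    exit;
}

const XMLRPC_MODE = 'restricted';

if (XMLRPC_MODE === 'off') {
    // Only methods that require authentication are disabled by this filter (login() then
    // refuses every caller); system.listMethods and friends still answer, which is harmless.
    add_filter('xmlrpc_enabled', '__return_false');
}

// Unsetting 'system.multicall' via 'xmlrpc_methods' is undone by IXR_Server::setCallbacks(),
// so swap in a server subclass and override multiCall() instead.
add_filter('wp_xmlrpc_server_class', function (string $class): string {
    // wp_xmlrpc_server is only loaded during an xmlrpc.php request, so define the subclass here.
    if (!class_exists('Hardened_XMLRPC_Server', false)) {
        class Hardened_XMLRPC_Server extends wp_xmlrpc_server
        {
            public function multiCall($methodcalls)
            {
                error_log(sprintf('xmlrpc: refused system.multicall with %d calls from %s',
                    is_array($methodcalls) ? count($methodcalls) : 0, $_SERVER['REMOTE_ADDR'] ?? '-'));
                return new IXR_Error(403, 'system.multicall is disabled on this site.');
            }
        }
    }
    return 'Hardened_XMLRPC_Server';
});

// pingback.ping is the other method bots abuse; unlike multicall, the filter does remove it.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping']);
    return $methods;
});

// Stop advertising the endpoint: no X-Pingback header, no RSD <link> in <head>.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Make every XML-RPC call visible next to wp-login.php failures. Behind a CDN,
// REMOTE_ADDR is the proxy; use the proxy's client-IP header there instead.
add_action('xmlrpc_call', function (string $method): void {
    error_log(sprintf('xmlrpc: %s from %s', $method, $_SERVER['REMOTE_ADDR'] ?? '-'));
});
```

In 'off' mode the cheaper option is still a web server rule that denies /xmlrpc.php outright, since PHP never runs; the plugin version is for hosts where you cannot touch the server config.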

CAPTCHAs No Longer Work

For years, CAPTCHA was the standard defense against automated attacks. Make the bot prove it is human, and you stop the attack. That assumption is now broken.

AI bots solve CAPTCHAs with 85% to 100% accuracy. Humans only manage 50% to 85%. Advanced models now hit 97% accuracy. In mid-2025, OpenAI's ChatGPT agent clicked straight through a Cloudflare "I am not a robot" checkbox during a browsing task, raising concerns about the entire category of protection.

Over 500 breached companies relied on CAPTCHAs as their primary defense. The bots got through with credential-stuffing frameworks like OpenBullet, which hand each CAPTCHA to a solving service (human farms or models) and carry on. If CAPTCHA is your only protection, you are effectively unprotected.

Modern bot detection has moved to behavioral analysis, TLS fingerprinting, JavaScript challenges, and IP reputation scoring. But the arms race continues. Attackers use stealth browsers, behavioral mimicry with randomized clicks and scrolls, residential proxy rotation to mask IP addresses, and fingerprint spoofing to defeat these defenses.

What Actually Protects Your Login

The good news is that effective protection exists. It just requires moving beyond passwords and CAPTCHAs.

Two-Factor Authentication

Two-factor authentication remains the single most effective protection against credential attacks. Even if an attacker has your password, they cannot log in without the second factor.

TOTP-based 2FA using apps like Google Authenticator, 1Password, or Authy is the standard approach. Hardware security keys (WebAuthn, FIDO2) are stronger still, because the credential is bound to the site's origin: a phishing proxy that relays a TOTP code in real time cannot relay a WebAuthn assertion for a look-alike domain. They do require more setup.

The key is enforcing 2FA for all privileged users. At minimum, administrators and editors should be required to use it. Offer backup codes for emergency access (store them hashed and burn each one after use), and rate-limit 2FA attempts: a 6-digit TOTP code is one guess in a million per attempt, which is safe only if the attacker gets a handful of attempts, not thousands.
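As an added example (not ArmorPro's implementation and not from the original post), here is the verification side of TOTP in plain PHP with the three checks the paragraph above calls for: a tight time window, rejection of a code that was already accepted, and a per-user attempt limit. The base32 decoder handles the enrolment secret in the form authenticator apps expect; TOTP_MAX_FAILURES, TOTP_LOCK_SECONDS and the $state array are this example's own names. The script checks itself against the RFC 4226 test vector when run with `php totp.php`.

```php
<?php
/**
 * TOTP (RFC 6238: 30-second steps, HMAC-SHA1, 6 digits) verification for a login flow.
 * Added example, not ArmorPro's code. Runs stand-alone: `php totp.php`.
 */

/** Decodes the RFC 4648 base32 secret that authenticator apps are enrolled with. */
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // a trailing partial byte is padding
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** Code for one time step: HMAC-SHA1 over the 64-bit big-endian counter, then dynamic truncation. */
function totp_code(string $secret, int $step, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $step), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

const TOTP_MAX_FAILURES = 5;    // wrong codes before the second factor locks
const TOTP_LOCK_SECONDS = 300;  // 5 minutes; at 1 in 10^6 per guess that is plenty

/**
 * Verifies $code for a user whose persisted record is $state (keep it in usermeta):
 *   ['last_step' => int, 'failures' => int, 'locked_until' => int]
 * The window is +/-1 step (30 s of clock drift). Every extra step you accept
 * multiplies the attacker's odds per guess, so resist widening it.
 */
function totp_verify(string $secret, string $code, array &$state, ?int $now = null): bool
{
    $now = $now ?? time();
    if (($state['locked_until'] ?? 0) > $now) {
        return false;                                 // attempt limit reached
    }
    if (!preg_match('/^\d{6}$/', $code)) {
        return false;
    }
    $step = intdiv($now, 30);
    for ($delta = -1; $delta <= 1; $delta++) {
        $candidate = $step + $delta;
        if ($candidate <= ($state['last_step'] ?? -1)) {
            continue;                                 // replay: this step was already consumed
        }
        if (hash_equals(totp_code($secret, $candidate), $code)) {
            $state['last_step'] = $candidate;
            $state['failures']  = 0;
            return true;
        }
    }
    $state['failures'] = ($state['failures'] ?? 0) + 1;
    if ($state['failures'] >= TOTP_MAX_FAILURES) {
        $state['locked_until'] = $now + TOTP_LOCK_SECONDS;
        $state['failures']     = 0;
    }
    return false;
}

// Self-check against RFC 4226 Appendix D (secret "12345678901234567890", counter 1 -> 287082),
// then a constructed walk-through: accept, refuse the replay, lock after repeated wrong codes.
if (PHP_SAPI === 'cli') {
    $secret = base32_decode_rfc4648('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');  // base32 of the RFC secret
    if ($secret !== '12345678901234567890' || totp_code($secret, 1) !== '287082') {
        throw new RuntimeException('RFC 4226 test vector failed');
    }
    $now   = 59;                                      // RFC 6238 vector time, inside step 1
    $state = [];
    $code  = totp_code($secret, intdiv($now, 30));
    $accepted = totp_verify($secret, $code, $state, $now);
    $replayed = totp_verify($secret, $code, $state, $now);
    for ($i = 0; $i < TOTP_MAX_FAILURES; $i++) {
        totp_verify($secret, '000000', $state, $now);
    }
    $refusedWhileLocked = !totp_verify($secret, totp_code($secret, intdiv($now, 30) + 1), $state, $now);
    printf("accepted=%d replay_refused=%d refused_while_locked=%d\n",
        $accepted, !$replayed, $refusedWhileLocked);
}
```

The replay check is the part most home-grown implementations skip: without it, a code captured by a phishing page or shoulder-surfed from a phone stays valid for the rest of its 30-second step (and the window on either side).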

Login Attempt Limits

Limiting failed login attempts with progressive lockouts stops brute force attacks before they can get through their password list, and against AI-ranked guess lists the low end of the limit matters most. 3 to 5 failed attempts before a lockout is a reasonable threshold. Extend the lockout duration after repeated violations. Count per source IP and per account separately: lock IPs aggressively, but give accounts a higher threshold and a short lock, because a 5-strike lock on the username alone lets anyone lock your administrators out with five wrong guesses.

Make sure your limits apply to XML-RPC as well as the regular login page. Whitelist your own IP addresses so you do not lock yourself out during testing. And if the site sits behind Cloudflare or another reverse proxy, key the counters on the real client address from the proxy's header, trusted only when the connection actually comes from the proxy; otherwise every attacker shares the proxy's IP and one lockout blocks everyone.
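To show how the per-IP and per-account counters fit together, here is a progressive lockout as a must-use plugin. It is an added example, not ArmorPro's brute force protection or any code from the post. It hooks the real core filter and action (authenticate and wp_login_failed), which both endpoints reach through wp_authenticate(), so xmlrpc.php is covered without extra work; the LT_* settings, the LtStore wrapper and the allowlist address are this example's own. Outside WordPress the store falls back to memory so the logic can be exercised from the command line.

```php
<?php
/**
 * Plugin Name: Progressive login lockout
 * Added example for wp-content/mu-plugins/ (not ArmorPro's code). Covers wp-login.php and
 * xmlrpc.php alike: both call wp_authenticate(), which runs the 'authenticate' filter and
 * fires 'wp_login_failed'. Run `php login-throttle.php` outside WordPress for a walk-through.
 */
const LT_ALLOWLIST  = ['203.0.113.10'];  // your own addresses (assumed; RFC 5737 example range)
const LT_IP_LIMIT   = 5;      // failures per source IP before it is locked
const LT_BASE_LOCK  = 900;    // first lock 15 minutes, doubling on each repeat offence
const LT_MAX_LOCK   = 86400;  // never longer than a day
const LT_USER_LIMIT = 20;     // failures per account, from any IP, before a short lock
const LT_USER_LOCK  = 300;    // keep short: a long per-account lock is a DoS against your admins
const LT_WINDOW     = 3600;   // failure counters reset after an hour of quiet

/** Transient-backed key/value store inside WordPress, an in-memory array when run stand-alone. */
final class LtStore
{
    private static array $mem = [];

    public static function get(string $key)
    {
        if (function_exists('get_transient')) {
            return get_transient($key);
        }
        return (isset(self::$mem[$key]) && self::$mem[$key][1] > time()) ? self::$mem[$key][0] : false;
    }

    public static function set(string $key, $value, int $ttl): void
    {
        if (function_exists('set_transient')) {
            set_transient($key, $value, $ttl);
            return;
        }
        self::$mem[$key] = [$value, time() + $ttl];
    }

    public static function delete(string $key): void
    {
        function_exists('delete_transient') ? delete_transient($key) : $dummy = null;
        unset(self::$mem[$key]);
    }
}

/** Behind a proxy, read the proxy's client-IP header here, but only when REMOTE_ADDR is the proxy. */
function lt_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Seconds left on a lock covering this IP or this account; 0 if neither is locked. */
function lt_locked_for(string $ip, string $username): int
{
    $now = time();
    foreach (['lt_lock_ip_' . md5($ip), 'lt_lock_user_' . md5(strtolower($username))] as $key) {
        $until = LtStore::get($key);
        if ($until !== false && (int) $until > $now) {
            return (int) $until - $now;
        }
    }
    return 0;
}

/** Records one failure; returns the lock it triggered in seconds (0 if none). */
function lt_record_failure(string $ip, string $username): int
{
    if (in_array($ip, LT_ALLOWLIST, true)) {
        return 0;
    }
    $ipKey   = md5($ip);
    $userKey = md5(strtolower($username));
    $lock    = 0;

    $fails = (int) LtStore::get('lt_fails_ip_' . $ipKey) + 1;
    LtStore::set('lt_fails_ip_' . $ipKey, $fails, LT_WINDOW);
    if ($fails >= LT_IP_LIMIT) {
        // Strikes outlive the lock itself, so a repeat offender waits twice as long each time.
        $strikes = min((int) LtStore::get('lt_strikes_ip_' . $ipKey) + 1, 10);
        LtStore::set('lt_strikes_ip_' . $ipKey, $strikes, LT_MAX_LOCK);
        $lock = (int) min(LT_BASE_LOCK * (2 ** ($strikes - 1)), LT_MAX_LOCK);
        LtStore::set('lt_lock_ip_' . $ipKey, time() + $lock, $lock);
        LtStore::delete('lt_fails_ip_' . $ipKey);
    }

    $userFails = (int) LtStore::get('lt_fails_user_' . $userKey) + 1;
    LtStore::set('lt_fails_user_' . $userKey, $userFails, LT_WINDOW);
    if ($userFails >= LT_USER_LIMIT) {
        LtStore::set('lt_lock_user_' . $userKey, time() + LT_USER_LOCK, LT_USER_LOCK);
        LtStore::delete('lt_fails_user_' . $userKey);
        $lock = max($lock, LT_USER_LOCK);
    }
    return $lock;
}

if (function_exists('add_filter')) {
    // Priority 100: after core has checked the password (priority 20), so a locked source is
    // refused even with correct credentials and our WP_Error is not overwritten by a later handler.
    add_filter('authenticate', function ($user, $username, $password) {
        if ($username === '' || $password === '') {
            return $user;
        }
        $wait = lt_locked_for(lt_client_ip(), $username);
        if ($wait > 0) {
            return new WP_Error('too_many_attempts',
                sprintf('Too many failed logins. Try again in %d minutes.', (int) ceil($wait / 60)));
        }
        return $user;
    }, 100, 3);

    add_action('wp_login_failed', function ($username, $error = null) {
        if (is_wp_error($error) && $error->get_error_code() === 'too_many_attempts') {
            return;  // our own refusals are not new guesses
        }
        lt_record_failure(lt_client_ip(), (string) $username);
    }, 10, 2);
} elseif (PHP_SAPI === 'cli') {
    // Constructed walk-through: five wrong guesses from one address trigger the first 15-minute lock.
    $ip   = '198.51.100.7';
    $lock = 0;
    for ($i = 0; $i < LT_IP_LIMIT; $i++) {
        $lock = lt_record_failure($ip, 'admin');
    }
    printf("lock=%ds locked_for=%ds allowlisted_lock=%ds\n",
        $lock, lt_locked_for($ip, 'admin'), lt_record_failure('203.0.113.10', 'admin'));
}
```

Transients are per-site storage, so on a multi-server setup back them with a shared object cache (Redis or Memcached); otherwise each PHP node keeps its own counters and an attacker spreading requests across nodes gets several times the limit.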

Custom Login URL

Changing your login URL from /wp-login.php to something unique sidesteps the automated attacks that target default paths. Bots scanning for WordPress sites will hit a 404 instead of your login form.

This is security through obscurity, which means it should not be your only defense. But it is an effective layer that stops a significant volume of untargeted attacks before they start. It does nothing for xmlrpc.php, which keeps its default path and needs the separate handling described above.

Web Application Firewall

A WAF that uses behavioral analysis can detect and block attack patterns in real time. Modern WAFs incorporate AI themselves, using algorithms to identify malicious activity based on patterns rather than just signatures.

Cloudflare's WAF, for example, includes a specific rule (WP0018) that blocks WordPress XML-RPC brute force amplification attacks. If you are using Cloudflare, make sure this rule is enabled.

Complete WordPress Login Protection

ArmorPro includes brute force protection with configurable attempt limits, custom login URLs to hide your login page, and TOTP-based two-factor authentication. Pro adds country blocking, auto-blacklist for repeat offenders, and email notifications for security events.

Get ArmorPro

Password Requirements That Actually Help

Offline, against a fast hash, anything under 8 characters falls to plain brute force in minutes on a GPU rig, AI or not. Even 12-character passwords are vulnerable if they follow predictable patterns, because those patterns are what the models rank first. The threshold for safety is now 14 to 18 characters.

But length is not enough. Patterns like keyboard walks (qwerty, asdfgh), common substitutions (P@ssw0rd), and dictionary words with numbers are exactly what AI models are trained to predict. Do the arithmetic: four common words strung into a 20-character password draw from a vocabulary of a few thousand words each, roughly 45 to 55 bits of search space; a 14-character string chosen uniformly from the 94 printable ASCII characters is about 92 bits. The longer password is the weaker one.

The practical solution is password managers. Generate random passwords for every account. The password manager remembers them so you do not have to. 94% of passwords are weak or reused, according to recent studies. A password manager eliminates both problems.

Consider integrating Have I Been Pwned's Pwned Passwords range API to check new passwords against breach databases. The lookup is k-anonymous: only the first five hex characters of the password's SHA-1 leave your server, and you match the rest locally. If a user tries to set a password that has appeared in a breach, require them to choose a different one.
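Here is that check as an added example in plain PHP (not ArmorPro's code or anything from the original post). The hashing and parsing are the real Pwned Passwords range protocol: SHA-1 the password, send the first five hex characters, match the remaining 35 against the SUFFIX:COUNT lines that come back. Everything else is this example's own: the hibp_* function names, the WordPress hook-up (it assumes the user_profile_update_errors and validate_password_reset actions and the pass1 form field core uses), and the constructed bucket that lets the script run offline.

```php
<?php
/**
 * Breached-password check against Have I Been Pwned's range API (k-anonymity).
 * Added example, not ArmorPro's code. Run `php pwned.php` for an offline self-check.
 */

/** Finds our 35-char suffix in a range response ("SUFFIX:COUNT" per line); 0 when absent. */
function hibp_count_from_range(string $body, string $suffix): int
{
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals(strtoupper($candidate), $suffix)) {
            return (int) $count;   // padding entries carry a count of 0, so they never flag a password
        }
    }
    return 0;
}

/** Breach count for $password, or -1 when the lookup failed so the caller decides fail-open vs fail-closed. */
function hibp_breach_count(string $password, ?callable $fetchRange = null): int
{
    $sha1   = strtoupper(sha1($password));
    $prefix = substr($sha1, 0, 5);            // the only thing that leaves the server
    $suffix = substr($sha1, 5);
    $body   = ($fetchRange ?? 'hibp_fetch_range')($prefix);
    return $body === null ? -1 : hibp_count_from_range($body, $suffix);
}

/** Live lookup. Add-Padding makes every bucket the same size so the response length reveals nothing. */
function hibp_fetch_range(string $prefix): ?string
{
    $url = 'https://api.pwnedpasswords.com/range/' . $prefix;
    if (function_exists('wp_remote_get')) {
        $r = wp_remote_get($url, ['timeout' => 5, 'headers' => ['Add-Padding' => 'true']]);
        if (is_wp_error($r) || wp_remote_retrieve_response_code($r) !== 200) {
            return null;
        }
        return wp_remote_retrieve_body($r);
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'header' => "Add-Padding: true\r\n"]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

if (function_exists('add_action')) {
    // Core puts the new password in $_POST['pass1'] on the profile, new-user and reset forms.
    $reject_pwned = function ($errors): void {
        $pass = isset($_POST['pass1']) ? wp_unslash($_POST['pass1']) : '';
        if ($pass === '') {
            return;
        }
        $count = hibp_breach_count($pass);
        if ($count > 0) {
            $errors->add('pwned_password',
                sprintf('<strong>Error:</strong> that password has appeared %d times in known breaches. Choose another.', $count));
        }
        // $count === -1 (lookup failed) is let through: failing closed would block every
        // password change during an API outage, which is usually the worse trade.
    };
    add_action('user_profile_update_errors', $reject_pwned);
    add_action('validate_password_reset', $reject_pwned);
} elseif (PHP_SAPI === 'cli') {
    // Constructed bucket, not a real API response: SHA-1("password") is
    // 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix lives in bucket 5BAA6.
    $demoRange = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n";
    $offline   = fn(string $prefix): ?string => $prefix === '5BAA6' ? $demoRange : '';
    $pwned = hibp_breach_count('password', $offline);
    $clean = hibp_breach_count(bin2hex(random_bytes(16)), $offline);
    $down  = hibp_breach_count('password', fn(string $p): ?string => null);
    if ($pwned !== 1234 || $clean !== 0 || $down !== -1) {
        throw new RuntimeException('self-check failed');
    }
    echo "self-check passed: pwned=$pwned clean=$clean lookup_failed=$down\n";
}
```

The same function works on the login path too: checking the password at login time catches users whose password was fine when they set it and has since turned up in a dump, which is the common case for reused credentials.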

The Future Is Passwordless

The ultimate solution to password attacks is eliminating passwords entirely. Passkeys, supported by Apple, Google, and Microsoft, are WebAuthn credentials: a private key that never leaves your device (or its synced keychain) signs a challenge that is bound to the site's origin. There is no password to steal, guess, or phish.

Over 50% of iOS device requests now carry Private Access Tokens, cryptographic tokens that a trusted issuer hands out after the device attests itself, so a site gets proof that a request comes from a legitimate device without showing a CAPTCHA. This signals a shift toward hardware-rooted authentication that AI cannot easily defeat.

WordPress support for passkeys is still emerging, but it is coming. In the meantime, the combination of strong passwords, two-factor authentication, and login protection provides effective defense against current AI-powered attacks.

Do Not Wait for the Breach

AI-powered attacks are not theoretical. They are happening right now, 90,000 times per minute against WordPress sites. The defenses are straightforward: 2FA, login limits, custom URLs, and keeping everything updated.

In my experience, the difference between sites that get breached and sites that do not is not sophisticated security measures. It is basic hygiene done consistently. Two-factor authentication stops almost all credential attacks cold. Login limits prevent brute forcing. A custom URL takes you out of the untargeted scans that hit default paths.

That is why we built these features into our security plugin. Check your login page today. Make sure you have more than just a password between attackers and your admin dashboard. The bots are not waiting while you think about it.