E-commerce websites are targets for brute-force attacks because the default /admin and /downloader locations of a Magento installation are easily found. Those locations are then used to launch a brute-force attack in which passwords are tried automatically until one succeeds. This is one of the simplest ways to gain access to a website because it requires no additional skill or resources, only patience.
There are a few things you can do within your Magento installation to protect yourself from a brute-force attack.
Change the name of the back-end panel:
The default admin path is defined in the file app/etc/local.xml under admin → routers → adminhtml → args → frontName. Change it to something you can easily remember but that is difficult for others to guess. Do not use obvious alternatives such as control, admin123, or manage.
Then flush your cache in the back end via System → Cache Management, or run over SSH: magerun cache:flush
Secure /downloader and /rss:
Magento uses /downloader to install extensions via the Magento Connect Manager. This is a standard Magento URL, which makes it an easy target for brute-force attacks. Although you will probably never use this folder, its presence is required for installing (future) patches. So instead of renaming it, we recommend adding IP access control (an IP whitelist). Modify the existing downloader/.htaccess file and add these lines at the end:
deny from all
allow from x.x.x.x
Note: replace x.x.x.x with the IP address you connect from. If more than one address needs access, add one allow from line per address.
Don't use the admin account name:
Not using admin as the account name is another thing that helps stop brute-force attacks. People usually keep admin, and this is a security issue for your Magento store because it is easy for attackers to guess. Consider changing the admin account name to your own name, a nickname, or your email address.
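The measures above reduce exposure, but you also want to know when a brute-force attempt is actually happening. The following script is an added example, not code from the original article or from Magento: it scans web-server access log lines (constructed sample lines in combined log format) for repeated login POSTs to the /admin and /downloader paths from a single IP. It assumes a successful Magento admin login answers with a 302 redirect while a failed guess re-renders the login page with 200; a renamed frontName would need to be added to LOGIN_PATHS.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths a brute-force attempt against a Magento 1 store would hit.
# Assumption: the admin frontName is still the default; add your renamed one here.
LOGIN_PATHS = ("/index.php/admin", "/admin", "/downloader")


def is_login_post(method, path):
    """True for a POST to one of the login endpoints (with or without a trailing path)."""
    return method == "POST" and any(
        path == p or path.startswith(p + "/") or path.startswith(p + "?") for p in LOGIN_PATHS
    )


def find_bruteforce_sources(log_lines, threshold=10):
    """Return {ip: attempts} for IPs with at least `threshold` login POSTs that
    were not answered with a 302 (assumption: 302 means the login succeeded)."""
    attempts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if not is_login_post(m["method"], m["path"]):
            continue
        if m["status"] == "302":
            continue  # redirect after a successful login, not a failed guess
        attempts[m["ip"]] += 1
    return {ip: n for ip, n in attempts.items() if n >= threshold}


# Constructed sample log: 12 failed admin POSTs from one IP, one successful login, one downloader POST.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "POST /downloader/ HTTP/1.1" 200 3000 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed admin/downloader login attempts")
```

Run it against a real access log by feeding the file's lines to find_bruteforce_sources; the flagged addresses are candidates for blocking in the .htaccess rules described above.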