It may be hard to believe, but even in 2016, brute force attacks remain one of the most common attack vectors on the web.
While it’s impossible to guarantee 100% protection against brute force attempts, you can get pretty close by combining several controls: strong passwords, HTTPS on login pages (with strong cipher suites rather than legacy ones), two-factor authentication, limiting failed login attempts (and temporarily blocking the IPs that exceed the limit), a CAPTCHA on login forms, and a firewall that filters malicious traffic.
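The "limit failed login attempts and block the offending IPs" control above, as an added example that is not code from the original post: a sliding-window throttle that blocks an address after too many recent failures and releases it when the lockout expires. The limits, the injectable clock and the RFC 5737 test address are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP failed-login limiter with a sliding window and a temporary lockout.
    Illustrative defaults: 5 failures within 5 minutes blocks the IP for 15 minutes.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> moment the lockout ends

    def _prune(self, ip, now):
        # Drop failures older than the window so stale attempts do not count.
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip):
        """True while the IP is locked out; expired lockouts are cleared on read."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed attempt; returns True if this one triggers a lockout."""
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A valid login clears the failure history for that address."""
        self.failures.pop(ip, None)


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3)
    ip = "203.0.113.7"  # constructed example address
    for _ in range(3):
        locked = throttle.record_failure(ip)
    print("blocked after 3 failures:", locked, throttle.is_blocked(ip))
```

Key a second instance by username as well: a per-IP limit alone is blind to failures spread across many addresses, and the login handler should consult both before checking the password.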
We all know how important strong passwords are. In an experiment reported by Ars Technica, a team of hackers cracked 90% of a list of 16,449 cryptographically hashed, 16-character passwords in less than one hour. Security experts are also adamant that site owners should change their passwords regularly. Not long ago I believed this was unnecessary, but the recent Dropbox data breach has changed my mind.