how to protect wordpress website from brute force attacks

How to Protect Your WordPress Website from Brute Force Attacks

Internet & Security

How to Protect Your WordPress Website from Brute Force Attacks

Unlike hacks that focus on vulnerabilities in software, brute force attacks consist of attackers submitting many username/password combinations with the hope of eventually guessing your login details correctly. As the attackers keep trying over and over again, you may find your site having poor performance and in general misbehaving. If an attacker eventually gets the right login details, they can do whatever they want with your website including blocking you out, stealing vital information, blackmail and so on.

On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software. In order to defend your website against this kind of attack, you need to be very security conscious. Here are some steps you can take:

1. Don’t Make It Easy

A brute-force attacker will try different combinations for your username and password. However, there are several possible combinations and it may take forever to guess correctly, so most attackers will try common usernames and passwords. For example, don’t use “admin” as your username. In the past, WordPress made “admin” the default username and many people did not bother to change it. If your username is “admin”, you need to change it as your website is currently an easy target for attackers. You can follow the steps below to change your username:

  1. Login to your WordPress account using your current username
  2. Visit the Account Settings page and enter the new username you want under Username
  3. You will then see a new box Confirm Username. Enter the new username again
  4. In the next step, you will be able to choose whether you want your blog address to match your new username
  5. Finally, read through the information presented to you and click Save Username
wordpress brute force attacks - username security

Also, don’t make it easy for attackers to guess your password – don’t use easy to guess passwords like “123456” or “password” or your name. You can use password generators to generate strong, hard to crack passwords. If you wish to create a password yourself, make sure to avoid these common mistakes:

  1. Using your real name, your login username, company name, or name of your website
  2. Using a word from a dictionary in any language, or a slang
  3. Using a short password (you should use at least 10 characters)
  4. Any numeric-only or alphabetic-only password (a mixture of both is best)

2. Install Updates

Some brute-force attackers target vulnerabilities in older versions of WordPress. In order to avoid a breach of your WordPress website, you need to install updates regularly. You can do that by going to the Dashboard » Updates page which will show you all the available updates. It is possible to update WordPress core, your plugins and any themes you may have installed.

wordpress brute force attacks - updates

3. Hide Your WordPress Login Area

A common way that attackers use to get into your website or make it crash is to keep sending requests to your /wp-login.php file over and over until they get in or the server dies. This file is what handles all login requests (legitimate or not) and should be kept hidden to avoid brute-force attacks. Below are some plugins you can install to help you hide the login URL so that attackers won’t have access to it:

Wordpress WordFence dashboard- brute force attacks


WordFence works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. It helps with brute force protection by hiding your login URL, two-factor authentication, malware scan among other features. It is also easy to set up.

WPS Hide Login- wordpress brute force attacks

WPS Hide Login

WPS Hide Login is a very light plugin that lets you easily and safely change the URL of the login page to anything you want. It doesn’t literally rename or change the files in core, it simply intercepts login requests and it works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the new URL you set. Deactivating this plugin brings your site back exactly to the state it was before.

MalCare Plugin - WordPress security


MalCare is an all-in-one WordPress security protection plugin. It offers protection against different forms of attack and keeps malicious traffic away. It does not just protect against brute force attacks, but also offers other features such as malware scanning, malicious code removal, smart web firewall, one-click hardening, etc.

4. Activate Two Factor Authentication (2FA)

In general, two-factor authentication (also known as 2FA) is a method of confirming a user’s identity by using a combination of two different factors: 1. something they know (for example, their password) and 2. something they have (their mobile device).

In WordPress, if you have two-factor authentication enabled for your website, then you will need your phone to generate a one-time passcode along with your login credentials to access the WordPress admin area. 

You can enable two-factor authentication by installing the plugin Two Factor. It allows you to set up different kinds of authentication as shown in the image below.

Wordpress security two factor authentication

5. Limit Login Attempts

In order to make it more difficult for brute-force attackers to get your correct username/password combination, you should also limit the number of login attempts allowed from a particular IP address. What this does is it takes note of the IP address of the person trying to log in, then after a specified number of login attempts (e.g. after 3 attempts), if the person is unable to login successfully, they would not be allowed to login again for a period of time (e.g. one hour). To limit the number of login attempts for your WordPress website, you can install the plugin Login Lockdown. With a seriously restricted number of attempts, attackers will need a lot of luck to guess your login credentials correctly.

6. Use VPS Hosting

(Virtual Private Server) VPS hosting provides more security and control than the more common shared hosting. On a VPS server, there is a software called a hypervisor that acts as a security gate, protecting it against malware and malicious attacks. Switching to a VPS hosting is another way you can protect your WordPress website from brute-force and malicious attackers. We offer Managed VPS hosting for our clients and migrate your website for free. If you’d like to get more information, please contact us.


In summary, there are different ways to protect your WordPress website from brute force attacks, many of which can be achieved by merely installing plugins. You can explore the different plugins mentioned above and maximise their features to better protect your website. Remember to stay security conscious.