What Is Brute Force Attack And How To Protect Your WordPress Site From Brute Force Attacks

What Is a Brute Force Attack on WordPress?

A brute force attack on a WordPress website involves an attempt to gain unauthorized access to the website’s administrator account by systematically trying various username and password combinations. The attacker typically uses automated tools or scripts that rapidly generate and test these combinations until the correct login credentials are discovered.

WordPress, being one of the most popular content management systems (CMS) globally, is a common target for such attacks. Attackers exploit the fact that some website administrators may use weak or easily guessable usernames and passwords, making them vulnerable to such attacks.

During this attack on a WordPress website, the attacker targets the default login page (typically located at “/wp-admin”) and sends login requests using different usernames and passwords. The attack may involve a large number of login attempts, often utilizing botnets or distributed networks of compromised computers to increase the speed and effectiveness of the attack.

Severe negative impacts of Brute force attacks on WordPress websites


  • Unauthorized Access: If this force attack is successful, the attacker gains unauthorized access to the WordPress website’s administrator account. This can lead to various detrimental consequences, including data breaches, website defacement, or the installation of malicious code.
  • Data Loss or Theft: Once an attacker gains control of the administrator account, they may have the ability to delete or modify critical data on the website. They can also steal sensitive information such as user data, customer information, or financial details.
  • Website Downtime: These attacks can generate a large number of login attempts, putting a significant load on the website’s server resources. This can result in server overload, slow website performance, or even complete website downtime, leading to a loss of revenue, decreased user trust, and a negative impact on SEO rankings.
  • Damage to Reputation: If the attack is successful, it can severely damage the reputation of the website owner or organization. Users may lose trust in the website’s security and be hesitant to share personal information or engage with the website in the future.
  • Increased Security Risks: These attacks indicate vulnerabilities in the website’s security, highlighting the need for improved security measures. If one attack is successful, it may encourage further attacks or attract the attention of other malicious actors who attempt similar exploits.
  • Financial Loss: Recovering from a successful brute force attack can be costly. It may involve hiring security experts, implementing stronger security measures, restoring data backups, and potentially facing legal consequences if sensitive user data is compromised.
  • Impact on SEO: If a website is compromised or taken offline due to a successful attack, it can have a negative impact on search engine rankings. Search engines may flag the website as compromised or unreliable, resulting in reduced organic traffic and diminished online visibility.

To mitigate the negative impact of brute force attacks, it is crucial to implement robust security measures, such as strong passwords, limited login attempts, two-factor authentication, and regular website updates. Additionally, monitoring for unusual login activity and employing security plugins or services can help detect and prevent brute-force attacks.

Here’s a step-by-step guide on how to protect your WordPress site from such attacks:

1. Use strong usernames and passwords

Strong Usernames:

  • Avoid using default usernames like “admin” or “administrator” since they are widely known and targeted by attackers.
  • Choose unique usernames that are not easily guessable or associated with your personal information.
  • Combine different character types (lowercase letters, uppercase letters, numbers, and symbols) to make the username more secure.
  • Ensure usernames are reasonably long and not easily linked to publicly available information about you or your website.

Strong Passwords:

  • Create unique and complex passwords for each user account, including the administrator account.
  • Use a combination of uppercase and lowercase letters, numbers, and special characters.
  • Aim for a minimum password length of 12-14 characters.
  • Avoid common or easily guessable passwords such as “123456” or “password.”
  • Consider using a password manager tool to generate and securely store complex passwords.

2. Limit login attempts to prevent brute force attacks

In WordPress, you can limit login attempts by using various plugins or implementing custom code. Here are some methods you can use to restrict the number of failed login attempts:

  • Login Lockdown Plugin: Install and activate a security plugin like “Login Lockdown” or “Loginizer” from the WordPress Plugin Directory. These plugins allow you to set limitations on login attempts and lock out IP addresses after a specified number of failed login attempts within a certain time frame.
  • Jetpack Protect: If you have Jetpack installed on your WordPress website, you can enable the “Protect” module. It includes a feature called “Brute Force Attack Protection,” which monitors and limits login attempts from suspicious sources.
  • Wordfence Security: Wordfence is a popular security plugin that offers comprehensive protection for WordPress sites. It includes a feature called “Login Security” that allows you to set the maximum number of login attempts, lockout duration, and other options to protect against brute force attacks.
  • Custom Code: If you are comfortable with coding, you can implement custom code in your WordPress theme’s functions.php file or create a custom plugin. This code can track login attempts, count failed attempts, and enforce limitations on login retries. Various code snippets and tutorials are available online to help you implement this approach.

When configuring login attempt limitations, it is important to strike a balance between security and convenience. Ensure that the settings you choose do not overly inconvenience legitimate users while providing effective protection against brute force attacks.

3. Change the login URL

Changing the default login URL in WordPress can add an extra layer of security by making it more difficult for attackers to find the login page. Here are the steps to change the login URL:

  • Backup your Website: Before making any changes, it’s always a good practice to create a backup of your WordPress website. This ensures that you can restore your site if anything goes wrong during the process.
  • Install a Plugin: There are several WordPress plugins available that can help you change the login URL easily. One popular option is the “WPS Hide Login” plugin. Install and activate the plugin from the WordPress Plugin Directory.
  • Access Plugin Settings: Once the plugin is activated, go to your WordPress dashboard and navigate to “Settings” -> “General.” You will find a new option called “WPS Hide Login.”
  • Set a New Login URL: In the “WPS Hide Login” settings, you can enter a custom URL slug or path that will replace the default login URL. Choose a unique and memorable URL that is not easily guessable.
  • Save Changes: After setting the new login URL, click the “Save Changes” button to update the settings.
  • Test the New Login URL: Open a new browser tab and enter your new login URL. For example, if you set the custom URL as “my-secret-login,” you would access the login page by visiting “https://www.yourdomain.com/my-secret-login.”

Note: Changing the login URL does not affect the actual login process or security measures. It simply adds an extra layer of obscurity by making the login page less obvious to attackers. However, it is important to remember the custom login URL as you won’t be able to access the login page through the default “/wp-login.php” or “/wp-admin” paths.

By changing the login URL, you make it harder for attackers to find the login page and reduce the likelihood of brute force attacks or unauthorized login attempts on your WordPress website.

4. Implement two-factor authentication (2FA):

Implementing two-factor authentication (2FA) in WordPress adds an additional layer of security by requiring users to provide a second form of verification when logging in. Here’s how you can enable 2FA in WordPress:

  • Install a 2FA Plugin: Start by installing a 2FA plugin from the WordPress Plugin Directory. Some popular options include “Two Factor Authentication” by UpdraftPlus and “Google Authenticator – Two Factor Authentication (2FA)” by miniOrange. Install and activate the plugin of your choice.
  • Configure the Plugin: Once the plugin is activated, navigate to the plugin’s settings page. You may find it under the “Settings” or “Users” menu in your WordPress dashboard, depending on the plugin you installed.
  • Select the Authentication Method: In the plugin settings, you can choose the preferred 2FA method. The most common options are:

    • Time-based One-Time Password (TOTP):
      This method involves generating a unique temporary code using a mobile app like Google Authenticator or Authy. Users scan a QR code or manually enter a secret key into the app to set up the authentication.
    • Email or SMS Verification:
      With this method, a verification code is sent to the user’s registered email address or mobile phone number, which they must enter during the login process.
  • Enable and Customize 2FA: Enable the 2FA feature and configure any additional settings provided by the plugin. You can typically choose whether to enforce 2FA for all users, specific user roles, or allow users to enable it individually. You may also have options to customize the 2FA messages, appearance, or security settings.
  • Test the 2FA Setup: Log out of your WordPress account and attempt to log in again. Follow the steps provided by the 2FA plugin to complete the secondary authentication process. This could involve entering a verification code from an app, receiving and entering a code from email or SMS, or using any other method you chose during setup.

By enabling 2FA, you enhance the security of your WordPress website by requiring users to provide an additional authentication factor beyond their username and password. This significantly reduces the risk of unauthorized access, even if an attacker manages to obtain login credentials through a brute force attack or other means.

5. Use a web application firewall (WAF) :

Implementing a web application firewall (WAF) in WordPress helps protect your website from various types of attacks, including brute force attempts, SQL injections, cross-site scripting (XSS), and more. Here’s how you can set up a WAF in WordPress:

  • Choose a WAF Solution: There are several WAF solutions available for WordPress. Some popular options include Sucuri, Wordfence, and Cloudflare. Evaluate the features, pricing, and reputation of each solution to choose the one that best suits your needs.
  • Sign Up and Configure the WAF: Sign up for an account with your chosen WAF provider and follow their setup instructions. This may involve configuring DNS settings, changing nameservers, or updating DNS records to route traffic through the WAF.
  • Install and Activate the WAF Plugin (if applicable): Some WAF providers offer dedicated WordPress plugins to integrate their services seamlessly. Install and activate the WAF plugin provided by your chosen provider. This plugin will handle the integration and communication between your WordPress site and the WAF service.
  • Customize WAF Settings: Access the WAF settings either through the plugin’s settings page or the provider’s dashboard. Configure the WAF settings based on your security requirements. This may include enabling specific security rules, adjusting firewall sensitivity, enabling rate limiting, and more. Consult the documentation or support resources provided by your WAF provider for guidance on configuring the settings.
  • Test and Monitor: After configuring the WAF, thoroughly test your website’s functionality to ensure that it is not being unnecessarily blocked or affected by the firewall rules. Monitor the WAF logs and any security notifications to stay informed about potential threats or suspicious activity on your website.
  • Regularly Update and Maintain: Keep your WAF plugin and WordPress installation up to date. Regularly check for any updates or patches released by the WAF provider and apply them promptly. Also, stay informed about emerging security threats and adjust your WAF settings accordingly.

A WAF helps protect your WordPress website by filtering and blocking malicious traffic, providing an additional layer of security against common attacks. However, it is important to note that a WAF should be used in conjunction with other security measures like strong passwords, regular backups, and plugin/theme updates for comprehensive website security.

6. Keep your WordPress site up to date to protect your site from brute force attacks

Keeping your WordPress site up to date is crucial for maintaining its security, stability, and compatibility with the latest features and enhancements. Here are the steps to keep your WordPress site up to date:

  • Update WordPress Core: When a new version of WordPress is released, you will see an update notification in your WordPress dashboard. Click on the “Please update now” message or navigate to the “Dashboard” -> “Updates” page. From there, you can update WordPress core by clicking the “Update Now” button.
  • Update Themes: Regularly update your installed themes to ensure they are compatible with the latest version of WordPress and to take advantage of any bug fixes, security patches, or new features. Navigate to “Appearance” -> “Themes” in your WordPress dashboard. If there are any theme updates available, you will see an update notification. Simply click on the “Update Now” button next to the theme.
  • Update Plugins: Similarly, keep your plugins up to date by visiting the “Plugins” page in your WordPress dashboard. Look for any plugins with available updates, indicated by an update notification. Select the plugins you want to update and click the “Update” button.
  • Consider Plugin and Theme Compatibility: Before updating WordPress, themes, or plugins, it’s important to ensure compatibility. Some older themes or plugins may not be compatible with the latest version of WordPress, which could cause issues. Check the plugin or theme documentation, contact the developer, or review user reviews and ratings to confirm compatibility.
  • Backup Your Site: Before performing any updates, it’s strongly recommended to create a backup of your WordPress site. This way, if any issues arise during the update process, you can restore your site to its previous working state.
  • Monitor for Security Updates: Stay informed about security vulnerabilities and updates related to WordPress, themes, and plugins. Subscribe to reliable WordPress news sources, security blogs, or newsletters to receive updates on security patches and vulnerabilities. Timely updates help protect your site against potential security risks.

Remember, keeping your WordPress site up to date is an ongoing process. Regularly check for updates and apply them promptly to maintain a secure and optimized website.

7. Disabling Directory Browsing

Disabling directory browsing in WordPress is an essential security measure to prevent unauthorized access to the directories and files on your website. By default, WordPress allows directory browsing, which means anyone can access the contents of your directories if they know the URL structure. To disable directory browsing, follow these steps:

  • Access your website’s root directory: Use an FTP client or a file manager provided by your hosting provider to connect to your website’s server. Navigate to the root directory where WordPress is installed.
  • Locate the .htaccess file: In the root directory, look for a file named “.htaccess”. If you can’t find it, make sure that your FTP client or file manager is configured to display hidden files.
  • Edit the .htaccess file: Download a copy of the .htaccess file to your computer as a backup. Open the file using a text editor.
  • Add code to disable directory browsing: Insert the following code at the bottom of the .htaccess file:

Options –Indexes

# Disable directory browsing

  • Save and upload the modified .htaccess file: Save the changes to the .htaccess file and upload it back to the root directory of your website, replacing the existing file.
  • Test directory browsing: Open a web browser and try accessing a directory on your website by typing the directory’s URL directly (e.g., https://www.yourdomain.com/wp-content/uploads/). If directory browsing is disabled successfully, you should see a “403 Forbidden” error instead of a list of files and directories.

By disabling directory browsing, you enhance the security of your WordPress website by preventing unauthorized access to the contents of your directories. This helps protect sensitive information, such as plugin files, uploads, and other website assets, from being exposed to potential attackers.

8. Disable PHP File Execution in Specific WordPress Folders

To disable PHP file execution in specific WordPress folders, you can use the .htaccess file located in the folder you want to protect. Follow these steps:

  • Access the folder: Use an FTP client or a file manager provided by your hosting provider to navigate to the specific folder where you want to disable PHP file execution.
  • Create or edit the .htaccess file: Look for an existing .htaccess file in the folder. If one doesn’t exist, create a new plain text file and name it “.htaccess” (include the dot at the beginning). If there is an existing .htaccess file, open it using a text editor.
  • Add code to disable PHP execution: Insert the following code into the .htaccess file: 

<Files “*.php”>

Deny from all


  • Save the .htaccess file: Save the changes to the .htaccess file. 
  • Test PHP file execution: To verify that PHP file execution is disabled in the specific folder, try accessing a PHP file within that folder from a web browser. If PHP execution is disabled correctly, you should see a “403 Forbidden” error.

By disabling PHP file execution in specific WordPress folders, you add an extra layer of security by preventing the execution of PHP files within those folders. This can help mitigate the risk of unauthorized access or exploitation of PHP files that should not be directly accessible.

Remember, while these steps will significantly enhance your site’s security, it’s essential to stay vigilant and regularly monitor your WordPress site for any potential vulnerabilities or signs of compromise.

Recent Posts