How to Protect WordPress From Brute Force Attacks


WordPress is one of the most popular platforms for creating blogs and websites, and there are now millions of WordPress-based websites on the Internet. So, hackers always try to find different ways to hack WordPress-based websites. Back in 2012, a botnet was found that used brute force attacks on WordPress and Joomla websites. The botnet contained more than 90,000 different IP addresses, so it was hard to protect a WordPress website only by blocking login attempts. After that, there were several other attempts from hackers to attack WordPress blogs using brute force attacks.

Hackers use brute force attacks to crack login passwords. But a brute force attack can also take your website down if the server is weak. If you are a WordPress user, you should always try to keep your blog safe. Adding protection against brute force attacks on the login form is a must. In this post, I am listing a few ways to protect your WordPress-based website from brute force attacks.


Protect WordPress From Brute Force Attacks

In this article, I will tell you several ways to protect a WordPress website from brute force attacks.

Hide WordPress Login Page

One of the most notable ways is to hide the login area. Most brute force botnets use automated ways to find the WordPress login URL. If you stop using the default one, it will be hard for them to find which URL to brute force. Here are the default WordPress login pages.

  • /wp-login.php
  • /login
  • /wp-admin
  • /admin

WPS Hide Login (Free) and Malcare (Paid) are some plugins that can be used to protect login pages.

Stop Using username “admin”

This is the most common mistake WordPress users make. They use common usernames such as admin, administrator, root, or the website name. Websites with these usernames are the most likely to be hacked. Automated scripts search for login pages and start attacking with the default admin username. If you are using admin as your username, change it now.

Implement 2-factor Authentication

Just like in many mobile apps and websites, you can also add 2-factor authentication to your WordPress blog as an extra layer of security. To add 2-factor authentication to your blog, you can either use a Two-Factor plugin to get an email-based authentication code or a Google Authenticator plugin for Google Authenticator-based OTP login.

Use Cloud-based Security

There are some cloud-based security services that protect websites from brute force attacks and botnets. These solutions offer website antivirus and firewalls to keep your websites safe from hackers. Sucuri is the most popular and recommended. Cloudflare also provides a web application firewall in the Pro plan.

Use Strong Password

This is another common mistake users make. Never use a weak, short, and easy-to-guess password. A strong password contains upper case letters, lower case letters, numbers, and special characters. Password length must also be more than 10 characters. In a brute force attack, attackers try all common passwords, so having an easy-to-guess password is risky. If you cannot remember hard passwords, start using a password manager. But never compromise on password strength.

Limit Login attempts

You should also limit the number of login attempts. If a person enters the wrong password multiple times and exceeds the allowed number of login attempts, the IP will be blocked. Anyone from that IP will not be able to use the login form for the next few hours. Limiting login attempts works well if someone is trying from a single IP, but it fails if a botnet is using thousands of IP addresses to perform a brute force attack. Still, you need to implement it. Read how to limit login attempts in WordPress.
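The single-IP versus botnet limitation described above, as an added example that is not part of the original article: a Python sketch that reads web-server access-log lines, applies a per-IP limit, and also keeps a site-wide failure count that still fires when every address stays under the per-IP limit. The thresholds, the function names, and the sample log lines are assumptions made for this example, and it relies on default WordPress behaviour where a failed login POST returns 200 and a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Failed WordPress logins re-render the form (HTTP 200); successful ones redirect (302).
LOGIN_POST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(minutes=5)
PER_IP_LIMIT = 5   # assumed: failures allowed per IP per window
SITE_LIMIT = 20    # assumed: failures allowed site-wide per window

def failed_logins(lines):
    """Yield (timestamp, ip) for each failed login POST in combined-format log lines."""
    for line in lines:
        m = LOGIN_POST.match(line)
        if m and m["status"] == "200":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def analyse(lines):
    """Return (IPs over the per-IP limit, whether the site-wide limit was exceeded)."""
    per_ip, site = defaultdict(deque), deque()
    blocked, site_alert = set(), False
    for ts, ip in failed_logins(lines):
        for window in (per_ip[ip], site):
            window.append(ts)
            while window[0] < ts - WINDOW:   # drop events older than the window
                window.popleft()
        if len(per_ip[ip]) > PER_IP_LIMIT:
            blocked.add(ip)
        if len(site) > SITE_LIMIT:
            site_alert = True
    return blocked, site_alert

def constructed_log(ips, status=200):
    """Constructed sample data: one login POST per entry in `ips`, two seconds apart."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, ip in enumerate(ips):
        ts = (t0 + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 4523 "-" "-"')
    return lines

if __name__ == "__main__":
    single = constructed_log(["203.0.113.7"] * 8)                        # one noisy IP
    botnet = constructed_log([f"198.51.100.{i}" for i in range(1, 61)])  # 60 IPs, one try each
    print("single IP:", analyse(single))
    print("botnet:   ", analyse(botnet))
```

With the constructed data, the single noisy address is blocked by the per-IP rule, while the 60-address run blocks nobody and is only visible through the site-wide counter.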

Password Protect WP-Admin

This is also a nice way to keep hackers away from your website. For this, you can either use the .htpasswd file method or cPanel. If you want to use the .htpasswd method, try this generator. If you are planning to do it with cPanel, log in to cPanel and see the security section.

Use Some popular security plugins

There are some nice WordPress security plugins available that can help you secure your WordPress site. These plugins are Wordfence Security, BulletProof Security, and Better WP Security. They protect WordPress from different kinds of vulnerabilities and attacks.

Backup your Website

Lastly, keep a backup of your website. Although we have added many things to protect WordPress, there is still a possibility that your website gets hacked. In case your website has been hacked, you can restore it from a backup.

Wrap Up

You should do everything you can to prevent hackers from hacking your WordPress site. You never know when you may become a victim of hackers. So, try all the steps mentioned above to protect your WordPress website. Never compromise on the safety and security of your website. Even if you follow all these ways to keep your website safe, you should still take regular backups of your blog.


Deepanker Verma is an experienced WordPress developer who has been working on WordPress for more than 12 years. On TheWPGuides, he writes about WordPress, WordPress development, and WordPress plugins.


© 2022 The WP Guides Developed By Deepanker