How to Protect from WordPress Brute Force Attacks (Best Practices)

How to Protect from WordPress Brute Force Attacks (Best Practices). Nowadays, preventing a website has become more troublesome than building one. If you have a WordPress site, your attack probability is high because of its popularity. Nearly 16.1% of the WordPress security issues are because of Brute Force Attacks. Is this your first time hearing about Brute Force Attacks? Looking to know more about them, you’re in the right place. In this article, I will explain what a Brute Force Attack is and how to prevent them from your WordPress site.

Let’s continue with How to Protect from WordPress Brute Force Attacks (Best Practices).

If you are already aware of brute force attack and how it works, you can directly skip to the later part, where I discuss the ways to prevent them. Now without further ado, let’s get started.

What is a Brute Force Attack?

Brute Force Attack is a cyber attack where the attacker tries to access your site or find your account credentials. The attacker tries different usernames and passwords in sequential order until he finds the right one. It is an old and simple yet effective way of hacking. The first brute force attack can be traced back to 1977. It is a trial and error method, where the bot or automation software tries hundred of variations per second. Like continuously banging the door until it bursts open.

How does It Affect Your Business?

The tricky thing about brute force attacks is that it affects your business or site whether the attack was successful or not. Here is how it affects your business –

  • If the attack was a success –  The attacker gets access to your site. Thus your site is no more yours. High Damage – he can run malicious software, steal your customer data, scam your customers, and so on.
  • If the attack was a failure – The continuous login request from the attackers will consume your website resources and slow down your site. This will lead to performance issues and reputation among the users.

Types Of Brute Force Attacks:

There are many types of brute force attacks.  In WordPress, we can classify them into three types as follow.

i) Vertical Brute Force Attack 

Here attacker or a malicious user will make multiple login attempts with different credentials on a single website. In a distributed vertical brute force attack, each attacker will target a single site and make multiple attempts. Both types of vertical attacks are easy to detect and block

i) Vertical Brute Force Attack 

In Horizontal cases, instead of multiple attempts by a single user on a single site, the attacker use brute force against more than one site, as one attempt per site. Makes the horizontal Brute force attack hard to detect. Because in a distributed Horizontal brute force attack,  multiple users make single attempts against one website.

iii) Botnet Attacks 

A botnet is nothing but an automated brute force attack. It means hundreds or thousands of login combinations per second. Botnets attacks require more resources to execute, but it’s one of the effective brute forcing ways.  So Botnets can be both horizontal and vertical.

How Is WordPress Vulnerable To Brute Force Attack?

As an open source Content Management Software (CMS) WordPress’s source code and operations are open to the public. Truth is that WordPress Vulnerabilities are universal and apply to every site that uses WordPress. As for brute force attacks, WordPress comes with the following security flaws:

  • By default, WordPress doesn’t limit the number of login attempts.
  • Old WordPress versions don’t notify you of new login. 
  • WordPress uses ‘admin’ as the default username. That is an easy hack. 
  • Login Url or page is always the same.
  • It doesn’t have installed firewall protection. 

So How to Protect from WordPress Brute Force Attacks? Our Best Practices below.

How To Protect Your WordPress Site From Brute Force Attacks?

Firstly Brute force attacks take advantage of the weak website security instead of focusing on the vulnerabilities of your software. You can protect your WordPress from Brute Force attacks by following these security tips.

1. Strong And Unique Credentials

As a brute force attack is a trial and error method, using strong and unique passwords is the best way to protect your site. Having 123456 as a password is like giving your site to the attacker. The username and password should be complex and hard to find or match by any sequential search.  81% of the internet hacks occur because of weak or stolen passwords. Here are some things you should follow while creating strong credentials for your WordPress or eCommerce store.

  • Change your default username from Admin.
  • Use numbers, words, capital letters, and special characters (symbols) in your password. 
  • The passwords should be minimum of 6 -15 characters in length. 
  • Don’t use your name, phone number, or anything related to you as a password.
  • Avoid using a word from a dictionary in any language. 
  • Don’t use the same password for multiple sites.

You can use password generation plugins and password manager apps that securely store and automatically fill your passwords.

2. Limit Number of Login Attempts

Even if you have a strong password, it can be found by continuous brute force attacks. And brute force attack can also consume a large among of your site resources and affect your site performance. This is when WordPress login attempts limiting plugin help you. The user will be temporarily blocked after limited attempts (generally 3). You can set less or high lockout time as per your wish. After the lockout time, the user can try again. Using a Captcha or ReCaptcha can also protect your site from Botnet attacks.

You can limit WordPress login using the plugin, Limit Login Attempts Reloaded, above video, explains the steps in detail. 

3. Implement Two Factor Authentication

Two Factor Authentication is an additional security layer that protects you from losing your website. There are two versions of Two Factor Authentication – security questions and OTP or Code sent to your mobile phone or emails. It is better to use the second method as they don’t fall victim to trial and error. Thus a hacker will need the unique automatically generated code sent to your phone to access your site even though he found the passwords.

You can try Google Authenticator to add Two Factor verifications to your website. Two Factor is also an amazing plugin that provides 2FA for WP administrators, contributors, etc.

4. Protect WordPress Admin Directory

You can also enable password protection for the WordPress Admin Directory as another layer of protection. Most hackers try to access the admin dashboard because it’s where you publish your posts and manage your website. The below YouTube video guides you on how to protect your admin directory in WordPress.

If the hosting platform uses cPanel, you can password protect your admin directory using the hosting dashboard. You can also manually do it,  using a .htpasswd file and a new .htaccess file.

5. Disable Directory Browsing

When a user visits a website, the site server delivers an index file to the visitor browser. But if the browser or server can access the index file, the visitor can see the files directory of the website. The below screenshot shows an example of directory browsing- 

The attackers can use this information to know your site plugins and elements you’re using in your site and plan a brute force attack. You can fix this by adding the following code at the bottom of your WordPress .htaccess file using an FTP Client

					Options -Indexes


Here are the steps to disable directory browsing:

  1. Download the .htacccess file using an FTP client or Site hosting Control Panel.
  2. Open the file using notepad and paste the above code at bottom of the existing script. That is, below # END WordPress
  3. Now save the file and upload it to the WordPress site. Now your site directory is not visible in public.

6. Disable PHP File Execution

Some directories of WordPress are editable and writable. Well  it assists the developer in adding new themes or uploading new features. However, hackers may misuse this to access the backdoor of your site. To avoid it, you should disable PHP file execution on your website.

As WordPress has originally written on PHP, you can not disable it. However, you can disable PHP execution in certain folders. Especially the upload folder is a common place for hackers to hide malware or attacks.

deny from all


It’s simple to disable PHP File Execution. Copy the above code and save it as a .htaccess file, then upload it to the uploads folder on your website using the FTP client.

7. Install Firewall Protection

Limited login attempts will block only the particular IP address. Remember brute force attacks can still use your resources from other IPs. Attackers can use VPN or multiple bots to access your site. 39% of website traffics is from bots. You can’t block all the bots because there are good and bad bots. Firewall protection can help you to detect and block bad bots and malicious IPs. A firewall protects your site against brute force attacks and also from any other form of cyber attack.

8. Install Security Plugins

There are many security plugins available for WordPress (both free and paid). If you’re serious about your website, it is better to have a reliable security plugin. With security plugins they provide additional barrier to your website against brute force attacks, DDoS attacks, Phishing attacks, Malware, and any other known WordPress vulnerabilities.

Some security plugins for you are Wordfence and Sucuri if you need firewall protection. Sucuri comes with firewall protection but is not free. And All In One WP Security and Firewall is free and has additional security features. Consider our WordPress Security Plugin for SSO

9. Secure Your User Accounts

Another important thing most site owners don’t do is, manage their users, writers, editors’ accounts, etc. Though most times admin account is the major target of the attackers still, other users’ accounts are not safe.  By getting access to your editor and writer accounts, the attackers install new plugins or scam your customers in your name. 

So it is your duty as the site owner to ask the other users to create strong and unique login credentials. And you should delete unused or old accounts of your users so that hackers wouldn’t take advantage of them. Here is the best cloud security plugin to secure your user’s account. 

10. Update and Backup your WordPress site

General security tip to be safe online is always to keep your software up-to-date. As per stats, over a quarter of WordPress users are at risk of using an old version (4.9). Updating your WordPress alone is not enough. You should also use the latest version of plugins, themes any other third party software you use. There is an option to set WordPress to automatic update saving lots of time. You can also use a few plugins that check and update your themes, third party tools, extensions, etc.

The next best thing to do is to have a site back up. Because no protection or security is impenetrable, it is best to have your WordPress site backed up. Restoring your site quickly as possible saves you a lot of data loss and reputation loss. The best way is to back up your WordPress site in any cloud Storage platform like Google Drive, One Drive, etc. Once you restore your website, make sure to fix the loophole in your site. Many security plugins restore and fix your website.

Other Alternatives For Protecting WordPress

Alright, now you know what a brute force attack is and how to protect your WordPress site from it. Now, I just want to share some alternatives and things you should notice while protecting your WordPress site against brute force attacks.

1.Many people recommend you use a delay strategy to prevent from brute force attack.  That is, increasing the sleep time between each wrong attempt. However, this function can slow your server. 

2. Password protecting the admin directory (discussed in point 4) can sometimes affect the dynamic aspect of your website. But not everything, so check whether it involves any dynamic aspect or design of your website before adopting it. 

3. Another highly recommended prevention method is hiding or changing the login URL. However, it comes with a high risk. If you lose the new login link, it is nearly impossible to recover your site. 

4. Disable XML – RPC in your WordPress site. Originally it was an alternative way to access your admin dashboard, but it’s not active in many themes or plugins. So it is better if you disable it.  The easy way to do it is by downloading and activating the disable XML – RPC plugin from WordPress plugins.  

WordPress WP SAML Single Sign On -SSO Security Plugin

You should Improve your WordPress site security even further  with our WordPress SSO plugin. 

Thank you for reading How to Protect from WordPress Brute Force Attacks (Best Practices).

How to Protect from WordPress Brute Force Attacks (Best Practices) Conclusion

Never underestimate brute force attacks or your need for security. Though WordPress is the leading platform to start your business, it still has various vulnerabilities. It is better to prevent than cure. I hope this article has helped you to fix your site problems. If you want to know more about other WordPress vulnerabilities and ways to fix them, please leave your doubts and questions in the comment section below.

Also check out more WordPress content here

Avatar for Bala V M
Bala V M

I am a self-motivated Article writer who wishes to share my knowledge with others on Linux, WordPress and Windows security. I have been working in Technical Server Niche for the past two years.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x