How to Stop WordPress Brute Force Attacks


Do you want to stop brute-force attacks on your WordPress site? These attacks slow your website down or make it unreachable, and a successful one hands the attacker a valid password, and with it the ability to install malware. In this article we show how to protect your WordPress site against them.

What is a WordPress brute-force attack?

A brute-force attack is a trial-and-error approach to gaining access to a website, network, or computer system. Attackers use automated tools to send a large number of login requests to the target, each one trying a different guess for the secret required, such as a password or PIN; in practice the guesses come from lists of common passwords and of credentials leaked from other sites rather than from random strings. These tools often spread their requests across many IP addresses and locations, which makes them harder for the targeted system to detect and block.

If a brute-force attempt succeeds, the attacker has access to your website's admin area: they can plant backdoors, implant malware, steal user data, and wipe everything. Even unsuccessful attacks cause damage, because the flood of requests to wp-login.php (and to xmlrpc.php, which also accepts credentials) puts load on your WordPress hosting server, slowing it down or even crashing it.

With that in mind, let’s look at how to defend your WordPress site against brute force attacks.

Steps to protect your WordPress website against brute-force attacks

Use strong login credentials


Your credentials are the keys to your WordPress site. Use a unique, strong password for every account, and avoid predictable usernames such as admin, administrator, or the site's name, which are the first ones attack tools try. A strong password is above all long (a generated one of 16 or more characters) and mixes letters, numbers, and special characters; length matters more than the character mix. Use strong passwords not only for your WordPress user accounts but also for FTP/SFTP, your web hosting control panel, and the WordPress database.

Most newcomers wonder how they will remember all of these different passwords. You don't have to: a password manager generates random passwords, stores them securely, and fills them in for you automatically.

Hide WordPress login page


Hide your website's login page. The default login URLs of a WordPress site are well known: /wp-login.php, plus /wp-admin, /login and /admin, which redirect to it. Because every WordPress site uses the same URLs, automated tools never need to look for them. If you move the login page to a custom URL (several plugins do this), most automated attacks get a 404 and move on to the next target. Keep in mind that this is obscurity, not authentication: a determined attacker can still discover the new URL, and login endpoints that do not go through the login page, in particular xmlrpc.php, which accepts a username and password over the XML-RPC API, stay reachable unless you disable or restrict them. Treat hiding the login page as a way to cut noise, and combine it with the measures below.

Two-factor Authentication

Adding two-factor authentication (2FA) to your WordPress login screen offers an extra layer of protection. Besides their username and password, users must enter a one-time passcode, typically generated by an authenticator app on their phone (time-based codes, TOTP) or delivered over another channel.

Even if attackers guess or steal your WordPress password, they still cannot log in without the second factor. Several plugins add 2FA to WordPress; the time-based variant works offline because the phone and the server compute the same code from a shared secret and the current time.

Limit login attempts

Limiting the number of login attempts an IP address may make is another way to defend the login page against brute-force attacks; out of the box, WordPress allows unlimited attempts. Limit Login Attempts and Loginizer are two popular plugins for this purpose; both lock an IP address out for a period after a configurable number of failures in a short time. Apply the limit to xmlrpc.php as well, and remember that an attacker rotating through many IP addresses (see above) dilutes any per-IP limit, which is why strong passwords and 2FA remain essential. If you manage your own server, you can also do the blocking outside WordPress, at the web server or firewall, for example with fail2ban watching the access log.
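What such a limit looks like when done from the web server's access log rather than inside WordPress, as an added example that is not code from either plugin: the script parses combined-format log lines, counts POSTs to the login endpoints per IP over a sliding window, and emits an Apache 2.4 deny block for the offenders. The log lines are constructed for the example (one real user and one attacker), and the thresholds are assumptions to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format, for example:
# 203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept a WordPress username and password. xmlrpc.php is included because
# it takes credentials too and is often left reachable after the login page is hidden.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log: one real user (203.0.113.7) and one automated attacker (198.51.100.23).
# A failed WordPress login returns 200 (form re-rendered); a successful one redirects with 302,
# so we count attempts rather than relying on the status code.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:15 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4215 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... and similar
        "status": int(m["status"]),
    }


def find_brute_forcers(lines, max_attempts=5, window_seconds=60):
    """Sliding-window count of POSTs to login endpoints per IP.
    Returns {ip: timestamp at which the limit was first exceeded}."""
    recent = defaultdict(deque)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:      # expire attempts older than the window
            q.popleft()
        if len(q) > max_attempts and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def apache_deny_block(flagged):
    """Apache 2.4 snippet that blocks the flagged IPs; <RequireAll> lets the negations compose."""
    rules = "".join(f"    Require not ip {ip}\n" for ip in sorted(flagged))
    return "<RequireAll>\n    Require all granted\n" + rules + "</RequireAll>"


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}")
    print(apache_deny_block(hits))
```

In production you would feed the flagged addresses to fail2ban or the firewall rather than editing .htaccess by hand, and the window and threshold need care: too tight and a user behind a shared office or mobile-carrier address gets locked out along with everyone else behind it.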

Implement HTTP authentication

HTTP authentication adds another layer in front of your WordPress login page: the web server itself asks for a username and password before it even serves wp-login.php, so an attacker has to get through a second, independent credential before they can try a single WordPress password.

When you visit a page protected by HTTP (Basic) authentication, the browser shows a sign-in box asking for credentials. Keep this HTTP credential different from your WordPress login credential. You can set it up at the web-server level (on Apache, a .htaccess file pointing at a password file created with htpasswd) or with a plugin such as HTTP Auth, which prompts you to create the credential during setup; either way, the login page cannot be reached without it. Three caveats: Basic authentication sends the credential base64-encoded, not encrypted, so your site must be served over HTTPS; the prompt itself can be brute-forced, so it is another thing to rate-limit; and protect wp-login.php rather than the whole wp-admin directory, because admin-ajax.php inside wp-admin is used by plugins on the public front end and would break.
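The web-server-level version of this, as an added example of the Apache 2.4 configuration rather than anything from the HTTP Auth plugin; the password-file path and the username are assumptions:

```apache
# .htaccess in the WordPress root directory, Apache 2.4 (added example, not from the plugin).
# Create the password file first, outside the document root so it can never be downloaded:
#   htpasswd -B -c /etc/apache2/wp-login.htpasswd yourname      (-B = bcrypt)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/wp-login.htpasswd
    Require valid-user
</Files>

# xmlrpc.php also accepts a username and password. Deny it if nothing you use needs it
# (Jetpack and the WordPress mobile apps, for example, do); otherwise protect it the same way.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

After saving it, request /wp-login.php in a private browser window: you should get the browser's sign-in box (HTTP 401) before the WordPress form, and a request to /xmlrpc.php should return 403.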

Disable PHP File Execution in Specific WordPress Folders


Attackers who manage to get a PHP script into one of your WordPress directories want to run it. Because WordPress itself is written in PHP, you cannot disable PHP execution across all folders. Some folders, however, should never need to execute PHP, the most important being the uploads folder, /wp-content/uploads, where WordPress stores files uploaded through the media library.

Disabling PHP execution there is safe and removes a favourite hiding place for backdoor scripts. Open a text editor on your computer, such as Notepad, and paste the following (Apache 2.4 syntax; it refuses to serve any file with a PHP extension in the directory, so the server never executes it):

# Refuse to serve, and therefore to execute, any PHP file in this directory (Apache 2.4)
<FilesMatch "\.(php|php[0-9]|phtml)$">
    Require all denied
</FilesMatch>

Save this file as .htaccess and upload it to your website's /wp-content/uploads/ directory using an FTP client. Two things to check: the rule only works if your site runs on Apache and your host allows .htaccess overrides (on the old Apache 2.2 the equivalent directive was "deny from all"), and nginx ignores .htaccess files altogether, so there you need an equivalent location rule in the server configuration. Test it by placing a harmless test.php in the uploads folder over FTP and confirming that requesting it in the browser returns 403 rather than running.

Install WordPress Updates

Some attack campaigns do not guess passwords at all but target known vulnerabilities in older WordPress versions, popular plugins, or themes. WordPress core and most popular plugins are open source, and vulnerabilities are fixed in updates, usually soon after they are disclosed. If you do not install updates, your website stays exposed to attacks for which a fix already exists.

To check for available updates, navigate to the Dashboard » Updates page in the WordPress admin area. This page lists all WordPress core, plugin, and theme updates. WordPress can also apply plugin and theme updates automatically (the Plugins and Themes pages have an auto-update toggle), which closes the window between a fix being released and your site getting it.

Final Thoughts

Brute-force attacks are among the most common attacks on WordPress sites, and they have a high success rate because site owners often use weak or reused credentials.

If you follow the methods outlined in this post, you will make it far harder for attackers to brute-force their way into your website.

However, brute force is only one of the many kinds of attack used against WordPress sites, so we recommend securing your site not only against brute-force attacks but against other types of attack as well.


If you use one of our managed cloud VPS hosting plans, you can always ask our system administrators to secure your WordPress website, free of charge. They are available 24/7/365. Please share this article with your friends on social media, or if you have a question regarding this article, please comment below.
