
Introduction
Today I am going to talk about WordPress security. Recently I have been busy fixing hacked WordPress sites, so let me talk about brute force attacks. Brute force attacks are one of the most common threats to WordPress websites. These attacks involve hackers systematically guessing usernames and passwords until they gain access. Since WordPress powers over 40% of websites on the internet, it's a prime target for cybercriminals. A single successful brute force attack can lead to stolen data, site defacement, or complete takeover.
To protect your WordPress site, you need a solid security strategy. I'll cover what brute force attacks are, how they work, and the best methods to prevent them.
1. What is a Brute Force Attack?
A. How Brute Force Attacks Work
- Attackers use automated bots to repeatedly guess username-password combinations.
- They exploit weak passwords and common login credentials.
- The attack continues until they successfully log in or get blocked.
B. Types of Brute Force Attacks
- Simple Brute Force Attack: Tries every possible password combination.
- Dictionary Attack: Uses a list of common passwords (e.g., "password123", "admin", "123456").
- Reverse Brute Force Attack: Uses a single password against many usernames.
- Credential Stuffing: Uses leaked username-password pairs from data breaches.
I recommend password managers like LastPass. The reason is that I can set a 25-character password, and it's different for every site.
C. Why WordPress is a Target
- WordPress's popularity makes it attractive to hackers.
- Many users fail to update passwords or security settings.
- Default login pages (e.g., /wp-login.php) are easy to find. Try setting your login page to a childhood memory or something you can remember but no one else will guess.
2. Signs Your WordPress Site is Under a Brute Force Attack
A. Increased Login Attempts
- Multiple failed login attempts from different IPs.
- Unusual spikes in server resource usage.
B. Locked Out of WordPress Admin
- If hackers guess your password, you might be locked out of your own site.
- Unusual new admin accounts may appear.
C. Server Slowdowns or Downtime
- Continuous login attempts can slow down or crash your site.
- High CPU usage in your hosting dashboard could be a red flag.
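As an added example that is not part of the original post, the PHP script below turns the first sign above, repeated login POSTs from one address or spread across many, into a check you can run against your own access log with php scan.php; the function name find_login_floods is my own, and the log lines it contains are constructed samples.

```php
<?php
// Added example, not from the original post: scan a combined-format (Apache/Nginx)
// access log for the brute force signs above. The log lines here are constructed samples.
$sample_log = <<<'LOG'
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Mar/2025:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
LOG;

// Per-source counts of POSTs to the login endpoints: wp-login.php and xmlrpc.php,
// which also accepts credentials. Sources at or over $threshold are returned as flagged.
function find_login_floods( string $log, int $threshold ): array {
    $line_re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    $per_ip  = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $line_re, $line, $m ) ) {
            continue; // skip malformed lines instead of aborting the scan
        }
        [ , $ip, $when, $method, $path, $status ] = $m;
        if ( $method !== 'POST' || ! preg_match( '#^/(wp-login|xmlrpc)\.php#', $path ) ) {
            continue;
        }
        $per_ip[ $ip ]['count'] = ( $per_ip[ $ip ]['count'] ?? 0 ) + 1;
        $per_ip[ $ip ]['last']  = $when;
        // wp-login.php answers a failed attempt with 200 (the form again) and a
        // successful one with a 302 redirect, so a redirect among many 200s from
        // one source is the sign that a guess finally worked.
        $per_ip[ $ip ]['redirects'] = ( $per_ip[ $ip ]['redirects'] ?? 0 ) + ( $status === '302' ? 1 : 0 );
    }
    $flagged = array_filter( $per_ip, fn ( $s ) => $s['count'] >= $threshold );
    ksort( $flagged );
    // Many sources with a few attempts each is the distributed pattern that per-IP
    // lockouts miss, so the number of distinct sources is reported as well.
    return [ 'flagged' => $flagged, 'distinct_sources' => count( $per_ip ) ];
}

$report = find_login_floods( $sample_log, 3 );
foreach ( $report['flagged'] as $ip => $s ) {
    printf( "%s: %d login POSTs, %d redirects, last at %s\n", $ip, $s['count'], $s['redirects'], $s['last'] );
}
printf( "%d distinct sources hit the login endpoints\n", $report['distinct_sources'] );
```

On the samples only 203.0.113.10 is flagged, while the two xmlrpc.php sources with one attempt each show why the distinct-source count matters. To scan a real log, replace the nowdoc with file_get_contents() of your access log.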
3. How to Prevent Brute Force Attacks on WordPress
A. Strengthen Your Login Credentials
- Use long, complex passwords with letters, numbers, and symbols.
- Avoid common usernames like "admin" or "webmaster".
- Consider using passphrases instead of traditional passwords.
B. Enable Two-Factor Authentication (2FA)
- Requires a second verification step (e.g., SMS or authenticator app).
- Even if attackers guess your password, they can't log in without the second factor.
- Plugins like Google Authenticator, Authy, or Wordfence Login Security can help.
I cannot stress this enough. Yes, it's a pain to enter these codes every time you want to log in, but it will save you tons of grief down the road, so it's well worth it.
C. Limit Login Attempts
- Install security plugins like Limit Login Attempts Reloaded or WP Cerber.
- Restrict failed login attempts to 3-5 per IP before temporary lockout.
- Helps prevent bots from repeatedly trying passwords.
I have it set to 2. You get 2 attempts before you are permanently banned.
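For anyone who would rather not add a plugin for this, here is an added example (my own code, not the post's and not from the plugins named above): a must-use plugin that counts failed logins per address in WordPress transients and refuses further attempts once the limit is reached. It assumes WordPress 5.4 or newer on PHP 7+ and that REMOTE_ADDR is the real client address; the ll_ names are mine.

```php
<?php
/*
 * Plugin Name: Minimal Login Lockout (added example)
 * Save as wp-content/mu-plugins/login-lockout.php so WordPress loads it on every request.
 * Assumes WordPress 5.4+ (PHP 7+) and that REMOTE_ADDR is the real client address; behind
 * a proxy or CDN it is the proxy's address, and this code would lock everyone out at once.
 */

// 2 attempts matches the setting described above; the lockout length is a chosen
// value, and every further failure during a lockout extends it.
define( 'LL_MAX_ATTEMPTS', 2 );
define( 'LL_LOCKOUT_SECONDS', 24 * HOUR_IN_SECONDS );

function ll_client_ip() {
    // REMOTE_ADDR only: never base a security decision on client-supplied headers.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function ll_key( $ip ) {
    // Transient names have a length limit, so store under a hash of the address.
    return 'll_fail_' . md5( $ip );
}

// Every failed login: bump the per-address counter and leave a reviewable trail in
// the PHP error log (the "review failed login attempts" habit from section 5).
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = ll_client_ip();
    $count = (int) get_transient( ll_key( $ip ) ) + 1;
    set_transient( ll_key( $ip ), $count, LL_LOCKOUT_SECONDS );
    error_log( sprintf( 'wp-login failure #%d from %s for user "%s"', $count, $ip, $username ) );
} );

// Priority 30 runs after WordPress has checked the credentials, so while the address
// is locked out even a correct guess is replaced by an error and never logs in.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ll_key( ll_client_ip() ) ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error( 'll_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ll_key( ll_client_ip() ) );
}, 10, 2 );
```

Because wp_authenticate() is also used by XML-RPC logins, the same counter covers that route. Per-address counters do nothing against an attack spread over many IPs, which is exactly the "different IPs" sign from section 2, so pair this with 2FA rather than relying on it alone.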
D. Change the Default Login URL
- Move the WordPress login page from /wp-admin or /wp-login.php.
- Plugins like WPS Hide Login or iThemes Security can do this.
- Prevents automated bots from easily finding the login page.
If you are like me and dislike the bloat plugins add, here is how to code it yourself.
- Add these constants to wp-config.php, above the "That's all, stop editing!" line:
// Folder name for the new admin path; the same value must appear in the .htaccess rule below.
define('WP_ADMIN_DIR', 'secret-folder');
// Scope the admin auth cookie to the new path instead of /wp-admin.
define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
- Add this filter to your theme's functions.php:
// Rewrite the wp-admin segment of every generated admin URL to the new folder name.
add_filter('site_url', 'wpadmin_filter', 10, 3);
function wpadmin_filter($url, $path, $orig_scheme) {
    $old = array('/(wp-admin)/');
    $new = array(WP_ADMIN_DIR);
    return preg_replace($old, $new, $url, 1);
}
- Add this line to your .htaccess file, outside the "# BEGIN WordPress" / "# END WordPress" block (WordPress rewrites that block whenever permalinks are saved) and after a RewriteEngine On directive:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Easy, huh? Just replace secret-folder with anything you want. Remember that secret-folder is listed twice, once in wp-config.php and once in .htaccess; the two must match in order to work. Two caveats: the ADMIN_COOKIE_PATH line depends on SITECOOKIEPATH being available when wp-config.php runs, so if PHP reports an undefined constant there, use the literal cookie path instead (for a site at the domain root, '/secret-folder'). And the rewrite only adds an alias, so /wp-login.php still accepts POSTed credentials; treat the hidden path as one layer on top of strong passwords, 2FA and login limits, not as a replacement for them.
E. Use a CAPTCHA on Login Pages
- Google reCAPTCHA blocks bot traffic while allowing real users.
- Protects against automated brute force attacks.
- Popular plugins: reCaptcha by BestWebSoft, hCaptcha, and Login No Captcha reCAPTCHA.
F. Implement IP Blacklisting & Geoblocking
- Block known malicious IP addresses using Wordfence or Sucuri.
- Restrict access from countries where you don't expect login attempts.
- Works well for local businesses that don't need global access.
G. Enable Multi-User Role Restrictions
- Give users only necessary permissions (avoid giving admin access to everyone).
- Require strong passwords for all accounts, not just admins.
- Use security monitoring tools to track suspicious user activity.
H. Install a WordPress Security Plugin
- Plugins like Wordfence, Sucuri Security, iThemes Security, and MalCare provide multiple layers of protection.
- Features include firewalls, malware scanning, and brute force prevention.
I. Secure Your Hosting & Server
- Use managed WordPress hosting with built-in security (e.g., Kinsta, WP Engine, SiteGround).
- Regularly update PHP versions and use SSL encryption.
- Set up a web application firewall (WAF) to filter bad traffic.
4. How to Recover from a Brute Force Attack
A. Regain Admin Access
- If locked out, reset the password via phpMyAdmin or FTP.
- Check for new suspicious admin users and remove them.
B. Restore a Clean Backup
- If hackers gained access, restore your website from a recent backup.
- Ensure backups are stored offsite or on cloud services.
- Popular backup plugins: UpdraftPlus, Jetpack Backup, BlogVault.
C. Scan for Malware & Remove Suspicious Files
- Use security plugins to scan for injected malicious code.
- Delete unknown scripts from wp-content/uploads, themes, and plugins.
- If unsure, consult a WordPress security expert.
5. Long-Term WordPress Security Best Practices
A. Keep WordPress Core, Plugins & Themes Updated
- Regular updates fix vulnerabilities that hackers exploit.
- Enable auto-updates for security patches when possible.
B. Use a Firewall & DDoS Protection
- Web Application Firewalls (WAF) block malicious traffic before it reaches your site.
- Cloudflare and Sucuri offer real-time threat monitoring and DDoS protection.
C. Schedule Regular Security Audits
- Perform security scans weekly or monthly.
- Review login activity and failed login attempts.
- Identify vulnerabilities before attackers exploit them.
- Buy my website maintenance package and let me deal with it.
Final Thoughts
Brute force attacks remain a major cybersecurity threat, but proactive security measures can significantly reduce risks. By strengthening login credentials, enabling 2FA, limiting login attempts, and using security plugins, you can keep your WordPress site safe from hackers.
Cyber threats are constantly evolving, so maintaining a strong security posture is essential. Start implementing these security strategies today to safeguard your WordPress site from brute force attacks!