
How to: Prevent Bruteforce Login Attacks on Your WordPress Installation

Last Updated on June 12th, 2020

Published on December 16th, 2014


We recently suffered a brute force login attack on one of my servers, which was causing some sites to be unreachable and the server load was sky-high. After installing a logging script on the server we found out that the problem was caused on one installation of WordPress – hackers were using a script to try and guess the password of the admin account. After identifying the problem we were able to prevent this from continuing, but not before some downtime to various websites resulting in a loss of income for my company.

In this post I’m going to talk you through a few methods to prevent this so the same doesn’t happen to you.

Change Admin Username

This is mentioned all the time, but it really is an important step: don’t use “admin” as your admin username; pick something unique for each site. This was the cause of the problem with my site: the admin username was admin, and that was the main reason the attack worked. Because the hacker knows the username is admin, they are half-way to having the login details and can use a brute-force script to try many different passwords in combination with that username. If the username is something they don’t know, this type of attack is not really possible.

Using .htaccess

If you are on Apache-based PHP hosting, which most WordPress installations are, you can use a .htpasswd file together with .htaccess to stop anyone even loading your wp-login.php file unless they know an extra username and password. This provides an additional layer of security, as there are now two sets of credentials between an attacker and your WordPress admin area. It is fairly simple to set up; you will need to know the server path to your website, which will be something like: home/website

First you need to generate a .htpasswd file; you can do that on this site (or, if you have shell access, with Apache’s own htpasswd command-line tool). Enter a username, click “Generate Password”, then click “Generate htpassword content” and save the text from the right-hand box as a file named .htpasswd (with no extension). Upload this to your hosting, outside the public_html directory.


Now add the following to your .htaccess file, pointing it at the location of your .htpasswd file:

# Stop Apache from serving .ht* files (so nobody can download .htpasswd or .htaccess)
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Protect wp-login.php with HTTP Basic authentication
<Files wp-login.php>
    AuthUserFile /home/website/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require user mysecretuser
</Files>

Change “/home/website/.htpasswd” to the absolute server path of your .htpasswd file (Apache does not expand “~”, and a relative path is taken relative to the server root, not your account) and change “mysecretuser” to the username you chose when creating the htpasswd file. On Apache 2.4 the equivalent of “Order allow,deny” plus “Deny from all” is the single line “Require all denied”.


Limit Access to Your Admin Area by IP Address

If you are the only person who needs access to your WordPress admin area and you have a static IP address, you can limit access to yourself alone by adding a rule to an .htaccess file inside your wp-admin directory. Bear in mind that wp-admin/admin-ajax.php is also called by some themes and plugins on behalf of ordinary visitors, so check the public side of your site still works after adding the rule. The code to use is:

# Block access to wp-admin from every address except your own.
order deny,allow
allow from x.x.x.x
deny from all

Just replace x.x.x.x with your actual public IP address, which you can find out here.

Recommended Plugins

There are a number of plugins you can use which will further enhance your login security, as follows.

Limit Login Attempts

This free plugin lets you block IP addresses after they get the password wrong a set number of times; you can configure the allowed retries and how long that IP address stays blocked. This is ideal for stopping brute-force attempts, and you can also log the offending IP addresses and receive an email notification when a user is locked out.
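As an added example (not code from the article or from the Limit Login Attempts plugin), the Python below applies the same retries-within-a-window idea to the server’s own Apache access log, the kind of logging the introduction describes: it counts failed POSTs to wp-login.php per client IP inside a sliding window, flags clients that exceed the allowed retries, and renders them as deny lines for the wp-admin .htaccess approach above. The log lines, IP addresses and thresholds are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Apache access-log lines (not real traffic): 203.0.113.7 hammers wp-login.php, 198.51.100.4 browses and logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Dec/2014:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Dec/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2014:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each failed password attempt. WordPress answers
    a wrong password by re-rendering the form (HTTP 200) and a correct one with
    a 302 to wp-admin, so only POSTs to wp-login.php that got a 200 count."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["path"].endswith("/wp-login.php")
                and m["status"] == "200"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforcers(log_text, max_retries=3, window=timedelta(seconds=30)):
    """Return {ip: lockout_time} for clients with more than max_retries failures
    inside a sliding window; retries and window are the two knobs Limit Login
    Attempts exposes (allowed retries, lockout duration)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for ip, ts in failed_logins(log_text):
        if ip in locked:          # already flagged; stop counting
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) > max_retries:
            locked[ip] = ts
    return locked

def htaccess_deny_rules(locked):
    """Render flagged clients as Apache 2.2 'deny from' lines for wp-admin/.htaccess."""
    return "\n".join(f"deny from {ip}" for ip in sorted(locked))
```

On the sample above only 203.0.113.7 is flagged, at its fourth failure (10:00:05); the legitimate 302 login from 198.51.100.4 is never counted.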


Here you can see a log of the attempts that are blocked:




Rublon

Rublon is a free plugin we have reviewed here on WPLift. It protects your WordPress login with two-factor authentication: you set up trusted devices from which you can access the admin area, such as your home PC, work PC or phone, and it denies logins from any device not on your “Trusted” list. It’s a really solid plugin, so I highly recommend you check it out.




Rename WP-Login.php

Rename wp-login.php is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules; it simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible at their normal addresses, so you should bookmark or remember the new URL. Deactivating the plugin brings your site back exactly to the state it was in before.


All In One WP Security & Firewall

Finally, if you are looking for a complete security solution for your WordPress site, you should take a look at this one. It has a large set of features for hardening your site against attack:

  • User accounts security
  • User login security
  • User registration security
  • Database Security
  • htaccess and wp-config.php File Backup and Restore
  • Blacklist Functionality
  • Firewall Functionality
  • Brute force login attack prevention
  • WhoIs Lookup
  • Security Scanner
  • Comment SPAM Security
  • Front-end Text Copy Protection




There are a few ways to better secure your admin login from hackers. The easiest and most effective is to simply not use “admin” as your username; if you are, I highly recommend you change it now to something unique to your site. If your website is quite popular and you find you are still having problems with brute force attacks, then using one of the methods or plugins above should help even further.

Oliver Dale is the founder of Kooc Media, an Internet company based in Manchester, UK. He founded WPLift in 2010.