How to: Prevent Bruteforce Login Attacks on Your WordPress Installation

We recently suffered a brute force login attack on one of my servers which was causing some sites to be unreachable and the server load was sky-high. After installing a logging script on the server we found out that the problem was caused on one installation of WordPress – hackers were using a script to try and guess the password of the admin account. After identifying the problem we were able to prevent this from continuing, but not before some downtime to various websites, resulting in a loss of income for my company.

In this post I’m going to talk you through a few methods to prevent this so the same doesn’t happen to you.

Change Admin Username

This is mentioned all the time, but it really is an important step – don’t use “admin” as your admin username; pick something unique for each site. This was the cause of the problem with my site: I had the admin username as admin, so this was the main reason for the attack. Because the hacker knows the username is admin, they are halfway to getting the login details and can use a brute-force script to try many different passwords in combination with the username. If the username is something they don’t know, this type of attack is not really possible.

Using .htaccess

If you are using PHP hosting, which most WordPress installations will do, you can use a .htpasswd file and .htaccess to prevent anyone even loading your wp-login.php file unless they know the username and password to do so. This provides an extra layer of security, as there are now two sets of usernames and passwords to get through before reaching your WordPress admin area. This is fairly simple to set up; you will need to know the server path to your website, which will be something like: home/website

First you need to generate the .htpasswd content; you can do that on this site. Enter a username, click “Generate Password” and then click “Generate htpassword content” and save the text from the right-hand box as a file named .htpasswd (with no extension) and upload this to your hosting, outside the public_html directory.


Now you need to add the following to your .htaccess file which points to the location of your htpasswd file :

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
# Location of the password file (replace with the path on your server)
AuthUserFile ~/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser
</Files>

Change “~/.htpasswd” to the location of your .htpasswd file, written as the full server path (Apache does not expand “~”), and change “mysecretuser” to the username you chose when creating the htpasswd file.

Limit Access to Your Admin Area by IP Address

If you are the only person who needs access to your WordPress admin area and you have a static IP address, you can limit access to yourself only by adding a rule in an .htaccess file within your wp-admin directory. The code to use is :

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x 
deny from all

Just change x.x.x.x for your actual IP address, which you can find out here.

Recommended Plugins

There are a number of plugins you can use which will further enhance your login security, as follows.

Limit Login Attempts

This free plugin will allow you to block IP addresses if they get the password incorrect a number of times, you can set the allowed retries and the amount of time that IP address is blocked for. This is perfect for preventing brute force hacking attempts, you can also log the IP address and receive an email notification when a user is locked out.


Here you can see a log of the attempts that are blocked:


Download Plugin »
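As an added illustration (not code from the Limit Login Attempts plugin or from this post), the Python example below replays failed wp-login.php POSTs from an Apache access log through the same kind of retries-then-lockout rule the plugin description outlines. The log lines, IP addresses, thresholds and function names are constructed for the example, and it assumes a failed login answers with HTTP 200 while a successful one redirects with 302.

```python
import re
from datetime import datetime, timedelta

def make_line(ip, clock, method="POST", status=200):
    # Build one constructed access-log line in Apache "combined" format.
    return (f'{ip} - - [01/Jan/2024:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "-"')

# Constructed sample: one noisy client and one user who mistypes once.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", f"09:00:{s:02d}") for s in range(10)]
    + [make_line("198.51.100.20", "09:01:00", "GET"),
       make_line("198.51.100.20", "09:01:05"),
       make_line("198.51.100.20", "09:01:20", status=302)])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, time) for each failed login POST found in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: a failed login re-renders the form (200),
        # a successful one redirects to the dashboard (302).
        is_login = path.split("?")[0].endswith("wp-login.php")
        if method == "POST" and is_login and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def replay_lockouts(log_text, allowed_retries=4, window=timedelta(minutes=10),
                    lockout=timedelta(minutes=20)):
    """Replay failures through a retries-then-lockout policy.

    Returns (lockouts, blocked): lockout start times per IP, and how many
    further attempts per IP arrived while that IP was locked out."""
    recent, locked_until, lockouts, blocked = {}, {}, {}, {}
    for ip, ts in failed_logins(log_text):
        if ts < locked_until.get(ip, ts):      # still inside a lockout
            blocked[ip] = blocked.get(ip, 0) + 1
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        if len(hits) >= allowed_retries:       # retries used up: lock the IP
            locked_until[ip] = ts + lockout
            lockouts.setdefault(ip, []).append(ts)
            hits = []
        recent[ip] = hits
    return lockouts, blocked
```

Passing the text of a real access log to replay_lockouts() shows which addresses a given retry and lockout setting would have stopped, and how many guesses it would have absorbed, before you commit to those values.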


Rublon

Rublon is a free plugin we have reviewed here on WPLift. It works by using “Two Factor Authentication” to protect your WordPress login: you can set up trusted devices from which you can access the admin area, such as your home PC, work PC, phone and so on, and it will deny logins from any other devices not on your “Trusted” list. It’s a really solid plugin, so I highly recommend you check it out.


Download Plugin »

Rename WP-Login.php

Rename wp-login.php is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the url. Deactivating this plugin brings your site back exactly to the state it was before.

Download Plugin »

All In One WP Security & Firewall

Finally, if you are looking for a complete security solution for your WordPress site, you should take a look at this one. It has a large number of features to completely secure yourself against attack:

  • User accounts security
  • User login security
  • User registration security
  • Database Security
  • htaccess and wp-config.php File Backup and Restore
  • Blacklist Functionality
  • Firewall Functionality
  • Brute force login attack prevention
  • WhoIs Lookup
  • Security Scanner
  • Comment SPAM Security
  • Front-end Text Copy Protection


Download Plugin »


There are a few ways to better secure your admin login from hackers – the easiest and most effective is to simply not use “admin” as your username – if you are, then I highly recommend you change it now to something unique to your site. If your website is quite popular and you find you are still having problems with brute force attacks, then using one of the methods or plugins from above should help even further.



Oliver Dale is the founder of Kooc Media, An Internet Company based in Manchester, UK. I founded WPLift and ThemeFurnace, find out more on my Personal Blog. Thanks!


6 thoughts on “How to: Prevent Bruteforce Login Attacks on Your WordPress Installation”

  1. I don’t use wordpress very often, but a great approach to preventing brute force logins is to delay responses on an exponential basis. For example, the first 3 failed login responses are instantaneous, the next three take 1ms, the next 2 take 2ms, the next one takes 4ms, the next taking 8ms.

    This allows someone who may not remember exactly which password they used to not physically see any delay, but for a bot trying a brute force attack this will significantly delay their execution in a very large magnitude.

    I don’t know if there are any wordpress plugins that do this, but that’s what I’d be looking for.

  2. Are you serious? You haven’t included WordFence in your plugin list?!?!
    Their free plugin has covered me and my clients’ websites from literally hundreds or thousands of brute force attacks!
    I manage a well known astrology site which in the worst days could receive 5 or more BF attacks (totally insane! And all of them using “admin” as login id!) and the free wordfence plugin, since I installed it, has never let anyone in! If you get one plugin for wordpress security, get wordfence!

  3. Hi OLI... thanks for the step by step tutorial. I shifted yesterday from the HostGator Baby Plan to the Business Plan; the whole site is working fine but I am getting this error in my WordPress Dashboard. Sucuri: Data folder does not exists and could not be created. You will need to create this folder manually and give it write permission. I have even uninstalled the plugin and reinstalled it too. Also I reset the plugin options by clicking the Reset Plugin Options button too. I have also checked the permissions of the folder in my cPanel, permissions are 755, I also tested by changing permissions to 777, but it's not working. I am unable to fix this issue. Any help regarding this will be appreciated...

    Regards: Saif Ullah
