Securing WordPress Websites Against Brute Force Attacks

With hackers, intruders, and spammers ever-ready to attack, security is a top concern for WordPress sites. Brute forcing your login credentials is the attack hackers try most these days. I cannot tell you how many times I have scrolled through my website logs, finding failed brute force login attempts.

Brute force attacks are an everyday reality of the online world. But why do these attacks continue to happen despite all the security measures?

In this article, I am going to explain how to secure a WordPress website against brute force attacks. I will share simple ways which prevent a hacker from cracking your username and password.

Do you want to save your site from getting hacked by a brute force attack? If so, read ahead and find out some simple-to-use measures to keep that from happening.

Brute Force Attacks

Picture this: have you ever tried to guess the password of an old computer which you had forgotten? And then you did end up accessing it by simple guesswork? Probably on more than one occasion, right? Because I have. That’s what a brute force attacker does! They have a big database of common usernames and passwords, and they try combinations of them on your site in hopes of getting access. But the real deal is that it takes place on a much larger scale and is a bit more organised than we think.

In a brute force attack, hackers try to guess the login credentials of your WordPress website. With accurate automated tools and manual guesswork, they attempt to guess your username and password. Without protection in place, it becomes relatively easy for brute-forcing tools to bring down your website. Even if they are not able to break in, they can put enough load on the server to slow your site down.

WordPress uses password-based authentication, and such web applications are more prone to these threats. Your login page is an easy target for hackers because they know that a WordPress dashboard can be accessed by this route, i.e. at Domain/wp-login.php.

Obviously, this post isn’t about securing the admin area, but you should probably change that route to something unique. How? I recommend reading my previous post about it.

Strong Login Credentials

Before I discuss the preventative measures for brute force attacks, it is fundamentally important to understand what secure login credentials mean. Your first correspondence with the WordPress installation is through a login page where you enter your username and a password.

Strategizing usernames and passwords can readily protect you from brute force attacks. A strong password should be at least ten characters long and have uppercase and lowercase letters, numbers, and a few characters (@#!$%^&*), and it must not contain your name or any nouns. You can use services like 1Password and LastPass to manage strong passwords and to easily change them whenever you want.

Likewise, you should never use the username “admin”. Approximately 87% of the brute force attempts on WordPress websites take place using this default username. A strong password and a unique username, along with certain preventive measures like a unique login URL, can protect your website from being brute forced.

If you’ve read through the first part of this article, then give yourself a pat on the back. Now that you have a better understanding of brute force attacks, let’s jump to what actions you can take to minimize this threat.

Website Lockdown

Locking down your website after repeated login attempts is an incredible solution to prevent brute force attacks. Unfortunately, the default WordPress security suite lacks this feature, but it can be easily integrated with third-party plugins. A lockdown plugin tracks all those IPs which try to log in with multiple combinations. These users are banned, and your site stays safe from getting hacked.

I use the iThemes Security plugin for this feature. It not only locks down the website but also blocks a particular IP address for trying out wrong credentials more than 3 times. Other options which you must consider are Login LockDown and Login Security Solution. Both offer great solutions to protect your website’s login pages.

Two Factor Authentication

Two Factor Authentication (2FA) seeks two different credentials to complete the login process. This makes it even more difficult for hackers to access your website through a brute force attack. With 2FA security, a user logs in with not just their username and password, but also with a unique secondary code that is generated and sent to a device (typically a smartphone). Once again, WordPress lacks this default functionality, but several plugins exist out there.

WPLift runs 2FA security and uses the Google Authenticator plugin for it. It gets configured through an app which you install on your smartphone. Upon authentication, the plugin generates a QR code which can be scanned with your mobile device. It also creates a secret code which you can enter manually.

Apart from this, there are several other authentication plugins, like Stealth Login Page, Duo Two-Factor Authentication, and the Clef Two-Factor Authentication plugin.

Login via Email

Another feasible approach to prevent brute force attacks is using email to log in. Here, instead of a username, you enter an email address. This is a much more secure approach because usernames are easier to guess but email IDs are not.

By default, every user provides a valid email address at the time of WordPress installation. But with plugins like WP Email Login, you can log in with your email ID. Just hit the activate button and let the plugin do its job. Now the WordPress login page asks you to enter your email address instead of the username to log in.

Adding a login feature with email not only protects your website but also makes it easy to remember, in case, like me, you have a habit of forgetting your usernames.

Wrapping It Up!

Brute force attacks are easy to manage if handled wisely. Get started with keeping strong passwords and complex usernames. Check your email address against the Have I Been Pwned? database; if your password was leaked in some database breach, you should probably change that password everywhere.

Then implement all the methods which I have shared a little while ago. 2FA is the safest of them all, so get it done first. If you want to learn more about securing your website, check out my previous articles in the series.

What steps do you take to beef up the login security of your site? Tell us in the comments below.

Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.

Ahmad Awais

I am a senior Full Stack WordPress Developer, WP Core Contributor, Front-end Fanatic and an accidental writer. I love to write, talk, build, and share everything about WordPress. You can reach out to me at Twitter @MrAhmadAwais.
