How to Protect Your WordPress Website from Brute Force Attacks

Protect Your WordPress Blog from Brute Force Attacks

Every person who has ever used WordPress is at risk of brute force attacks, which occur every now and then. In fact, the number of brute force attacks is increasing like never before, and they are unlikely to stop anywhere in the near future. What does this mean for you, as an end user? Do you have to quit blogging on the WordPress platform and move over to another CMS option? Of course not! It simply means you need a defense system to protect your WordPress-based website. With just a few precautions, your dashboard will become a real bulletproof shield that not even a super hacker would be able to force his way through.

What can you do against brute force attacks?

Since brute force attacks are pretty mainstream, it only makes sense that the official WordPress Codex page would have suggestions and helpful practices for you to follow. I recommend that you make yourself familiar with their list of suggestions and take them into consideration for your blog’s protection. The WordPress Codex offers both user-based protections and recommendations for your web hosting server settings.

What can you do about brute force attacks?

There’s quite a lot you can do to set up a safe WordPress blog. There are WordPress plugins that can help you shield your blog, as well as good practices that you can engage in to make sure that even if you are targeted by brute force attacks, you will be protected.

1. Do not use ‘admin’ as a username

Perhaps this should go without saying, but it has to be mentioned nevertheless. Never use ‘admin’ as a username when installing WordPress on your server. It’s tempting to do so, and it used to be a somewhat popular practice. Luckily, not anymore. When installing WordPress, use any other username as your admin login (apart from your domain name or website title, of course).

If you already use “admin” as a username on your blog, simply change it. It doesn’t matter to what, but you need to replace it as soon as possible. Regardless of what the “Edit User” section says, you can easily change the usernames of both your admins and your users. You can either use a plugin for this or update it in your WordPress database (which is a lot easier than you imagine).

2. Use really strong passwords

I feel that this one has been mulled over so many times, it’s like telling you not to touch unprotected electricity wires. Don’t use the word “password” as your password, nor something you consider more secure, like “password123”. If you have the choice, use the “Generate Random Password” option that WordPress always offers upon installation. Yes, I know you won’t be able to remember it, but neither would the hacker. Moreover, install the Force Strong Password plugin, so anyone who registers for your blog as a subscriber is also secured, not just you as the admin. Even if you follow the best security practices, that doesn’t mean everyone else does.

3. Transfer your login away from /wp-admin

Did you know that you can modify your login URL? There are various ways to do it, but like nearly everything else in WordPress, it all boils down to either using a special plugin or manually updating the PHP code.

By default, we all log into WordPress at When it comes to brute force attacks, however, this is their primary target. Hackers can’t try and force their way in through the gate if there is no gate, right? By transferring your admin login URL away from /wp-admin, you’re basically hiding it from the invaders.

There are two great WordPress plugins for this: Loginizer and WPS Hide Login. While Loginizer has much more functionality than merely relocating the login URL, WPS Hide Login does only that one thing, but it does it perfectly well.

Moreover, it’s obviously not a good idea to use /login or /admin or anything of that nature, as your new “secure” login URL. Consider something that could be uncommon for your blog, or perhaps something like /employees or /staff. While those are well-known words, the brute force bots aren’t likely to be programmed to target them.

Move your login away from /wp-admin manually

If you’re the type of user who prefers to keep plugin usage to the minimum possible, you can edit the URL in the good old-fashioned manner, manually. It’s a bit more complex, but it’s not actually that difficult. I’ll break the task down for you here. You’ll need to be fairly confident editing PHP files such as wp-config.php and your .htaccess file, and to know where they are on your server.

There are multiple ways to achieve this goal; here is perhaps the most popular and useful method.

4. Use Two-Factor Authentication

Two-factor authentication (2FA) is just as important these days as having a good strong password. Essentially, 2FA boils down to you verifying that it’s you every time you try to log in, by entering a unique code or clicking a unique link that is sent to you, either by email or by text. This secondary factor (the username/password being the first) confirms that you are… well, you.

Two of the most prominent security plugins have authenticator functionality built in, and both are highly advised. If you’re a premium WordFence member, you can get authentication through their plugin. UpdraftPlus has 2 login extensions: Keyy, a password-less authenticator (like Clef, if you ever used it), and the aptly named Two Factor Authentication. Moreover, the Loginizer plugin I mentioned previously also offers 2FA functionality via apps like Authy and the Google Authenticator (unfortunately, for premium users only).

5. Limit login attempts

The reason why brute force attacks are so powerful against WordPress is that login attempts are unrestricted by default. You never get locked out for trying an incorrect password too many times. That’s why a brute force attack is a powerful tool for gaining access: if the hacker bangs his head against your wall enough times, eventually he will knock a hole in it. By restricting the number of times anyone can try to log in, you dramatically blunt the assault. This isn’t a bullet-proof technique, but you significantly reduce the odds of your blog being compromised and contaminated with malicious software.

The most famous plugin for this task is Limit Login Attempts, and you can also get the same functionality through WordFence or Loginizer. These are so simple to set up; there’s no reason not to have them installed and activated.
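To see what an attempt limit does to a run of guesses, the added example below (not from the original post or from any of the plugins named) replays a web server access log through a lockout policy and reports which addresses would be locked out and how many of their attempts would be refused. The thresholds and log lines are constructed, and it assumes the usual WordPress behaviour that a failed POST to wp-login.php returns 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (combined format); addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:10:00:{s:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 4120 "-" "-"' for s in range(0, 24, 2)]
    + ['198.51.100.20 - - [12/Mar/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "-"',
       '198.51.100.20 - - [12/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "-"',
       '198.51.100.20 - - [12/Mar/2024:10:01:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"'])

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php answered with 200."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def simulate_lockouts(events, max_failures=5, window=timedelta(minutes=5),
                      lockout=timedelta(minutes=20)):
    """Apply a per-IP limit; return (locked_until, attempts refused per IP)."""
    recent, locked_until, refused = defaultdict(deque), {}, defaultdict(int)
    for ip, when in events:
        if ip in locked_until and when < locked_until[ip]:
            refused[ip] += 1              # the limiter would reject this one
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:       # forget failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = when + lockout
            q.clear()
    return locked_until, dict(refused)

if __name__ == "__main__":
    locked, refused = simulate_lockouts(failed_logins(SAMPLE_LOG))
    for ip, until in locked.items():
        print(f"{ip} locked until {until}, {refused.get(ip, 0)} attempts refused")
```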

6. Delete unused WordPress installations

Pretty much every webmaster is guilty of this. How many times has it happened? You installed WordPress on your web hosting server just to play around with it, or to test a plugin or a WordPress theme, and then never returned to that blog again. Maybe it sits at a really odd, obscure subdomain of your primary domain, and you don’t even remember it’s there. My point is, it still sits there. The fact that you’re not working with it doesn’t mean it’s not an active WordPress installation, prone to brute force attacks. On top of that, it’s most likely unforgivably outdated.

Brute force attackers are seeking those forsaken databases. Usually, they lack safety plugins, the passwords are generic, and the usernames haven’t been changed from “admin.” While they don’t have any real value on their own, they provide hackers with access to your hosting account and server login or credit card information. So the next time you want to test a plugin or a theme, delete the test installation immediately afterward. Otherwise, you’re sort of drawing a target sign on your own back.

7. WordPress security plugins

Bearing all that in mind, you should also be running some all-in-one WordPress security plugin to ensure complete security. These should cover a lot of various aspects depending on the plugin itself and the purpose of your website, but in most cases, such a plugin will provide you with malware scans, web application firewalls, login protection, 2FA, file repairs, regular backups, comment spam filters, IP whitelists or blacklists, and more. We are lucky to have access to some really marvelous free options out there (which are more than enough for most blogs), as well as some absolutely extraordinary paid options.

  1. Loginizer
  2. All-in-One WP Security & Firewall
  3. MalCare Security
  4. Jetpack
  5. Sucuri
  6. WordFence

Be safe on the web

With the rise of brute force attacks and just general bad practices on the internet, you can’t be too careful. Any of the WordPress plugins listed above is capable of protecting you from hackers, especially when combined with the best security practices mentioned above (and the additional ones listed on the WordPress Codex website). Keep an eye on your security, and those brute force attacks won’t even be able to dent your blog’s fortress.

Let me know, what do you use to safeguard your WordPress blog from the increasing threat of brute force attacks?

Lorelei has been an online entrepreneur, marketer and influencer since 2006. Her greatest passion lies in WordPress, which is why 10 years ago she switched to being a full-time blogger and never looked back ever since. With so many years of experience behind her back, she is an expert in copywriting, SEO, blogging, marketing and making money online. She loves sharing her knowledge and helping people achieve their dream of becoming online entrepreneurs.
