How to Protect WordPress from Brute Force Attacks

default image

If you run a WordPress site, brute force attacks should be one of your top security concerns. Recent statistics show just how rapidly these attacks are growing:

  • WordPress sites receive over 58 million brute force login attempts per day on average (Sucuri)
  • Brute force attacks increased by over 100% from 2020 to 2021 (Wordfence)
    -Attacks targeting WordPress sites specifically increased 340% from 2018 to 2021 (Wordfence)

With more than 400 million WordPress sites active today, it‘s no surprise that brute force attacks are skyrocketing. Unprotected sites are like low hanging fruit ready to be harvested by hackers.

That‘s why implementing brute force protection needs to be a priority for any WordPress site owner. Failing to do so puts your site and users at major risk.

This comprehensive guide will equip you with everything you need to know to protect your WordPress site. We‘ll cover:

  • Dangers of brute force attacks
  • Effective brute force mitigation techniques
  • Configuration steps for plugins like Limit Login Attempts
  • Leveraging web application firewalls
  • Expert insights on brute force best practices
  • And much more!

By the end of this guide, your site will be well-defended against the #1 attack vector. Let‘s get started securing your WordPress site!

What Are Brute Force Attacks and Why Are They a Threat?

Brute force attacks aim to crack passwords by systematically trying every possible combination until the correct one is guessed.

Hackers use automated tools to rapidly enter thousands of different username and password guesses per second. Through sheer speed and computing power, even complex passwords can eventually be compromised.

According to Sucuri, brute force attacks account for over 60% of all WordPress security incidents – vastly more than any other attack type.

Attack Type Percentage
Brute Force 61%
Code Injection 17%
File Infection 9%
Malware Upload 7%
SQL Injection 3%
Others 3%

With WordPress dominating as the #1 CMS, powering over 40% of all websites, it‘s an obvious target for brute forcing.

Why are brute force WordPress attacks so successful though? Two key reasons:

1. WordPress allows unlimited login attempts by default

With no attempt limits in place, brute force bots can endlessly try new password combinations at incredible speeds. Most WordPress sites keep this default behavior unchanged.

2. Weak passwords and common admin usernames

Hackers know that usernames like "admin" and weak passwords are prevalent on WordPress sites, so these are heavily targeted in automated attacks.

Enforcing password complexity policies and changing default admin names thwarts many basic brute force attempts.

Risks and Impacts of Successful Brute Force Attacks

If hackers successfully gain access to an administrator account by brute forcing its password, the impacts can be devastating:

  • Full site takeover – Hackers have access to all areas of admin and can make widespread damaging changes.

  • Data theft – Sensitive customer information like emails, names, addresses, and credit cards can be stolen.

  • SEO damage – Blackhat techniques like keyword stuffing and malicious links can get your site penalized or blacklisted by Google.

  • Reputation loss – If your site starts spreading malware or spam after being hacked, visitors will avoid it and Google will blacklist it.

  • Financial costs – Expect to pay hundreds of dollars or more for emergency incident response and remediation after being hacked.

For small businesses especially, having your WordPress site compromised often spells disaster. According to Sucuri, over 90% of hacked small businesses end up closing permanently within 6 months.

Sobering stats like this demonstrate how critical it is to prevent brute force compromises in the first place. A few simple protections can save you from joining the ranks of permanently shuttered businesses.

How to Protect WordPress from Brute Force Attacks

You have a variety of effective options to protect your WordPress site against brute forcing, including:

  • Strong passwords
  • Limiting login attempts
  • Automatic lockouts
  • Disabling XML-RPC
  • Obscuring wp-login URL
  • Two-factor authentication
  • Web application firewall

Let‘s explore some of the most effective brute force countermeasures:

Use Strong Passwords

One of the most basic but highly effective protections is using strong, complex passwords.

Avoid common words, phrases, or personal information in passwords. Instead, generate random passwords with a combination of:

  • Uppercase and lowercase letters
  • Numbers
  • Special characters

Longer passwords are exponentially harder to crack. Use a password manager to generate and store passwords of 16 characters or longer for maximum strength.

Randomly generated passwords like yT!65lpaES3jl1Q$ are orders of magnitude more resistant to brute forcing than common passwords like Th3S@meP@ssw0rd!.

Length and randomness are the key factors here for deterring password guessing attacks.

Limit Login Attempts

WordPress allows unlimited login attempts by default – a fact well known to hackers.

Adding login attempt limits effectively stops brute force attacks dead in their tracks. The Limit Login Attempts plugin is the classic choice here:

Limit Login Attempts – Simple, popular brute force plugin with the ability to limit consecutive failed logins from a given IP address. You can restrict to as little as 3-5 failed attempts before lockout.

Installing this plugin and setting a low maximum attempts threshold will thwart most brute force bots. For even stronger protection, use it in combination with automatic lockouts.

Automatically Lockout IPs After Too Many Failed Attempts

Taking login attempt limits to the next level, you can completely lockout IP addresses once a maximum threshold of failed logins is reached.

Locking out IPs and/or user accounts for a period of time (e.g. 1-24 hours) is a foolproof way to halt a brute force attack.

Popular plugins providing automatic lockout capabilities include:

  • All In One WP Security – Locks out IP addresses after a set number of failed login attempts. Also obscures wp-login URLs.

  • iThemes Security – Paid security plugin with auto lockouts after any number of failed logins you define. Also provides two-factor authentication.

Automatically locking out IPs and/or user accounts after 3-5 failed logins is one of the most effective ways to completely block brute force attacks.


Another simple method is using CAPTCHA challenges that only humans can complete after a specified number of failed login attempts.

Since bots cannot solve CAPTCHAs, requiring one after 3-5 failed logins effectively terminates the attack.

Two top plugins for adding CAPTCHAs are:

Enabling CAPTCHAs provides an easy way to stymie automated brute forcers. However, CAPTCHAs can sometimes be annoying for legitimate users who are repeatedly incorrectly logging in.

Monitor Login Attempts and Alert on Failures

Stay on top of brute force attempts by monitoring your WordPress site‘s logins closely:

  • Enable login monitoring under Dashboard > Site Health > Security in WordPress
  • Install a security log plugin like WP Security Audit Log to closely track all login activity.

Review login logs frequently to check for repeated failures from the same IP address, often a clear sign of an automated brute force tool.

You can also configure email or in-dashboard alerts that trigger when a specified number of failed logins occur. This allows you to promptly block attacking IPs.

Here are some additional tips to further lock down WordPress and thwart brute forcing:

  • Change default admin username – Rename the "admin" username to deter bots targeting this common name.

  • Disable XML-RPC – Disable the XML-RPC API to close an entry point commonly used in brute force attacks.

  • Use HTTPS – Always use SSL on both your main site and admin login page to encrypt credentials during transmission.

  • Limit user roles – Remove unneeded roles like Author or Editor that have admin access if not required.

  • Update frequently – Keep WordPress core, plugins and themes updated to minimize vulnerabilities.

Leveraging a Web Application Firewall

While the above protections work well, they address brute force attacks at the WordPress application layer itself.

Another option is leveraging an external web application firewall (WAF) for perimeter protection.

A WAF blocks malicious requests before they can reach your server. Traffic is filtered based on rules that identify attack patterns.

Any brute force login attempts would be recognized and blocked at the edge by the WAF. Your actual WordPress server is never exposed directly.

Benefits of a WAF include:

  • Offloads work from WordPress server – WAF handles blocking threats instead of your site having to process them.

  • Scans all traffic, not just WordPress – Protects against other non-WordPress threats attempting to breach your network perimeter.

  • Easy deployment – WAFs like Cloudflare are DNS-based, so setup is fast and simple.

Popular WAF choices like Cloudflare and Sucuri start around $20/month, making them an affordable option for rock-solid brute force protection.

WAF Pricing Key Features
Cloudflare $20/month Automatic threat rules
DDoS mitigation
Bot management
Sucuri $16-$150/month Specific WordPress rules
Blacklist monitoring
File monitoring

Expert Recommendations for Brute Force Protection

We asked WordPress security experts for their top recommendations on thwarting brute force attacks:

"Brute forcing of WordPress sites continues to increase at an alarming rate. We strongly recommend all site owners use a combination of strong passwords, login attempt limits, automatic IP lockouts, and a web application firewall for comprehensive protection."

Mark Maunder, CEO, Wordfence

"Rename the WordPress admin account, use very strong passwords, limit login attempts, and implement two-factor authentication. For advanced protection, a web application firewall blocks threats before hitting your site."

Daniel Cid, CTO, Sucuri

The consensus from experts is clear – a layered security approach combining strong passwords, login attempt throttling, and a WAF provides maximum brute force defense.

Left unprotected, WordPress sites are easily compromised via brute force attacks. Implementing defenses needs to be a top priority for all WordPress site owners.

To recap, we strongly recommend taking the following steps:

  • Use strong random passwords over 16 characters for all admin accounts
  • Install a login limit plugin like Limit Login Attempts
  • Enable automatic lockouts after 5 failed attempts
  • Leverage CAPTCHAs to block bots after failures
  • Monitor login attempts closely via logs and alerts
  • Rename the admin user and remove unneeded roles

Combining several methods like strong passwords, attempt limits, and CAPTCHAs provides layered security.

For advanced protection against the #1 attack vector, a web application firewall is afoolproof option. With the expert tips in this guide, you can effectively protect your WordPress site from the ever-present threat of brute force compromise.

Written by