How to Protect Your WordPress Website from Brute Force Attack

How to Protect Your WordPress Website from Brute Force Attack

Security in WordPress is a primary concern. As open source script is vulnerable to all sorts of attacks, WordPress is no different. But it’s not entirely correct. The reason behind your WordPress site being hacked isn’t its fault; instead, it’s your fault.

The most natural and most common way to hack a website is using brute force attack. Hackers use brute force attack to gain access to a website. A ‘brute force’ attack is a sort of attack against a site to access the site by speculating the username and password, again and again.

Brute force attack can be made using either human or bot. But most of the time hackers use bots because bots are capable of trying thousands of combinations every minute.

To become satisfied with a brute force attack hackers need:

  • Your username
  • Password
  • Your login page
  • Freedom to try thousands of different username/password combinations without restriction

So, if a hacker doesn’t have anyone of this information they can’t reach your website. And by taking few steps, you can stop this kind of attacks.

Today, we will go through on how you can prevent your WordPress site from brute force attacks. Let’s dive into the article….

Secure Login

Step 1: Secure Your Login Credentials

A) Change User Name

The first line of defense and most important step to prevent an attacker for succeeding is to secure your login credentials. If you use weak username or password, it’s effortless for a bot to guess your login credential and gain access.

For example, if you ‘admin’ as your username and ‘protectpass’ as your password how long it will take to breach the security? It will take few minutes to gain access.

So, don’t use admin as your username. Try to use something else as username and every time use your email address for login, this will give you better security hold. As emails aren’t easy to predict, hackers will have a tough time with it. You can use plugins like WP Email Login for this purpose.

B) Set Strong Password

After changing the username, you should set a secure password. The more your password is protected, the more it is hard for hackers to crack your website. To arrange a secure password, you can follow this rules:

  • Use a mix of upper and lowercase letters
  • At least one number
  • Use at least one symbol
  • Specific length, i.e., 12-15 characters

If you follow this rules, you can create a secure password. But you can’t honestly make a random password as you are human. So instead, you can use password generators like Strong Password Generator. ApplyAnd to remember passwords use password manager services. For example, LastPass, or 1Password.

Step 2: Use reCAPTCHA

Using reCAPTCHA in your WP login form will ensure an extra layer of security. reCAPTCHA is a free service from Google. It helps protect websites from spam and abuse. This is a test to tell humans and bots apart.

After all, most of the brute force attacks are made by bots so it can be prevented merely by using reCAPTCHA in WP login form.

If you want to integrate reCAPTCHA your own follow this steps:

  1. Go to google reCATPCHA, add your website and get the secret key
  2. Add following code in the header section of your website: <script src=“” async defer></script>
  3. After that include the following line wherever you want to show the CAPTCHA: <div class=“g-recaptcha” data-sitekey=“your_site_key”></div>

But if you don’t want to go through all the hassle, you can use a plugin. You can use ALL in One Security & FarewellInvisible reCaptcha for WordPress plugin, etc.

However, remember that this trick can only prevent bots, not humans.

Change Login URL

Step 3: Change Login Page URL

Did you wonder, if hackers can’t find your WP login page then how will they attack you? Without having access to your login page, a brute force attack can’t become successful.

You should change these permalinks:

  • /wp-login.php
  • /wp-admin.php
  • /wp-login.php?action=register

You can code and change the URL, but that’s the hard way. You can quickly change the URL. Just install iThemes Security plugin or WPS Hide Login plugin and change your login page URL to a custom one.

Use Pass to Login Page

Step 4: Use Password to Access Login Page

You can also prevent anyone to load your login page even if they know your login page URL by securing access to your wp-login.php file using a .htpassword file. Unless they know the username and password, they can’t load the login page.

Use the following steps:

  1. Using htpasswd generator create content and save it as a file named .htpasswd (with no extension).
  2. Upload the .htpasswd file in same location as .htaccess file
  3. Now put the code below in your .htaccess file:## Stop Apache from serving .htpasswd files
    <Files ~ “^\.ht”> Order allow,deny Deny from all </Files>
    <Files wp-login.php>
    AuthUserFile ~/.htpasswd
    AuthName “Private access”
    AuthType Basic
    require user coderex

Change “~/.htpasswd” as the location of your .htpasswd file and change “coderex” to the username you gave when creating the htpasswd file.

Limit Login Attempt

Step 5: Limit Login Attempt

With limiting the login attempts, you can secure your WordPress website from brute force attack. If bots had only 3 to 4 try to re-enter username and password, it wouldn’t become successful.

Though WordPress by default doesn’t prevent anyone from attempting to login in your website, it gives the option to limit login attempt while you first install WordPress.

Don’t get scared if you hadn’t check that box on installation. Because by using Loginizer, Login Lockdown, or Limit Login Attempts plugin you can do the same.

Step 6: Limit Access to The Login Page by IP Address

You can also block access to the WordPress admin area if you have a static IP address. This is a great way to secure WordPress login by permitting access to specific IP addresses. Add the following code to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “WordPress Admin Access Control”
AuthType Basic
order deny, allow
deny from all
# whitelist IP address
allow from

Change the “” to your original IP address and if you need more than one IP address also add them in the code.


Step 7: Use Two Factor (2F) Authentication

2F authentication is the final line of defense against brute force attack. In this process, you have to enter a unique verification code created each time you want to login by the Google Authenticator mobile app. To able this feature, you also have to install Google Authenticator plugin, or 2FAS Light – Google Authenticator in your WordPress website.

No Comments

Leave a ReplyCancel reply

Your email address will not be published. Required fields are marked*

cta img

Let us help you deliver your next project!

Contact Us