How to Protect Your WordPress Website from Brute Force Attack

How to Protect Your WordPress Website from Brute Force Attack

Security in WordPress is a primary concern. As open-source script is vulnerable to all sorts of attacks, WordPress is no different. But it’s not entirely correct. The reason behind your WordPress site being hacked isn’t its fault; instead, it’s your fault.

The most natural and most common way to hack a website is by using a brute force attack. Hackers use brute force attacks to gain access to a website. A ‘brute force’ attack is a sort of attack against a site to access the site by speculating the username and password, again and again.

A brute force attack can be made either by a human or by using a bot. But most of the time hackers use bots because bots are capable of trying thousands of combinations every minute.

To become satisfied with a brute force attack hackers need:

  • Your username
  • Password
  • Your login page
  • Freedom to try thousands of different username/password combinations without restriction

So, if a hacker doesn’t have anyone of this information they can’t reach your website. And by taking a few steps, you can stop this kind of attacks.

Today, we will go through on how you can prevent your WordPress site from brute force attacks. Let’s dive into the article….

Secure Your Login Credentials to stay safe from a brute force attack

Step 1: Secure Your Login Credentials

A) Change The User Name

The first line of defense and most important step to prevent an attacker from succeeding is to secure your login credentials. If you use a weak username or password, it’s effortless for a bot to guess your login credentials and gain access.

For example, if you ‘admin’ as your username and ‘protectpass’ as your password how long it will take to breach the security? It will take a few minutes to gain access.

So, don’t use admin as your username. Try to use something else as username and every time use your email address for login, this will give you a better security hold. As emails aren’t easy to predict, hackers will have a tough time with them. You can use plugins like WP Email Login for this purpose.

B) Set A Strong Password

After changing the username, you should set a secure password. The more your password is protected, the more it is hard for hackers to crack your website. To arrange a secure password, you can follow these rules:

  • Use a mix of upper and lowercase letters
  • At least one number
  • Use at least one symbol
  • Specific length, i.e., 12-15 characters

If you follow these rules, you can create a secure password. But you can’t honestly make a random password as you are human. So instead, you can use password generators like Strong Password Generator. ApplyAnd to remember passwords use password manager services. For example, LastPass, or 1Password.

Set A Strong Password

Step 2: Use reCAPTCHA

Using reCAPTCHA in your WP login form will ensure an extra layer of security. reCAPTCHA is a free service from Google. It helps protect websites from spam and abuse. This is a test to tell humans and bots apart.

After all, most of the brute force attacks are made by bots so they can be prevented merely by using reCAPTCHA in WP login form.

If you want to integrate reCAPTCHA on your own follow these steps:

  1. Go to Google reCAPTCHA, add your website, and get the secret key
  2. Add the following code in the header section of your website: <script src=“” async defer></script>
  3. After that include the following line wherever you want to show the CAPTCHA: <div class=“g-recaptcha” data-sitekey=“your_site_key”></div>

But if you don’t want to go through all the hassle, you can use a plugin. You can use ALL in One Security & FarewellInvisible reCaptcha for WordPress plugins, etc.

However, remember that this trick can only prevent bots, not humans.

Change Login URL

Step 3: Change Log-in Page URL

Did you wonder, if hackers can’t find your WP login page then how will they attack you? Without having access to your login page, a brute force attack can’t become successful.

You should change these permalinks:

  • /wp-login.php
  • /wp-admin.php
  • /wp-login.php?action=register

You can code and change the URL, but that’s the hard way. You can quickly change the URL. Just install iThemes Security plugin or WPS Hide Login plugin and change your login page URL to a custom one.

Use Pass to Login Page

Step 4: Use Password to Access Login Page

You can also prevent anyone from loading your login page even if they know your login page URL by securing access to your wp-login.php file using a .htpassword file. Unless they know the username and password, they can’t load the login page.

Use the following steps:

  1. Using htpasswd generator create content and save it as a file named .htpasswd (with no extension).
  2. Upload the .htpasswd file in the same location as .htaccess file
  3. Now put the code below in your .htaccess file:## Stop Apache from serving .htpasswd files
    <Files ~ “^\.ht”> Order allow,deny Deny from all </Files>
    <Files wp-login.php>
    AuthUserFile ~/.htpasswd
    AuthName “Private access”
    AuthType Basic
    require user coderex

Change “~/.htpasswd” as the location of your .htpasswd file and change “coderex” to the username you gave when creating the htpasswd file.

Limit Login Attempt to Avoid A Brute Force Attack

Step 5: Limit Login Attempts To Stay Safe From A Brute Force Attack

By limiting the login attempts, you can secure your WordPress website from a brute force attack. If bots had only 3 to 4 tries to re-enter username and password, it wouldn’t become successful.

Though WordPress by default doesn’t prevent anyone from attempting to login into your website, it gives the option to limit login attempts while you first install WordPress.

Don’t get scared if you haven’t checked that box on installation. Because by using Loginizer, Login Lockdown, or Limit Login Attempts plugin you can do the same.

Limit Login Attempts to avoid a brute force attack

Step 6: Limit Access to The Login Page by IP Address

You can also block access to the WordPress admin area if you have a static IP address. This is a great way to secure WordPress login by permitting access to specific IP addresses. Add the following code to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “WordPress Admin Access Control”
AuthType Basic
order deny, allow
deny from all
# whitelist IP address
allow from

Change the “” to your original IP address and if you need more than one IP address also add them in the code.


Step 7: Use Two Factor (2F) Authentication To Avoid A Brute Force Attack

2F authentication is the final line of defense against a brute force attack. In this process, you have to enter a unique verification code created each time you want to login by the Google Authenticator mobile app. To able this feature, you also have to install Google Authenticator plugin, or 2FAS Light – Google Authenticator on your WordPress website.

We also found a great collection of common WordPress vulnerabilities to help you better understand where your website may be weak.


A brute force attack is something you shouldn’t take lightly. While this is not common, when it does happen, there is very little you can do if you are not already prepared.

So make sure you set up your website and optimize it to tackle a brute force attack efficiently.

Also, always make sure to back up your WordPress site should you have any security issues that lead to losing data.

Let us know if you had any brute force experience in the comments below.


No Comments

Leave a ReplyCancel reply

Your email address will not be published. Required fields are marked*

cta img

Let us help you deliver your next project!

Contact Us