
How Brute Force Attacks Are Done On WordPress and How to Protect Your WordPress Site

A brute force attack is like trying every key on a giant key ring until one unlocks a door. Hackers use this method to get into websites by repeatedly guessing usernames and passwords. It works best when people use easy-to-guess usernames and simple passwords like ‘admin’ and ‘123456’.

Here are some common password examples:












This attack targets the weakest point in a website’s security, which is often the ‘users’.

Because of these attacks, your web server’s memory can fill up quickly, causing the site to slow down or crash. This happens because a large number of requests hit your website at the same time, and the server can’t handle the load.

This kind of attack can happen to any website, but it’s more common with WordPress because it’s a popular platform.

What is a Brute Force Attack

A Brute Force Attack is a way hackers try to break into a network, website, or computer system. They use special software that makes tons of guesses to figure out passwords or PIN codes and get inside.

When this attack works, hackers can get into your WordPress website’s control area. From there, they might put harmful software on your site, steal your stuff, or even wipe out your entire site. Even if they don’t succeed, all those guessing attempts can overload your website’s servers and crash them.

Now that we understand what a brute force attack is, let’s look at some steps you can take to keep yourself safe from it.


How to Protect Your WordPress Site From Brute Force Attack

  • Limit login attempts

The most effective way to prevent WordPress brute force attacks is to restrict the number of login attempts. If an incorrect password is entered too many times, the account is temporarily blocked. This approach hampers the effectiveness of brute force bots, as they rely on the trial-and-error method to guess login credentials. By limiting login attempts, you prevent the bot from trying out thousands of combinations, which saves server resources. 

Default WordPress settings allow unlimited login attempts, making it vulnerable to such attacks. Tools like Limit Login Attempts Reloaded automatically activate limited login protection and provide an option for users to solve a captcha to unblock their accounts if they’ve forgotten their passwords.
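The lockout logic described above, replayed over a few constructed access-log lines as an added example (not code from WordPress or Limit Login Attempts Reloaded). The threshold, window, lockout duration, and the reading of a 200 response to a login POST as a failed attempt are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 4                  # assumed policy, not a WordPress or plugin default
WINDOW = timedelta(minutes=5)     # failures are counted inside this sliding window
LOCKOUT = timedelta(minutes=20)   # how long a client stays blocked

LOGIN_POST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE = [f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] '
          '"POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"' for s in range(0, 14, 2)]
SAMPLE += [
    '198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"',
]

def simulate(lines):
    """Replay login POSTs; return {ip: {"locked_at": [...], "blocked": n}}."""
    failures = defaultdict(deque)          # ip -> times of recent failed logins
    locked_until = {}                      # ip -> end of the current lockout
    report = {}
    for line in lines:
        m = LOGIN_POST.match(line)
        if not m:
            continue                       # not a login attempt
        ip, status = m.group(1), m.group(3)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if when < locked_until.get(ip, when):
            report[ip]["blocked"] += 1     # rejected before any password check
            continue
        if status != "200":                # assumption: 302 = success, 200 = failed login
            failures.pop(ip, None)
            continue
        recent = failures[ip]
        recent.append(when)
        while when - recent[0] > WINDOW:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            locked_until[ip] = when + LOCKOUT
            report.setdefault(ip, {"locked_at": [], "blocked": 0})
            report[ip]["locked_at"].append(when.strftime("%H:%M:%S"))
            recent.clear()
    return report

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

The client that fails four times in a row is locked and its later guesses never reach the password check, while the visitor who mistypes once and then logs in is unaffected.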

  • Use Passcodes, Two-Factor Authentication, or CAPTCHA 

For an added layer of security, consider activating the Protected Page feature. This involves specifying the page you wish to safeguard and deciding whether to implement two-factor authentication through Google Authenticator, deploying a CAPTCHA to deter bots, or introducing an additional passcode. 

Commence the use of Two-Factor Authentication (2FA). By doing so, even if someone attempts to guess your password, they will still be unable to gain entry to your website, as they lack the requisite security key. We highly recommend taking this step promptly, with the assistance of the Google Authenticator plugin for added convenience. Employing a passwordless login authentication mechanism contributes significantly to fortifying the security of your WordPress website.

Are you interested in safeguarding the data stored on your portal and deterring unauthorized access? Enhance your security by enabling two-factor authentication. In this scenario, even if an individual tries to compromise your WordPress account, they will need your mobile phone to gain access, even if they possess your password.
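How the second factor stops a guessed password, shown as an added example (not code from the Google Authenticator plugin): a time-based one-time code check following RFC 6238, with the login accepted only when both factors pass. The function names, the one-step clock-drift tolerance and the demo secret (the RFC 6238 test key) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per code, the RFC 6238 default time step

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(base64.b32decode(secret_b32.upper()), int(at // STEP))

def second_factor_ok(secret_b32: str, submitted: str, at: float, drift: int = 1) -> bool:
    """Accept the code for the current step or +/- `drift` steps of clock skew."""
    key = base64.b32decode(secret_b32.upper())
    now = int(at // STEP)
    ok = False
    for counter in range(max(0, now - drift), now + drift + 1):
        # Constant-time compare with no early exit, so timing reveals nothing.
        ok |= hmac.compare_digest(hotp(key, counter).encode(), submitted.encode())
    return ok

def login(password_ok: bool, secret_b32: str, submitted: str, at: float) -> bool:
    """Both factors must pass; a correct password alone is rejected."""
    return password_ok and second_factor_ok(secret_b32, submitted, at)

# Constructed enrolment secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code now:", totp(DEMO_SECRET, time.time()))
    print("password only:", login(True, DEMO_SECRET, "000000", 59))
    print("password + code:", login(True, DEMO_SECRET, totp(DEMO_SECRET, 59), 59))
```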

  • Use Robust Password

An additional measure to fortify the security of your website against brute force attacks involves employing a robust password. Given that hackers employ botnets, which are networks of automated robots, to guess passwords at random, it is advantageous to employ one characterized by a distinctive combination of letters and numbers.

Key attributes of a sturdy password encompass the following:

1. It consists of between ten and fifty characters.

2. It encompasses both uppercase and lowercase letters.

3. It incorporates numbers and special characters.

4. It stands apart from the passwords utilized for other accounts or websites.

To update your password within the WordPress platform, follow these steps:

1. Navigate to the Users section and access the Profile option.

2. Scroll down to Account Management.

3. Click the “Set New Password” option after that. Upon doing so, WordPress will automatically generate a formidable password for you, rendering it exceedingly intricate for anyone to decipher.


You may either employ the generated password or fashion one of your own. While typing, WordPress will offer feedback regarding the strength or weakness of your new password.

To ascertain that your new password is both secure and random, you can employ a password generator. This tool can automatically generate a password comprising a blend of uppercase and lowercase letters, numbers, and symbols.

After entering your newly created password in the designated text box, proceed to the bottom of the page. To save your changes, select “Update Profile”. For maximum defense against brute force attacks, it is advisable to consider altering your WordPress password every four months.

  • Pen testing tools

An organization’s defenses against possible threats should be strengthened through a pen test in order to better identify, stop, and handle security problems.

Pen testing, which simulates attacks like those hostile hackers might launch, aids businesses in evaluating their security by exposing any flaws that could otherwise go undiscovered.

Brute-force attackers use a broad range of techniques. The same brute-force techniques can be applied deliberately against your own systems to test them. This analysis is frequently referred to as “pen testing”.

In a penetration test, one’s information technology infrastructure is subjected to a realistic simulation of a cyberattack. This allows you to identify possible weaknesses.

How to Add Extra Security to Your WordPress Login to Avoid Getting Attacked from Brute Force 

If you want to make your WordPress login more secure, you can add an extra layer of protection to the login page (wp-login.php). However, keep in mind that doing this might cause issues with some plugins.

Here’s how to do it:

Create a Password File: First, you need to create a password file called “.htpasswd.” Many hosting services offer tools to do this, or you can use an online tool.

Decide Where to Put the File: You can either put this password file outside of your public web folder or in the same folder as your login page. If you choose the same folder, you’ll need to do some extra security work in your .htaccess file.

Tell .htaccess About the Password File: After you’ve created the password file, you need to tell your .htaccess file where it is. If you put the .htpasswd file in your user’s home directory and your username is “mysecretuser,” add these lines to your .htaccess file:

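# Prevent Apache from showing .ht* files
# (Apache 2.4 without mod_access_compat: use "Require all denied" instead)
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>

# Secure wp-login.php
<Files wp-login.php>
  # Apache does not expand "~"; give the absolute path to the file
  # (example path for the home directory of "mysecretuser")
  AuthUserFile /home/mysecretuser/.htpasswd
  AuthName "Private access"
  AuthType Basic
  require user mysecretuser
</Files>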

The exact location of AuthUserFile depends on your hosting server, and the “require user” part should match your chosen username.

For Nginx Users: If you’re using Nginx, you can secure your wp-login.php page with password protection. Just add the following code inside your Nginx configuration file (nginx.conf):

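location /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file .htpasswd;
    # If a regex location such as "location ~ \.php$" also matches, nginx
    # uses that block instead of this one; repeat these two directives
    # there, or make sure this block also contains your PHP handler settings.
}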

The “.htpasswd” file’s path should be relative to your nginx.conf file.

Format the Password File: The .htpasswd file should have usernames and their encrypted passwords like this:




Note for Windows Server IIS: If you’re using Windows Server IIS, it’s not as easy to set up password protection for wp-login.php. You might need help from your hosting provider, especially if you don’t have an .htaccess processor like Helicon Ape.

Never forget to use the crypt(3) function to encrypt your passwords. You can use an online htpasswd generator to do this securely.
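A check for the password file format described in the steps above, as an added example (not part of Apache, Nginx or WordPress): it parses each `user:hash` line of an .htpasswd file, identifies the hash scheme from its prefix and shape, and flags entries that look like plaintext or use a weak scheme. The function name, the sample entries (filler, not real credentials) and the strong/dated/weak ratings are this example's own assumptions.

```python
import base64
import hashlib
import re

# (scheme, pattern, rating). Ratings are this example's own assessment.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"), "strong"),
    ("crypt-sha2", re.compile(r"\$[56]\$.+\$[./A-Za-z0-9]+"), "strong"),  # needs platform crypt(3) support
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), "dated"),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), "weak"),            # unsalted
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), "weak"),               # only first 8 chars count
]

def lint_htpasswd(text):
    """Return (line_no, user, scheme, rating) for every entry in an .htpasswd file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are skipped
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:
            findings.append((no, user or None, "malformed", "invalid"))
            continue
        for scheme, pattern, rating in SCHEMES:
            if pattern.fullmatch(secret):
                findings.append((no, user, scheme, rating))
                break
        else:
            # Nothing matched: most likely a plaintext password pasted into the file.
            findings.append((no, user, "unrecognised", "invalid"))
    return findings

# Constructed entries; hash bodies are filler, not real credentials.
SAMPLE = "\n".join([
    "# demo .htpasswd",
    "alice:$2y$10$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
    "dave:ab" + "C" * 11,
    "erin:hunter2",
    "frank",
])

if __name__ == "__main__":
    for finding in lint_htpasswd(SAMPLE):
        print(finding)
```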


Protecting your WordPress site from Brute Force Attacks is of utmost importance to ensure the security and integrity of your online presence. By implementing strong passwords, unique usernames, Two-Factor Authentication, login attempt limits, and employing security plugins and monitoring tools, you can significantly reduce the risk of unauthorized access. Regularly updating your WordPress installation and performing backups adds an extra layer of protection.

Keep in mind that maintaining security is a continuous task and that you should use caution. By following these best practices, you can fortify your WordPress site against Brute Force Attacks and maintain the trust and confidence of your visitors and customers. Your online security is in your hands, so take action today to protect your WordPress site from potential threats.

FAQ on Brute Force Attacks

1: What constitutes a strong password?

A robust password should consist of a blend of uppercase and lowercase letters, numerals, and special characters. It should be a minimum of 12 characters in length and should steer clear of easily discernible patterns or common phrases.

2: How frequently should I modify my password?

It is recommended to adjust your password at regular intervals, ideally every 60 to 90 days. This practice serves to diminish the risk of unauthorized access, even if your password becomes compromised.

3: Are there dependable security plugins available for WordPress?

Certainly, there exist several trustworthy security plugins designed for WordPress, including Wordfence, Sucuri Security, and iThemes Security. These plugins furnish a range of features aimed at safeguarding your website from various security threats, including Brute Force Attacks.

4: Is it possible to regain control of my website if it falls victim to a Brute Force Attack?

In the event of your website being compromised, having regular backups assumes paramount importance. By deploying a recent backup, you can reinstate your website to a secure state. It is imperative to act swiftly to mitigate potential damage.
