How to Protect Your Website From WordPress Brute Force Attacks?


Are you worried that hackers are launching brute force attacks on your website?

We wish we could assure you that your website is secure, but the reality is that it is very likely that it is currently under a brute force attack.

The most famous WordPress attack is a brute force attack. Hackers attempt to guess the right combination of your username and password to gain access to your site in this form of attack.

They will use your platform to carry out malicious activities once they have gained access to it. If a hacker has gained access to your website, they can use its resources to store information, steal your data, deface your site, launch attacks on other websites, send spam emails from your WordPress site (read: phishing hack), insert spam links, and so on.

Aside from that, situations will easily escalate. When Google discovers that your website has been hacked, your site may appear in search results with a misleading site ahead alert or this site may be hacked warning, and Google will blacklist your site or suspend your hosting provider.

But don’t be concerned. You will stop this tragedy by shielding your website against brute force attacks. We’ll walk you through the exact steps you need to take to defend your website from this sort of assault in this post.

TL;DR version

Install Best WordPress Protection Plugin to protect your website from brute force attacks. It has a Password Security feature that prevents hackers from attempting brute force attacks on your login page.

What is a WordPress Brute Force Attack?

To access the wp-admin dashboard, every WordPress website has a login page where the site owner must enter a username and password.
Every WordPress website has a login page that looks something like this:

This is something that hackers are well aware of. As a result, finding the login page of any WordPress website is simple for them.

Many website owners prefer easy-to-remember usernames and passwords. Admin is a common username, and password1234 or 12345678 is a common password.

Hackers have a wide database of usernames and passwords that are widely used.

They program bots to scan for WordPress websites, open the login pages, and launch brute force attacks. To gain access to the web, the bots try different combinations of common usernames and passwords.

They also pick up names from the website, such as author names, founder names, and team member names.

Thousands of login attempts per minute are possible with these.

This is referred to as a brute force attack.

Even if they don’t succeed in guessing your passwords, this type of attack can still cause harm to your website.

Thousands of login attempts in a matter of minutes will overload your web server, causing it to stutter or even crash.

As a result, although using strong passwords is crucial to prevent hackers from breaking in, it is not sufficient. To protect your website from the harm that brute force attacks can cause, you must take steps to prevent the hacker from ever gaining access to it.

In the following section, we’ll go through the security precautions you can take to protect your WordPress site from brute force attacks and hackers.

How To Protect Your Website From Brute Force Attacks?

There are eight security measures you can enforce on your site to keep hackers at bay and avoid brute force attacks.

    1. Use Strong Usernames & Passwords
    2. Prevent Discovery of Username
    3. Limit Login Attempts
    4. Change Default Login Page URL
    5. Implement Two-Factor Authentication
    6. Implement HTTP Authentication
    7. Use a Firewall
    8. Implement Geoblocking

We’ll take you through each one of the measures step-by-step.

Use Strong Usernames & Passwords

The username and password are the two components of a login credential.

It would be difficult for hackers bots to guess your passwords if you use a long and special username and password.

Unique Usernames

It’s not unusual for someone to have a good password but a weak username. If the hacker can guess your username, he or she just needs to find out your password. This makes their work a lot simpler for them.

This is why it’s crucial to stop using usernames that are widely used.

Instead, use something that is one-of-a-kind and not available anywhere else on your website.

One of the most common security bugs found on WordPress websites is poor usernames. If your website has many users, it’s a good idea to see if someone is sharing a username. If that’s the case, make sure they’re switching to a new username.

Strong Passwords

WordPress allows you to use a good password when you create a new user account by producing one for you. You can, however, opt to use a weak password. WordPress will alert you about the weak password, but if you choose the option Confirm use of a weak password, you can get away with it.

As a consequence, it is up to the users to create a strong password. Using a mix of uppercase, lowercase, and special characters as a general rule of thumb. For example, this is regarded as a strong password – p$d&xG56ZhLNrJl49&)NJ4#h

Since strong passwords are difficult to recall, most WordPress users are reluctant to use them. You may, however, learn how to use password management techniques to create powerful passwords without having to remember them. For WordPress users, here’s a guide to password management.

Prevent Discovery of Username

During brute force attacks, hackers search your website for names that they can use to try to break into it. You will keep hackers from discovering it by taking the following precautions:

Change Display Name

Some blogs have blog posts that include the author’s name at the start or end of the piece. If this show name is the same as your author name, hackers may use it to gain access to your website.

You can change your show name to protect your username. Here’s how it’s done:

Step 1: Pick Edit your profile from your WordPress dashboard.

Step 2: Next, go to Nickname and make a modification. We called ourselves Phoebe instead of Sophia.

Step 3: Pick the new nickname from the option View name publicly. Scroll down and click Update Profile to save this configuration.

Block WordPress Rest API From Displaying Name

Apart from the show name, hackers can also find usernames on a WordPress website by using the Rest API. It was launched by WordPress in 2016 for the good of users, but hackers discovered a flaw in the function.

Anyone can access user details from your website via the API, including the username. All you have to do is type in the following URL: Users may be found at

There are two ways to avoid the usernames from being displayed by the Rest API. You can either use a plugin or do it by hand.

  1. → Using a Plugin to Prevent Rest API From Displaying Usernames (Recommended)
  2. Disable REST API is the only plugin that can prevent Rest API from displaying usernames at the time of writing.
  3. Install and trigger Disable REST API on your website, and the API will be disabled automatically.
  4. → Manually Preventing Rest API From Displaying Usernames
  5. You can add a snippet of code to your function.php file.

Note: Using the manual method necessitates making adjustments to WordPress files, which can be dangerous. Your website may be destroyed by a slight blunder. Proceed with this approach only if you are familiar with WordPress’s inner workings. Furthermore, we strongly suggest making a website backup using a WordPress backup plugin so that you can easily restore your site to its previous state if anything goes wrong.

Step 1: To locate the function.php file, log into your WordPress hosting account. To access public HTML, go to cPanel > File Manager > public HTML.

Step 2: Navigate to wp-content in the public HTML folder and pick the active theme on your web.

We chose that folder because we have ‘personalblogily’ enabled on our web.

Step 3: The function.php file is located in your active theme folder. Select Edit from the context menu by right-clicking.

Step 4: In this step, place the following code snippet inside the function.php file. That’s it.

function wpbeginner_remove_version() {
return '';
add_filter('the_generator', 'wpbeginner_remove_version');

Remember to save the file.

Limit Login Attempts

Earlier in this post, we addressed how hackers use bots on your WordPress login page in brute force attacks.

To gain access to your site, the bots are programmed to try a variety of popular usernames and passwords. We also discussed how bots can make thousands of attempts in under a minute, quickly breaking your password combination.

But what if you could halt the bot’s progress?

Just three login attempts are enabled by our brute force attack prevention plugin. The visitor is barred from the login page after three unsuccessful login attempts with incorrect credentials.

There is a way for a user to easily unblock themselves if they have forgotten their credentials.

The user is given a CAPTCHA to solve by the plugin. After the user has figured it out, they should try logging in again. This prevents bots from advancing because they are unable to crack CAPTCHA codes.

You must complete the following steps to enable our brute force attack prevention plugin –

Step 1: Sign up for an account and install our plugin on your web.

The plugin will automatically enforce CAPTCHA-protection measures after activation.

Step 2: From the plugin dashboard, you can check the details of the bots that are being blocked by the plugin.

Change Default Login Page URL

We spoke about how every WordPress website has a default login URL that looks like this: earlier in the post.

Hackers can easily find your login page to conduct brute force attacks since they know the format of the default login URL.

However, if you switch the login page to a different URL (such as, hackers would have a tougher time locating it.

Hackers almost never go for a single website. They like to target several websites at once, so if they can’t find your default login URL, they’ll likely move on to the next one.

Quick Hide Username, Adjust wp-admin login, WPS Hide Login, and other plugins can assist you in changing your URL.

To explain adjusting the URL based on its ratings in the WordPress repository, we’ve chosen the WPS Hide Username. It has been downloaded by over 60000 people and is regularly updated. This means it’s a secure plugin that’s safe to use.

You must take the following steps to adjust your default login page URL with WPS Hide Login –

Step 1: On your WordPress website, install and allow WPS Hide Login.

Step 2: Go to Settings in your WordPress dashboard and pick WPS Hide Login as the latest login URL. Remember to save your changes.

Implement Two-Factor Authentication

You’ve probably noticed that logging into common services like Gmail and Facebook needs two steps. You must first enter your username and password. The service then sends a code to your phone, which you must enter to gain access to your account.

Through checking themselves in real-time, this two-step process guarantees that the actual user is signing into the account.

Installing a two-factor authentication plugin on your WordPress website will allow you to use this two-step process.

When you activate the plugin, you will receive a unique code on your smartphone when you log into your website. You can only access your WordPress dashboard after entering the code.

Implement HTTP Authentication

HTTP authentication can be used to add another layer of security to your WordPress login page. HTTP authentication is a method of preventing hackers from gaining access to your login page.

When you visit a website that uses HTTP authentication, a sign-in box appears at the top of the page, requesting your credentials.

An HTTP credential is distinct from a login credential. A plugin can be used to enforce HTTP authentication on your website. You’ll be prompted to establish an HTTP credential during the plugin’s installation. In order to access the login tab, you must enter this credential.

No one can access the login page without these credentials.

HTTP Auth is the only plugin that requires HTTP authentication at the time of writing. You can install the plugin by following these steps:

Step 1:Installing and enabling HTTP Auth on your WordPress site is the first step.

Step 2: On the left side of the screen in your WordPress dashboard, you should see the HTTP Auth option. Select HTTP Auth > Settings from the drop-down menu.

Step 3: After that, you must do the following:

  • Make a username and password collection.
  • Select the option Login and WordPress Admin Pages
  • Select the option Active HTTP Authentication
  • Hit Save Changes

That is everything there is to it. Your website’s HTTP authentication is now available.

Note: If you have many users, remember to share the HTTP credential with them so they can access your website’s login page.

Use Firewall Protection

Wouldn’t it be fantastic if you could recognize hackers and keep them from ever accessing your website?

You can do this with the aid of a firewall.

A WordPress firewall separates the positive from the poor traffic. Only good traffic is allowed to reach your website, while bad traffic is quickly blocked. Don’t panic if the successful traffic is unintentionally blocked! See our article on whitelisting an IP address for more details.

How does a firewall identify bad traffic?

Anyone who visits your website does so on a computer such as a smartphone or a laptop. A unique IP address is assigned to each user.

Hackers’ IP addresses are detected and listed as malicious when they engage in malicious activity.

The firewall maintains a database of malicious IP addresses that it uses to track down hackers and bots.

The website firewall tests a visitor’s IP address against its database when they try to access your site. If the visitor’s IP address is flagged as malicious, it is automatically blocked. As a result, a hacking attempt is thwarted.

Our protection plugin MalCare provides a WordPress firewall that is triggered automatically when you install it.

Implement Geoblocking

Geoblocking is a technique that allows you to block all IP addresses from a specific country.

Although hackers can be found all over the world, data reveals that a small number of countries are responsible for the majority of hacking attacks. You can block countries to reduce the chances of a brute force attack.

China and Russia have been the most common targets of cyber attacks, according to the Center for Strategic and International Studies (CSIS).

Consider introducing geoblocking if your website does not appeal to Chinese and Russian tourists.

MalCare, our security plugin, provides a clear and secure way to prevent unwanted traffic from accessing your site. With just a few clicks, you can pick and block the countries of your choosing.

Last Thoughts

One of the most common attacks on WordPress sites is brute force attacks. Since website owners are susceptible to using poor credentials, it has a high success rate.

However, if you follow the measures outlined in this post, we are sure that you will be able to prevent hackers from brute-forcing their way into your website.

However, there are various forms of attacks that hackers may use against WordPress pages. As a result, we recommend that you defend your site not only from brute force attacks but also from all other types of hack attacks.

We strongly advise that you keep your WordPress salts and security keys updated, in addition to taking precautions against brute force attacks. You may also use a security plugin such as MalCare to secure your website from all forms of hacking attempts. The plugin includes a firewall that blocks malicious traffic, as well as login security measures to prevent bots from accessing your web, a regular vulnerability scanner to ensure that your site isn’t infected with malware, and an automated cleaner to uninstall malware before things get out of hand.