How to Protect Your Website From WordPress Brute Force Attacks?

Are you worried that hackers are launching brute force attacks on your website?

We wish we could tell you that your website is safe but the truth, is it’s quite possible that your website is under a brute force attack right now.

A brute force attack is the most common WordPress attacks. In this type of attack, hackers try to guess the correct combination of your username and password to gain access to your site.

Once they have access to your site, they can use it to execute malicious activities. Once a hacker is inside your website, they can cause all sorts of trouble like using your site’s resources to store files, stealing your data, defacing your site, launching attacks on other websites, sending spam emails from WordPress site, injecting spam links etc.

Apart from this, things can snowball much further. When Google finds out that your website is hacked, your site will appear with deceptive site ahead warning or this site may be hacked warning in search results, Google can blacklist your site and your hosting provider can suspend your site.

But don’t worry. You can prevent this catastrophe by protecting your site from brute force attacks. In this article, we’ll show you the exact steps that you need to take to secure your website against this type of attack.

TL;DR: To protect your website against brute force attacks, install Best WordPress Security Plugin. It comes with a Login Protection feature using which it blocks hackers when they are trying to apply brute force attacks on your login page.

What is a WordPress Brute Force Attack?

Every WordPress website has a login page where the site owner has to enter a username and a password in order to access the wp-admin dashboard.

wordpress dashboard

Every WordPress website has a default login page that looks like this –

wordpress username password

Hackers are aware of this. So it’s easy for them to find the login page of any WordPress website.

Many site owners tend to use usernames and passwords that are easy to remember. Common ones include admin as a username and password1234 or 12345678 set as a password.

Hackers have a huge database of such commonly used usernames and passwords.

They program bots to find WordPress websites, open the login pages and launch brute force attacks on them. The bots try out various combinations of common usernames and passwords to gain access to the site.

They also pick up names displayed on the website such as author names or founder and team member.

These are capable of making thousands of login attempts per minute.

This is what is called a brute force attack.

Now, even if they aren’t successful at guessing your credentials, this kind of attack can still damage your site.

Thousands of login attempts made within minutes will shock your web server and cause slow down or even crash.

Hence, using strong credentials is necessary to ensure that hackers can’t break in but it isn’t sufficient. In order to protect your website against the damages that brute force attacks can cause, you need to take measures to prevent the hacker from accessing your site altogether.

In the next section, we’ll show you the security measures you need to take to protect your WordPress site against brute force attacks and hackers altogether.

How To Protect Your Website From Brute Force Attacks?

To keep hackers at bay and prevent brute force attacks, there are 8 security measures you need to implement on your site.

  1. Use Strong Usernames & Passwords
  2. Prevent Discovery of Username
  3. Limit Login Attempts
  4. Change Default Login Page URL
  5. Implement Two-Factor Authentication
  6. Implement HTTP Authentication
  7. Use a Firewall
  8. Implement Geoblocking

We’ll take you through each one of the measures step-by-step.


1. Use Strong Usernames & Passwords

A login credential has two elements – username and password.

If you use a username and password that’s long and unique, it will be difficult for hackers bots to guess your credentials.

i. Unique Usernames

It’s not uncommon to have a strong password but not a strong username. If your username is easy to guess, then the hacker only needs to figure out the password. This makes their job much easier.

This is why it’s important to avoid using common usernames.

Instead, use something that’s unique and cannot be found on your website.

Weak usernames are one of the most common security vulnerabilities found on WordPress website. If you have multiple users on your website, it’s best to investigate if anyone is using a common username. If they are, you need to ensure that they are switching to a unique username.

You can share this guide with your users – How to Change WordPress Username?

ii. Strong Passwords

When you are creating a new user account, WordPress encourages you to use a strong password by generating a password for you. However, you can still choose to set a weak password. WordPress will warn you about the weak password, but you can get away with it by selecting the option Confirm use of weak password.

wordpress weak password for WordPress brute force attacks

Thus the onus of creating a strong password falls on the users. A general rule of thumb is to use a combination of uppercase, lowercase, and special characters. For instance this is considered a strong password – p$d&xG56ZhLNrJl49&)NJ4#h

Most WordPress users are adverse to using a strong password because it’s hard to remember. But you could learn to use password management techniques so that you can use strong passwords without having to remember them. Here’s a guide on Password Management For WordPress Users.


2. Prevent Discovery of Username

During brute force attacks, hackers scan your website searching for names that they can use to try and break into your website. You can prevent hackers from finding it by using the following measures –

i. Change Display Name

Many websites have blog posts with names of the author displayed at the beginning or end of the article. If this display name is the same as your author name, then hackers can pick that up and use it to log into your website.

To protect your username, you can change your display name. Here’s how –

Step 1: From your WordPress dashboard, select Edit your profile.

edit profile wordpress

Step 2: Then go to Nickname and change it. We changed our nickname from Sophia to Phoebe.

Step 3: Next, from the option Display name publicly as, select the new nickname. Save this setting by scrolling down and click on Update Profile.

change wordpress display name

And that’s how you change your display name.

ii. Block WordPress Rest API From Displaying Name

Besides, the display name, another way hackers find usernames on a WordPress website is through Rest API. WordPress had introduced it back in 2016 for the benefit of users but hackers have found a weak spot in the function.

Using the API, anyone can find user information from your website including the username. All you have to do is run this simple URL:

xmlrpc display user details

There are two ways in which you can prevent the Rest API from displaying the usernames. You can use a plugin or do it manually.

→ Using a Plugin to Prevent Rest API From Displaying Usernames (Recommended)

At the time of writing this, Disable REST API is the only plugin that can block Rest API from displaying usernames.

So install and activate Disable REST API on your website and the plugin will automatically disable the API.

→ Manually Preventing Rest API From Displaying Usernames

You can insert a code snippet into your function.php file.

Note: The manual method involves making changes to WordPress files which is risky. One small misstep can break your website. Go ahead with this method only if you have knowledge about the inner workings of WordPress. Moreover, we strongly recommend taking a website backup with a WordPress backup plugin so that if something goes wrong, you can quickly restore your site back to normal.

Step 1: To locate the function.php file, log into your WordPress hosting account. Go to cPanel > File Manager > public_html.

Step 2: In the public_html folder, access wp-content and select the theme that is active on your site.

We have ‘personalblogily’ activated on our site and therefore we choose that folder.

Step 3: Located inside your active theme folder is the function.php file. Right click and select Edit.

theme functions file

Step 4: In this step, place the following code snippet inside the function.php file. That’s it.

function wpbeginner_remove_version() {

return '';


add_filter('the_generator', 'wpbeginner_remove_version');

Remember to save the file.


3. Limit Login Attempts

Earlier in the article, we spoke of how in brute force attacks hackers deploy bots on your WordPress login page.

The bots are programmed to try out combinations of common usernames and passwords to gain access to your site. We also spoke about how bots can make thousands of attempts within the span of a minute, which can break your password combination easily.

But what if you could stop the bot in its track?

Our brute force attack prevention plugin allows only 3 login attempts. After making three login attempts with the wrong credentials, the visitor is blocked from the login page.

In case a user has genuinely forgotten their credentials, there is a way for them to unblock themselves quickly.

The plugin presents the user with a CAPTCHA to solve. Once the user solves it, they can try to login again. This prevents bots from going further as they cannot solve CAPTCHA codes.

To activate our brute force attack prevention plugin, you need to take the following steps –

Step 1: Create an account and activate our plugin on your website.

After activation, the plugin will automatically implement CAPTCHA-protection measures.

malcare firewall

Step 2: From the plugin dashboard, you can check the details of the bots that are being blocked by the plugin.

malcare blocked login details.

4. Change Default Login Page URL

Earlier in the article, we discussed how every WordPress website has a default login URL that looks like this –

Since hackers know the format of the default login URL, they can easily find your login page to launch brute force attacks.

But if you move the login page to a new URL (like, then it’ll be harder for hackers to find the login page.

Hackers rarely target a single website. They prefer launching attacks on multiple websites so if they are unable to find your default login URL, they are likely to move on to their next target.

There are a number of plugins that’ll help to change your URL like Easy Hide Login, Change wp-admin login, WPS Hide Login, etc.

We’ve chosen WPS Hide Login to demonstrate changing the URL based on its ratings in the WordPress repository. Over 60000 people have it actively installed and it is being updated frequently. This indicates that it’s a trusted plugin and is safe to use.

To change the your default login page URL with WPS Hide Login, you need to take the following steps –

Step 1: Install and activate WPS Hide Login on your WordPress website.

Step 2: From your WordPress dashboard, go to Settings and choose WPS Hide Login and set the new login URL. Remember to save the setting.

wps hide login

And that’s it.

Also Read: WordPress Limit Login Attempts: How to do it?


5. Implement Two-Factor Authentication

You must have noticed how you need to take two steps to log into popular services like Gmail and Facebook. In the first step, you enter your username and password. Then the service sends a code to your smartphone which you have to enter to access your account.

This two-step method ensures that the actual user is logging into the account by verifying themselves in real-time.

You can implement this two-step method on your WordPress website by installing a two-factor authentication plugin.

After enabling the plugin, when you are logging into your website, you will be sent a unique code on your smartphone. Only after entering the code can you access your WordPress dashboard.

For more detailed steps, follow this guide on How to Add WordPress Two-Factor Authentication?


6. Implement HTTP Authentication

You can add another layer of protection on your WordPress login page through HTTP authentication. HTTP authentication is a technique using which you can block hackers from accessing your login page.

http authentication on login page

When you open a login page of a website with HTTP authentication installed, a sign-in box appears on the top of the page asking for your credentials.

A HTTP credential is not the same as your login credential. HTTP authentication can be implemented on your website using a plugin. During the installation of the plugin, you will be asked to create a HTTP credential. This is the credential you need to insert in order to access the login page.

Without these credentials no one can access the login page.

At the time of writing this, HTTP Auth is the only plugin that enables HTTP authentication. To install the plugin, you can follow these steps:

Step 1: Install and activate HTTP Auth on your WordPress website.

Step 2: On your WordPress dashboard, you should be able to see the HTTP Auth option on the left side of the screen. Select HTTP Auth > Settings.

Step 3: Next, you need to do the following –

  • Choose a Username and Password
  • Select the option Login and WordPress Admin Pages
  • Select the option Active HTTP Authentication
  • Hit Save Changes
http authentication plugin settings

That’s it. HTTP authentication is now active on your website.

Note: If you have multiple users then remember to share the HTTP credential with your users so that they can access the login page of your website.


7. Use Firewall Protection

Wouldn’t it be great if you could identify hackers and prevent them from accessing your website in the first place?

A firewall can help you do this.

A WordPress firewall filters the good traffic from the bad. It allows only the good traffic to access your website while the bad traffic is promptly blocked. if the good traffic is accidentally blocked, don’t worry! check out our guide on whitelisting an ip address.

How does a firewall identify bad traffic?

Anyone who visits your website is using a device like a smartphone or laptop to view your website. Each device is associated with an unique IP address.

When hackers carry out malicious activities, their IP addresses are identified and classified as malicious.

The firewall has a database of malicious IP addresses which it uses to identify hackers and bots.

When a visitor tries to access your site, the website firewall first checks their IP address against its database. If it identifies that the IP is marked as malicious, it blocks the visitor promptly. Thus, preventing a hack attempt.

Our security plugin MalCare comes with a WordPress firewall which is automatically implemented when you install the plugin.

malcare firewall

Also read: How to stop WordPress Registration Spam


8. Implement Geoblocking

Geoblocking is a method using which you can ban all IP addresses originating from a specific country.

While hackers exist all over the world, data shows that a large amount of hack attacks are launched from a handful of countries. To reduce the chances of a brute force attack, you can block countries.

The Center for Strategic and International Studies (CSIS) found that China and Russia have been the biggest sources of cyber attacks.

If your website does not target Chinese and Russian visitors, then consider implementing geoblocking.

Our security plugin MalCare, offers an easy and reliable way to block unwanted traffic from accessing your site. You can select the countries of your choice and block them in just a few clicks.

malcare geoblocking

Here’s a guide that will help you implement geoblocking on your website – WordPress country blocking.

We are confident that if you implement these security measures, your website will be safe against WordPress brute force attacks.

Final Thoughts

Brute force attacks are one of the most common attacks on WordPress sites. It has a high rate of success because website owners are prone to using weak credentials.

However, if you implement the steps that we have laid out in this article, we are confident that you can prevent hackers from brute-forcing into your website.

That said, there are many different types of attacks that hackers can launch against WordPress sites. For this reason, we recommend protecting your site not just from brute force attacks, but all common hack attacks like phishing, spam link injection, etc;

Besides taking precautions against brute force attacks, we strongly suggest that you keep your WordPress salts and security keys updated. Also, you can use a security plugin like MalCare to ensure that your website is protected from all types of hack attempts. The plugin comes with a firewall that’ll block malicious traffic, offers login protection measures to prevent bots from accessing your site, a daily vulnerability scanner to ensure that there’s no malware infection, an automatic cleaner to remove malware before things escalate, among other things.

Try MalCare Security Services Right Now!

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap