WordPress Brute Force: how to protect your site from attacks

ElevaSEO, March 18, 2026, 20 min read
Tags: brute force, wordpress, security, protection, 2fa

Every day, millions of fraudulent login attempts target WordPress sites around the world. A quick glance at your server logs is enough to see it for yourself: dozens, sometimes hundreds of lines show failed login attempts on wp-login.php, originating from IP addresses scattered across the globe.

These attempts have a specific name: brute force attack. The underlying principle is as old as cryptography itself. An attacker systematically tries combinations of usernames and passwords until they find the right one. What has changed is the scale. Modern tools can test thousands of combinations per minute, and botnets distribute these attacks across hundreds of IP addresses simultaneously.

WordPress powers more than 43% of websites worldwide. This popularity makes it a prime target for attackers, not because of inherent vulnerabilities in the CMS, but because the sheer volume of vulnerable sites is enormous. A successful WordPress brute force attack can lead to data theft, malware injection, site defacement, or its misuse as a spam relay. The cost of a WordPress hack for a business often exceeds $10,000 when you factor in technical cleanup, lost revenue, and reputational damage.

This guide takes a defense-in-depth approach. We will cover every layer of protection, from password hygiene all the way to web application firewalls at the perimeter, to turn your WordPress into a fortress. The same principles also apply to other types of threats, such as SQL injections or XSS attacks.

What Is a Brute Force Attack and How Does It Work

Before deploying countermeasures, it is essential to understand the exact mechanics of a brute force attack and the different forms it can take. This understanding allows you to choose the protections best suited to your specific context.

The principle: a systematic, automated assault

A brute force attack relies on a simple mathematical principle: if you try every possible combination, you will eventually find the right one. In practice, attackers use automated scripts that submit POST requests to the WordPress login page, testing username/password pairs at high speed.

The most common tools in an attacker's arsenal include Hydra, WPScan, and custom Python scripts. These tools can test between 500 and 5,000 combinations per minute from a single machine. Multiply that by a botnet consisting of several thousand compromised machines, and you begin to grasp the scale of the threat.

A 6-character lowercase password can be cracked in a matter of minutes. A 12-character password mixing uppercase letters, lowercase letters, numbers, and special characters theoretically requires billions of years of computation. Password length and complexity are therefore the first line of defense.

The different variants of brute force

Attackers do not limit themselves to testing random combinations. Several strategies significantly improve their chances of success.

Dictionary attacks use lists of common passwords. These lists, regularly updated, contain millions of entries pulled from previous data breaches. Passwords like "123456", "password", "admin2024", or "qwerty" sit at the top of these dictionaries. A dictionary attack is far faster than pure brute force because it targets the most likely passwords first.

Credential stuffing exploits the fact that many users reuse the same password across multiple services. When a data breach exposes millions of email/password pairs (LinkedIn, Dropbox, Adobe), attackers systematically test these credentials on other sites, including WordPress. If your WordPress password is the same one you used for your LinkedIn account that was compromised in 2012, your site is at risk.

Reverse brute force locks in a common password (for example, "password123") and tests that same password against a large number of usernames. This technique is particularly effective on WordPress sites because the username "admin" is still used on a surprising number of installations.

The entry points targeted on WordPress

Attackers do not only target the standard login page. WordPress exposes several entry points that can be exploited for a brute force attack.

wp-login.php is the main door. It is the standard WordPress login form, accessible by default at yoursite.com/wp-login.php. The vast majority of brute force attacks target this URL.

xmlrpc.php represents an even more serious threat. This file, inherited from the pre-REST API era, allows remote interaction with WordPress. The system.multicall method is particularly dangerous: it permits sending hundreds, even thousands of login attempts in a single HTTP request. An attacker can thus test 500 passwords in a single request, potentially bypassing rate-limiting systems that count individual requests.

The REST API can also be exploited to enumerate usernames. By default, a simple request to /wp-json/wp/v2/users reveals the list of site authors, providing attackers with half of the username/password equation.

According to aggregated data from Wordfence for the year 2025, approximately 78% of WordPress brute force attacks target wp-login.php, 18% go through xmlrpc.php, and 4% exploit other vectors such as the REST API or third-party plugin forms.

The 4-Layer Defense: Your WordPress Brute Force Protection Strategy

The best WordPress brute force protection is not a single action but a stack of barriers. This approach, known as "defense in depth", ensures that if one layer is compromised, the subsequent layers take over. We will detail each level, from the simplest to the most robust.

Layer 1: User hygiene, the first line of defense

The first layer of defense requires no technical tools. It relies entirely on the good practices of users who have access to the site's administration.

Strong and unique passwords are non-negotiable. A robust password contains at least 16 characters and mixes uppercase letters, lowercase letters, numbers, and special characters. Better yet, use passphrases like "MyDogLoves3WalksInTheRain!" which are both long and memorable.

Using a password manager such as Bitwarden, 1Password, or KeePass is essential. These tools generate complex and unique passwords for each service, eliminating the risk of credential stuffing. WordPress displays a strength indicator when creating a password. Never settle for a password that WordPress rates as "Medium."

Two-factor authentication (2FA) is the gold standard for account security. Even if an attacker guesses your password, they will not be able to log in without the second factor. TOTP (Time-based One-Time Password) applications like Google Authenticator, Authy, or Microsoft Authenticator generate a 6-digit code that changes every 30 seconds.
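To make concrete what those authenticator apps and plugins actually compute, here is a server-side TOTP implementation added to this article (it is not code from the article or from any plugin named above). It follows RFC 4226/6238: HMAC-SHA1 over a counter derived from the 30-second time step, truncated to 6 digits. The verifier accepts one step of clock drift in either direction and refuses to accept a code for a step it has already consumed, which is the replay check a plugin must also perform. The base32 helper assumes the secret format authenticator apps scan from a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret):
    """Decode the base32 secret an authenticator app scans from the enrolment QR code.
    Spaces and missing '=' padding are tolerated because apps often display it that way."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side check: tolerates one step of clock drift either way and never
    accepts a step at or before the last accepted one, so a sniffed code cannot be replayed."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_accepted_step = -1

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self._last_accepted_step:
                continue  # already consumed (or older than the last success): reject replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self._last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), used here as a known test key.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))  # 287082 per the RFC test vectors
```

The RFC 6238 appendix vectors are a convenient way to check any TOTP implementation: time 59 with the reference secret must yield 287082. Note that the verifier is stateful per user; in WordPress the plugin stores the last accepted step in user meta so that the same code cannot be submitted twice within its 30-second lifetime.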

Several WordPress plugins implement 2FA reliably:

  • Wordfence Login Security (free): 2FA via TOTP application
  • Two Factor (official WordPress plugin): supports TOTP, email, and security keys
  • WP 2FA: polished user interface, compatible with e-commerce plugins

Passkeys (WebAuthn) represent the future of authentication. They completely replace the password with biometric authentication (Face ID, Touch ID, Windows Hello) or a physical security key. Several WordPress plugins now support passkeys, offering protection against phishing in addition to brute force.

Layer 2: Locking down WordPress at the application level

The second layer acts directly within WordPress to limit and block suspicious login attempts.

Limiting login attempts is the most direct measure against WordPress brute force attacks. The principle is simple: after a certain number of failures (typically 3 to 5 attempts), the IP address is temporarily blocked. The block duration increases progressively with each series of failures.

The most effective plugins for this task:

  • Limit Login Attempts Reloaded: lightweight, easy to configure, compatible with most setups
  • Wordfence: comprehensive solution including login attempt limiting, 2FA, application firewall, and malware scanning
  • SecuPress: French plugin offering an intuitive interface and advanced blocking features
  • Solid Security (formerly iThemes Security): also offers login URL masking

Adding a CAPTCHA to the login form adds an extra barrier against bots. Cloudflare Turnstile is a modern, privacy-friendly alternative to Google reCAPTCHA. These systems verify that the login attempt comes from a human rather than an automated script.

Changing the login URL replaces /wp-login.php with a custom URL (for example, /my-secret-access). This technique falls under security through obscurity: it does not protect against a determined attacker but significantly reduces the noise from automated attacks. The WPS Hide Login plugin is the most popular for this feature. Keep in mind that this measure alone is insufficient and should always be combined with other protections.

For a more comprehensive view of application-level protections, check out our WordPress security guide which covers all aspects of securing a site.

Layer 3: Server-level hardening

Server-level protections are more effective than plugins because they intervene before PHP and WordPress are even loaded. They therefore consume fewer resources and withstand volumetric attacks better.

Fail2Ban is an intrusion prevention tool that operates at the operating system level. It monitors log files (Apache, Nginx, auth.log) and automatically bans IP addresses that generate too many login failures. Unlike a WordPress plugin that must load PHP for every request, Fail2Ban acts at the system firewall level (iptables/nftables), blocking packets before they reach the web server.

A typical Fail2Ban configuration for WordPress monitors the web server's access log and detects repeated POST requests to wp-login.php that return an HTTP 200 status code (login failure, because WordPress returns 200 even on authentication errors, contrary to best practices).

Protection via Apache (.htaccess): if your site runs on Apache, you can add a layer of protection directly in the .htaccess file. Here are two complementary approaches.

IP-based access restriction (if you have a static IP):

<Files "wp-login.php">
    Require ip 203.0.113.15
    Require ip 203.0.113.16
</Files>

Adding supplementary HTTP authentication:

<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Files>

This double authentication means an attacker must first crack the basic HTTP password before even reaching the WordPress login form.

Protection via Nginx: Nginx offers a natively high-performance rate-limiting mechanism. The following configuration limits requests to wp-login.php to 10 per minute per IP address:

# Shared zone for rate limiting: 10 MB of state, 10 requests per minute per client IP.
# limit_req_zone must be declared in the http {} context, outside any server {} block.
limit_req_zone $binary_remote_addr zone=logins:10m rate=10r/m;

server {
    location = /wp-login.php {
        limit_req zone=logins burst=3 nodelay;
        include fastcgi_params;
        # fastcgi_params alone does not set SCRIPT_FILENAME; without it PHP-FPM cannot locate the script
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location = /xmlrpc.php {
        limit_req zone=logins burst=3 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

The burst=3 parameter lets up to 3 requests above the configured rate through, and nodelay serves those burst requests immediately instead of queuing them; anything beyond the burst is rejected with a 503 error.

Choosing a quality WordPress hosting provider directly impacts your site's security. Specialized WordPress hosts like Kinsta, WP Engine, or Cloudways natively integrate brute force protections at the server level. To compare your options, check out our WordPress hosting comparison.

Layer 4: The WAF, your perimeter shield

The Web Application Firewall (WAF) represents the most effective layer of protection against WordPress brute force attacks. Its decisive advantage: it blocks malicious traffic before it even reaches your server.

A WAF functions as an intermediary between visitors and your server. Every request first passes through the WAF, which analyzes it in real time against a set of rules. Requests identified as malicious are blocked immediately, without consuming any resources on your server.

The main benefits of a WAF for WordPress brute force protection:

  • Zero server load: attacks are blocked at the perimeter; your server never even sees the malicious requests
  • Protection against distributed attacks: even if the attack comes from thousands of different IP addresses, the WAF can correlate behaviors and block the entire campaign
  • Continuously updated rules: the WAF provider's security teams analyze new threats and deploy protection rules in real time
  • Additional features: CDN, caching, performance optimization, DDoS protection

The most widely used WAF solutions with WordPress:

  • Cloudflare: offers a free plan including basic brute force protection, with paid plans for advanced rules. Cloudflare Turnstile can be added as a challenge on the login page
  • Sucuri WAF: specialized in WordPress security, offers cleanup in case of compromise and proactive protection
  • Akamai / AWS WAF: enterprise solutions for high-traffic sites

To dive deeper into web application firewalls, our comprehensive WAF guide details the selection criteria and recommended configurations.

The fundamental difference between a security plugin and a WAF is comparable to the difference between an alarm inside a house and a guard at the front gate. The plugin reacts after WordPress has already processed the request (loading PHP, connecting to the database, executing code). The WAF intercepts the request before it reaches the server. During a volumetric attack with thousands of requests per second, a plugin can crash your server under the load, while the WAF absorbs the attack without flinching.

Prevention Over Cure: Hardening Your WordPress Installation

Beyond direct protection measures against brute force, hardening your WordPress installation reduces the overall attack surface. These preventive measures are straightforward to implement and eliminate entire attack vectors.

Never use the "admin" username

The username "admin" is the first value tested by every brute force bot. If your administrator account still uses this identifier, you are giving attackers half of the equation. They only need to guess the password.

To change the administrator username:

  1. Log in to the WordPress administration panel
  2. Create a new account with the Administrator role and a unique username (also avoid "administrator", "webmaster", or the site's domain name)
  3. Log out and log back in with the new account
  4. Delete the old "admin" account and assign its content to the new account

If you prefer to modify the database directly:

-- Replace the wp_ prefix with your own table prefix if you changed it in wp-config.php
UPDATE wp_users SET user_login = 'new_username' WHERE user_login = 'admin';

Also consider disabling user enumeration via the REST API. Add this code to your child theme's functions.php file:

add_filter('rest_endpoints', function($endpoints) {
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

Audit user accounts and apply the principle of least privilege

Every WordPress user account represents a potential entry point for a brute force attack. Reducing the number of accounts and limiting their privileges minimizes risk.

Best practices to follow:

  • Limit the number of administrators to one or two accounts at most. Editors, authors, and contributors do not need the Administrator role
  • Remove unused accounts: former employees, freelancers whose engagement has ended, test accounts
  • Regularly audit the user list in Users > All Users. Also check directly in the database (wp_users table) as malicious accounts can be hidden from the interface
  • Use custom roles if WordPress's native roles do not match your needs. The Members plugin allows you to create tailored roles

Disable XML-RPC if you do not use it

The XML-RPC protocol is one of the most exploited vectors for WordPress brute force attacks. If you do not use Jetpack, the WordPress mobile app, or a tool that requires XML-RPC, disable it.

The simplest method is to add this line to your child theme's functions.php file:

add_filter('xmlrpc_enabled', '__return_false');

For a more radical protection at the server level, block access to the file entirely. In .htaccess (Apache):

<Files "xmlrpc.php">
    Require all denied
</Files>

In Nginx configuration:

location = /xmlrpc.php {
    deny all;
    return 403;
}

If you use Jetpack or the WordPress mobile app, do not disable XML-RPC entirely. Instead, configure your WAF to rate-limit requests to this file and block system.multicall calls.
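The "block system.multicall, rate-limit the rest" policy above can be expressed as a small request inspector. The following Python function is an added example (not code from the article, from WordPress, or from any WAF product) of what such a rule does with a POST body to xmlrpc.php: oversized or malformed bodies are rejected before parsing, a system.multicall is blocked outright and its nested call count recorded for the logs, and single calls to credential-taking methods are flagged so they can share the same rate-limit budget as wp-login.php. The method list and the sample request bodies are constructed for the example; the credential values are placeholders.

```python
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 64 * 1024  # parse nothing larger: XML bombs and huge multicalls stop here

# XML-RPC methods that take a username/password pair, i.e. the ones a guessing tool would call.
# Assumed subset for the example; extend it from the methods your site actually exposes.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "wp.getPost", "wp.newPost",
    "wp.editPost", "wp.getUsers", "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs",
}


def _nested_method_names(root):
    """Method names listed inside a system.multicall body (struct members named methodName)."""
    names = []
    for member in root.iter("member"):
        if (member.findtext("name") or "").strip() == "methodName":
            value = member.find("value")
            if value is not None:
                names.append("".join(value.itertext()).strip())
    return names


def inspect_xmlrpc(body):
    """Decide what to do with one POST body to xmlrpc.php.
    Returns ("block", reason), ("rate-limit", method) or ("allow", method)."""
    if len(body) > MAX_BODY_BYTES:
        return ("block", "oversized body")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("block", "malformed XML")
    if root.tag != "methodCall":
        return ("block", "not a methodCall")
    method = (root.findtext("methodName") or "").strip()
    if method == "system.multicall":
        nested = _nested_method_names(root)
        with_creds = sum(1 for n in nested if n in CREDENTIAL_METHODS)
        return ("block", f"system.multicall with {len(nested)} nested calls, {with_creds} taking credentials")
    if method in CREDENTIAL_METHODS:
        # One call, one credential check: count it against the same budget as wp-login.php.
        return ("rate-limit", method)
    return ("allow", method)


# Constructed request bodies for the three cases (placeholder credentials, example.org URLs).
SINGLE_CALL = b"""<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>alice</string></value></param>
<param><value><string>placeholder-password</string></value></param></params></methodCall>"""

PINGBACK = b"""<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName>
<params><param><value><string>https://example.org/post/</string></value></param>
<param><value><string>https://example.com/2026/03/article/</string></value></param></params></methodCall>"""


def _multicall(n):
    """Build a system.multicall wrapping n copies of the same credential-taking call."""
    one = ("<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
           "<member><name>params</name><value><array><data><value><string>alice</string></value>"
           "<value><string>placeholder-password</string></value></data></array></value></member></struct></value>")
    return (b'<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            b"<params><param><value><array><data>" + (one * n).encode()
            + b"</data></array></value></param></params></methodCall>")


MULTICALL = _multicall(3)

if __name__ == "__main__":
    for name, body in (("single", SINGLE_CALL), ("pingback", PINGBACK), ("multicall", MULTICALL)):
        print(name, inspect_xmlrpc(body))
```

The size cap matters as much as the method check: xml.etree is not hardened against entity-expansion attacks, so reject large bodies before they are parsed. In a real deployment this logic lives in the WAF or in a PHP mu-plugin hooked on the xmlrpc_methods filter, not in a separate process.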

The critical importance of updates

An outdated WordPress installation, theme, or plugin can contain known vulnerabilities that facilitate not only brute force attacks, but also code injections, privilege escalations, and malware installations.

Security updates patch vulnerabilities that are being actively exploited. Delaying an update, even by a few days, exposes your site to automated attacks that specifically target vulnerable versions.

Adopt a strict update routine:

  • WordPress Core: enable automatic minor updates (enabled by default since WordPress 3.7)
  • Plugins and themes: check for updates at least once a week
  • PHP: ensure your server is running a version of PHP that is still supported

For a complete maintenance checklist, check out our WordPress monthly maintenance guide and our detailed WordPress update guide.

How to Detect a Brute Force Attack in Progress

Knowing how to identify an ongoing brute force attack is just as important as protecting against one. The faster you detect the attack, the sooner you can strengthen your defenses.

Indicators in server logs

Your web server's access logs are the most reliable source of information. Look for the following patterns:

  • Repeated POST requests to /wp-login.php or /xmlrpc.php from the same IP or the same address block
  • HTTP response codes: a series of 200 responses on wp-login.php (WordPress returns 200 even on authentication failure) followed by a 302 redirect (successful login)
  • Abnormal volume: more than 10 requests per minute to the login page is suspicious; more than 100 per minute clearly indicates an automated attack
  • Suspicious user agents: requests without a User-Agent or with generic User-Agents like "Python-requests" or "curl"
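The four indicators above, together with the "repeated POST to wp-login.php returning 200" rule that the Fail2Ban paragraph describes, can be turned into a small log analyzer. The script below is an added example (not part of the article and not a Fail2Ban filter) in Python: it parses Apache/Nginx combined-format lines, groups login POSTs by client IP, measures the peak number of failures in any 60-second window, flags tool-like or missing user agents, and raises a separate finding when a 302 follows a run of 200s from the same IP, which is the pattern of a guess that succeeded. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore ?redirect_to=... query strings
    return rec


def is_tool_agent(ua):
    """Missing or generic tool user agents: a weak signal on its own, strong with the others."""
    ua = ua.strip().lower()
    return ua in ("", "-") or ua.startswith(("python-requests", "curl", "go-http-client"))


def peak_in_window(times, window_seconds):
    """Largest number of events inside any window_seconds span (two-pointer sweep over sorted times)."""
    peak = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(lines, threshold=10, window_seconds=60, min_failures_before_success=3):
    """Group login POSTs per client IP and return a finding for every IP that trips a rule."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        failure_times = [r["time"] for r in recs if r["status"] == 200]
        peak = peak_in_window(failure_times, window_seconds)

        # A 302 after a run of 200s from the same client: the guessing may have succeeded.
        failures_so_far, success_after_failures = 0, False
        for r in recs:
            if r["status"] == 200:
                failures_so_far += 1
            elif r["status"] == 302 and failures_so_far >= min_failures_before_success:
                success_after_failures = True

        tool_agent = any(is_tool_agent(r["ua"]) for r in recs)
        if peak >= threshold or tool_agent or success_after_failures:
            findings[ip] = {
                "peak_failures": peak,
                "over_threshold": peak >= threshold,
                "tool_agent": tool_agent,
                "success_after_failures": success_after_failures,
            }
    return findings


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'


# Constructed sample log: one scripted attacker, one legitimate user with a typo, one xmlrpc prober.
SAMPLE_LOG = (
    [_line("203.0.113.50", f"18/Mar/2026:10:00:{i:02d} +0000", "POST", "/wp-login.php", 200,
           "python-requests/2.31") for i in range(12)]
    + [_line("203.0.113.50", "18/Mar/2026:10:00:12 +0000", "POST", "/wp-login.php", 302, "python-requests/2.31")]
    + [_line("198.51.100.7", "18/Mar/2026:10:05:00 +0000", "POST", "/wp-login.php", 200, "Mozilla/5.0"),
       _line("198.51.100.7", "18/Mar/2026:10:05:20 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
       _line("198.51.100.7", "18/Mar/2026:10:05:21 +0000", "GET", "/wp-admin/", 200, "Mozilla/5.0"),
       "a line in another format is skipped rather than crashing the parser"]
    + [_line("192.0.2.9", f"18/Mar/2026:11:00:{i:02d} +0000", "POST", "/xmlrpc.php", 200,
             "curl/8.5.0") for i in range(5)]
)

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

Run it against a real access log with `analyze(open("/var/log/nginx/access.log").read().splitlines())`. The thresholds mirror the article's guidance (10 requests per minute is suspicious); the success-after-failures finding is the one to act on first, because it names an account whose password may now be known to the attacker.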

Visible signs of an attack

Some symptoms are directly observable without analyzing logs:

  • Sudden site slowdown: a volumetric brute force attack can saturate server resources (CPU, memory, PHP connections)
  • Notification emails: if you have configured a security plugin, you will receive alerts for failed login attempts
  • Your own IP getting blocked: if rate-limiting measures are too aggressive, an attack can trigger the blocking of entire IP ranges, preventing you from accessing the site yourself
  • Abnormal bandwidth consumption: visible in your hosting provider's dashboard

Setting up an alert system

Proactive detection relies on an alert system configured in advance:

  1. Security plugin with notifications: Wordfence, Sucuri, or SecuPress send emails or Slack notifications when brute force attempts are detected
  2. Server monitoring: tools like Uptime Robot, Pingdom, or Better Uptime detect slowdowns and outages
  3. Fail2Ban with notifications: configure Fail2Ban to send an email for each IP ban
  4. Google Search Console: set up security alerts to be notified if Google detects an issue on your site

If you notice signs that your WordPress site has been hacked, act immediately. Time is a critical factor.

What to Do After a Successful Brute Force Attack

If despite all your precautions an attacker has managed to breach your site, the speed of your response is decisive. Every passing minute allows the attacker to consolidate their position, install backdoors in WordPress files, and further compromise your installation.

The first emergency steps

Follow this procedure in order:

  1. Put the site in maintenance mode immediately to protect your visitors. WordPress maintenance mode can be activated via a plugin or by creating a .maintenance file at the site root
  2. Change all passwords without exception:
     • WordPress administrator password
     • Database password (in wp-config.php)
     • FTP/SFTP password
     • Hosting panel password (cPanel, Plesk)
     • WordPress security keys (SALT keys in wp-config.php)
  3. Check user accounts: look for any administrator account that you did not create. Check directly in the database (SELECT * FROM wp_users WHERE user_login NOT IN ('your_legitimate_accounts'))
  4. Scan the site files for malicious code. Compare WordPress core files with the originals using wp core verify-checksums if you have access to WP-CLI
  5. Analyze the logs to determine the time and method of compromise. This information is crucial for assessing the extent of the damage

Full cleanup

A superficial cleanup is insufficient. Attackers systematically install backdoors to maintain their access even after a password change. Our WordPress hack cleanup guide details the complete procedure.

If you prefer a manual approach, check our guide on how to remove WordPress malware manually. In severe cases, engaging a professional for WordPress security remediation after a hack remains the safest option.

Also check whether your domain has been added to Google's blacklist. A site flagged as dangerous immediately loses its organic traffic and visitor trust.

Post-incident prevention

After the cleanup, implement all the protection layers described in this guide if they were not already in place. A site that has been compromised once is particularly likely to be attacked again, as attackers often share their lists of successful targets.

Priority actions after an incident:

  • Deploy a WAF if you have not already done so
  • Enable 2FA on all administrator accounts
  • Update your entire stack (WordPress, plugins, themes, PHP)
  • Set up an automated and tested backup system
  • Schedule a monthly security audit

Complete Checklist: Securing WordPress Against Brute Force

To facilitate the implementation of all the measures described in this guide, here is a summary checklist organized by priority. Start with the immediate-impact actions, then progress to the advanced measures.

Immediate actions (under 30 minutes)

  • Change the "admin" username to a unique identifier
  • Enable 2FA on all administrator accounts
  • Install a login attempt limiting plugin (Limit Login Attempts Reloaded or equivalent)
  • Update WordPress, plugins, and themes to their latest versions
  • Review and remove unused user accounts

Intermediate actions (1 to 2 hours)

  • Configure a CAPTCHA (Cloudflare Turnstile or reCAPTCHA) on the login form
  • Disable XML-RPC or restrict its access via the web server
  • Change the login URL with WPS Hide Login or equivalent
  • Disable user enumeration via the REST API
  • Install a comprehensive security plugin (Wordfence, SecuPress, or Sucuri)
  • Configure alert notifications for suspicious attempts

Advanced actions (requires server access)

  • Deploy a WAF (Cloudflare, Sucuri WAF)
  • Configure Fail2Ban to monitor WordPress logs
  • Set up rate-limiting at the web server level (Apache or Nginx)
  • Add supplementary HTTP authentication on wp-login.php
  • Configure daily automated backups
  • Set up uptime monitoring (Uptime Robot, Pingdom)

Conclusion: Effective Protection Is Layered Protection

WordPress brute force protection does not rely on a single solution but on the intelligent combination of multiple defense layers. Each layer compensates for the potential weaknesses of the others.

The minimum recommended combination for any WordPress site is:

  • Strong and unique passwords generated by a password manager
  • Two-factor authentication on all administrator accounts
  • A perimeter WAF (even Cloudflare's free plan offers significant protection)

These three measures alone are sufficient to block more than 99% of automated brute force attacks. The additional measures (Fail2Ban, server-level rate-limiting, login URL modification) add protection layers for high-value or high-traffic sites.

Do not wait until you see hundreds of failed login attempts in your logs before taking action. Every day without protection is a day your site is exposed. Take 30 minutes today to apply the immediate actions from the checklist above. If your site has already been compromised, our cleanup and post-hack security guides will walk you through the restoration process.

WordPress security is an ongoing process, not a destination. Threats evolve, tools improve, and your defense strategy must keep pace. A rigorous monthly WordPress maintenance routine is the best guarantee of long-term peace of mind.
