Knock, knock, knock: a knock at the door. A furtive glance through the peephole: well, a complete stranger.

You don’t want to let him in, you never know. In “real life”, you can easily control who comes in and out of your home.

On your WordPress site, it gets a lot more complicated. On a daily basis, a whole bunch of people and malicious robots can try to break in. Without warning, and without knocking. So much for being polite.

Right now, your site is probably under siege, by the way.

Man panics because of a brute force attack on his WordPress site.
Don’t panic, everything will be fine.

These are called brute force attacks on your WordPress site. This scourge can make you cringe, unless you take the lead in protecting yourself with a series of deterrents.

In this article, find out all our ways to keep the bad guys away from your site (and discourage them from coming back).

Originally written in September 2014, this article was updated in August 2021.

Your best WordPress projects need the best host!

WPMarmite recommends Bluehost: great performance, great support. All you need for a great start.

CTA Bluehost WPMarmite

What is a brute force attack?

In a brute force attack, bots go to your WordPress site’s login page, then attempt to find out your site’s admin account login and password by testing different combinations, in order to gain control.

These combinations often include the most commonly used login and password, such as “admin” and “123456”.

If, unfortunately, one attempt is successful – these bots can make up to a thousand attempts per minute – you can say goodbye to your site. The attacker will be able to do whatever he wants, since he will be logged in as an administrator.

He can delete all the content of your site, steal personal information (email addresses, login details, customer data on a WooCommerce store, etc.), or even inject malicious software (malware).

And even if the hacker doesn’t manage to become the only master on board, the multiplicity of brute force attacks on your WordPress can also damage your site.

Indeed, during these attacks, many HTTP requests are made to your server, which can lead to performance problems, or even make your site unavailable.

Brute force attacks can affect any type of site. However, WordPress is a prime target for several major reasons:

  • It is the most widely used CMS (Content Management System) in the world. At the time of writing, more than 40% of websites use it.
  • It allows by default an unlimited number of connection attempts.
  • It is very easy to find the connection page. It is for example accessible by going to the following URL: yoursite.com/wp-admin. Unless you change it 😉 (more info on this later).

As you can see, brute force attacks on WordPress are not to be taken lightly. It is one of the main causes of hacking on a WordPress site.

To tackle the problem head on, here are 7 solutions that will help you sleep soundly.

7 solutions to protect yourself against brute force attacks on WordPress

Use a complex login and password

Let’s start with a basic tip: use a strong username and password.

For the login, forget about the classic “admin” of your site to make the attackers’ work harder (this also applies to its derivatives like “test”, for example).

You already have an account with the “admin” login? Here is how to delete it:

  • Create a new user with a login that is difficult to guess. If you’re not sure, use this kind of generator.

    To do this, go to the menu Users > Add New.
User addition to protect against brute force attacks on WordPress.
  • Delete your admin account by assigning all the content associated with it to the new user you have just created.

Let’s move on to passwords. Forget the classic “123456”, “123456789” or “password”, which are among the most used – and therefore most hacked – across the planet.

To generate a strong password, apply the following best practices:

  • Use a combination of numbers and letters (upper and lower case, numbers and punctuation marks).
  • Forget common passwords such as “1234”, “0000”, your first name or your pet’s name.
  • Choose a long password, longer than 10 characters.
  • Don’t use the same password you use for other sites (e.g. email, bank, etc.). If possible, use a unique password.

To generate passwords as strong as an ox, there are different options to help you, if you are stuck:

Finally, even if your password seems to be very secure, remember to change it from time to time, it is always better.

Limit the number of connection attempts to the administration

To repel nasty bots that want to take over your site, strengthen your security shield by preventing them from testing endless combinations of logins and passwords.

Remember: a WordPress installation is a godsend to them. If you don’t protect it a little, they can do their favorite thing (brute force attacks) without any limits.

In order to cut them off, use the iThemes Security plugin. It’s a Swiss army knife plugin with over thirty options to protect your WordPress installation from hackers, bots and other malware.

The iThemes Security plugin helps to fight against brute force attacks on WordPress.

More than half of these options are already available with the free version, including the protection against brute force attacks on WordPress, which interests us here. 😉

Here is how it works. Once the plugin is activated, configure the “Local brute force protection” module settings by choosing:

  • The immediate blocking of an IP address that would try to connect with the login “admin”.
  • The maximum number of login attempts per IP address.
  • The maximum number of login attempts per identifier.
  • The number of minutes taken into account to count unsuccessful connections.
Local brute force settings on iThemes Security.

The default settings will be effective enough (see screenshot above). After that, it’s up to you to see what you want to set up.

In addition to local protection, which concerns access attempts to your site, iThemes Security also allows you to activate what it calls a “Network Brute Force Protection” via the eponymous module. This network will block users who have tried to break into other sites before attacking yours.

iThemes Security is a general-purpose security plugin that will allow you to kill two birds with one stone.

Thanks to it, you can protect yourself from brute force attacks on WordPress, while armoring your site on other levels (blocking IP addresses, updating WordPress secret keys, file permissions, blocking users, etc.).

Download the iThemes Security plugin:

If you are looking for a plugin specifically designed to sweep away brute force attacks on WordPress, there are several solutions on the official directory (use only one of course, if needed):

Finally, if you are, like more than 5 million WordPress aficionados, an inveterate fan of the Jetpack plugin (another Swiss army knife), you should know that the latter has a module to protect you against brute force attacks.

Join the WPMarmite subscribers

Get the last WPMarmite posts (and also exclusive resources).

WPMarmite English newsletter

Change the administration login page

Limiting admin login attempts is highly recommended, but it is possible to go even further. Since you’re interested in getting in the way of malicious bots and human hackers, make their lives even more difficult by changing your administration login page.

If you’ve been following along, you’ve read that it’s very easy to find the admin login page for a WordPress site. Just type either of the following URLs in your navigation bar:

  • yoursite.com/wp-admin
  • yoursite.com/wp-login.php

Now, if the classic login page is no longer accessible by going to one of the above URLs, the bots and other attackers are screwed!

To move your login page to the URL of your choice, go back to iThemes Security. A setting is available in the advanced settings:

iThemes Security offers the "Hide Backend" setting to move the WordPress administration login page.

At the configuration level, you will need to specify a login slug. From then on, the wp-admin directory and the wp-login.php page become inaccessible. Remember to note your new URL in several places. For example, you can bookmark it on your browser for easy access.

You can also specify a redirection URL (e.g. https://yoursite.com/404), which will be sent to the bot or hacker who is not logged in and wants to access your login page.

If you want an alternative plugin (to take advantage of this feature only), look into WPS Hide Login.

Using two-factor authentication to fight brute force attacks on WordPress

Are you still here? Great. So let’s continue our process of demolishing brute force attacks on your WordPress.

Now I have a new trick to pull out of my hat: two-factor authentication (also known as strong authentication, or dual authentication).

This method adds an extra layer of security to log into your WordPress site. With this, you will need to:

  • Enter your username and password first.
  • Use a device, often your smartphone or tablet, to validate the login process.

Thus, if a hacker or a robot manages to identify your password, he will hit a wall because he will need another tool to be able to connect (if he didn’t steal your smartphone, he won’t get far).

Two-factor authentication is something you’ve heard of. You use it when you make online purchases:

  1. First, you are asked to enter your credit card data on the website where you want to shop.
  2. Then, in order to ensure that you are the originator of the transaction, you are asked to type in a code received by SMS on your cell phone, or to connect to your banking app to validate the payment.

You can also activate double authentication on the login page of your WordPress site.

Several plugins allow it, such as Two Factor Authentication, developed and maintained by the team of the famous UpdraftPlus backup plugin.

Two Factor Authentication plugin to download on the official WordPress directory.

It uses an automatic algorithm that generates a one-time login code, which is automatically renewed every 30 seconds.

Download the Two Factor Authentication plugin:

For your smartphone or tablet to recognize this code, you just need to scan a barcode using for example the Google Authenticator app to receive this code.

The QR code generated by Two Factor Authentication.

If you already use iThemes Security, you should know that the Pro version of this plugin already offers a module to activate two-factor authentication.

Implement a captcha

Now, let’s move on to a new trick to get rid of brute force attacks on WordPress: the captcha.

Using this kind of test, which allows you to differentiate between humans and bots, will help you to fight effectively against malicious bots greedily hanging around your login form.

To do this, there again, a plugin will be able to do the job for you. reCaptcha by BestWebSoft, for example.

reCaptcha by BestWebSoft to download on the official WordPress directory.

This plugin uses, among other things, the official reCAPTCHA protocol from Google, which allows you to check only one box to prove that you are not a robot.

The login form with the reCaptcha plugin.

Download the reCaptcha by BestWebSoft plugin:

And since you already know iThemes Security, I’ll tell you two more things about it: its Pro version includes a Google reCAPTCHA, if you’re interested.

Backup your WordPress site regularly

With the tips already listed above, you have enough to disgust the most ferocious attackers.

The following recommendation will not directly prevent brute force attacks on your WordPress site. However, you’ll be glad you followed it if your installation is ever affected.

An essential reflex to adopt in order to turn around in case of an attack, whatever it may be, is to regularly back up your website (its files and its database).

To cover yourself, use a dedicated plugin that will automatically take care of your backups and allow you to easily restore your site without any complex technical manipulation.

Personally, WPMarmite has a soft spot for UpdraftPlus, whose free version is complete, simple and efficient.

The UpdraftPlus plugin to download on the WordPress official directory.

Download the UpdraftPlus plugin:

Bonus: protect the reading of directories

I’d like to end this series of tips with a more technical recommendation: protect the reading of your WordPress site’s directories.

By default, if you try to access the directories of a site, the server will display them. During a brute force attack on WordPress, bots and other hackers can then browse your directories: seeing the files on your site will help them to better attack it.

To protect your site, insert the following code into your .htaccess file:

Options -Indexes

Of course, back up your site before any manipulation. 😉

Let’s attack (to limit brute force attacks on your WordPress… and secure it)!

Unfortunately, brute force attacks on WordPress are common and frequent. To protect yourself from them, there are several effective solutions:

  • Using a complex login and password.
  • Limiting the number of connection attempts to the administration.
  • Changing the administration login page.
  • Two-factor authentication.
  • Adding a captcha system.

In my opinion, the minimum is to implement the first 3 solutions. For the rest, it’s up to you to judge according to your sensitivity (note: you may be paranoid if you have combined the 5 solutions).

To sum up, adopting the right security habits will not guarantee you a total protection (no site is infallible), but you will protect yourself from many disappointments.

So don’t delay, and take action right away by applying our advice!

Have you ever been confronted with a brute force attack? How do you protect yourself against this type of threat?

We’re waiting for your feedback in the comments.