How to Protect WordPress from Brute Force Attacks?

Attacking a website using brute force is an old technique that still exists on the Internet.

Brute force attacks can take your website down and disrupt your online business if the necessary prevention tools are not in place.

A brute force attack can be carried out by humans or bots that continuously try to log in to your WordPress website with guessed credentials.

This gets worse when the login page is not protected; some research has observed thousands of login attempts to wp-login.php per minute.
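To check whether this is happening on your own site, the following added example (not part of the original article) counts POST requests to wp-login.php per client IP per minute in a web server access log. The combined log format, the threshold of 5 attempts per minute, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format (assumed): IP - user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
)

def login_bursts(lines, threshold=5):
    """Return {(ip, minute): count} for wp-login.php POSTs at or above threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        path = m["path"].split("?", 1)[0]  # ignore any query string
        # Only POSTs submit credentials; a GET just renders the login form.
        if m["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    lines = [
        f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 4321 "-" "bot"'
        for s in range(0, 60, 10)  # six attempts within one minute
    ]
    lines += [
        '198.51.100.20 - - [12/Mar/2024:10:15:05 +0000] '
        '"GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [12/Mar/2024:10:15:09 +0000] '
        '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        'garbage line',
    ]
    return lines

if __name__ == "__main__":
    for (ip, minute), n in sorted(login_bursts(sample_log()).items()):
        print(f"{minute} {ip} {n} login POSTs")
```

Point it at your real access log by passing an open file object instead of `sample_log()`, and tune the threshold to your normal login volume.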

Let’s take a look at the graph by SUCURI.


More than 1 million attacks per hour!


That’s huge!

A few days back, I received 42 email notifications about site lockouts due to brute force attacks. So this can happen to you.


There are multiple ways to prevent brute force attacks; here are some of them that you can follow.

1. Hide WordPress Login

One of the first things you should consider doing after setting up your website is hiding the login area.

By default, a WordPress login page is available as:

  • /wp-login.php
  • /login
  • /wp-admin
  • /admin

Finding out which technologies a website uses is easy these days.

So if the bad guys know you are using WordPress and the login area is not hidden, they can easily reach the login page and prepare a brute force attack.

Let’s hide the WordPress login area with the following plugins. You can use any one of them.

WPS Hide Login

WPS Hide Login is a lightweight plugin with over 400,000 active installs. This plugin lets you change the login URL to anything you wish.

After changing the login URL, anyone who tries to access /wp-admin, /wp-login.php, /login or /admin will get a 404 error page.

iThemes Security

A premium plugin that offers comprehensive WP security protection.

iThemes keeps the bad guys out. Some of the notable features are:

  • Brute force protection
  • Lock suspicious users
  • Hide login URL
  • Two-factor authentication
  • Malware scanning
  • Database backup

With minimal setup, you are good to go.


Malcare

GDPR-ready Malcare is an all-in-one security plugin for WordPress. It offers round-the-clock login protection and keeps malicious traffic away.


Beyond brute force protection, Malcare offers other features such as malware scanning, malicious code removal, a smart web firewall, one-click hardening, etc. You can get started from as low as $99 per year. It is a worthwhile investment to secure your online business.

2. Implement 2-factor Authentication

2-factor authentication adds an extra layer of security to your WordPress website. Along with your credentials, you also need to supply a one-time password (OTP).

This is achievable by using the following plugins.


A fantastic and lightweight plugin that lets you implement two-factor authentication for WP administrators, contributors, etc.

You can set up email-based, Google Authenticator, or U2F-based authentication.

Google Authenticator

As the name says, you can use this plugin if you are looking for Google Authenticator based OTP login.

[Screenshot: Google Authenticator on the WP login page]

Once you enable the plugin and set up the authentication, you should see the above screen during login to your WP admin.

The above techniques are plugin-based, but you may also consider protection from a cloud-based security provider.

3. Cloud-based Security

Why Cloud-based security?

Using a plugin to secure your site means all the traffic, including the bad traffic, reaches the WordPress server. Imagine receiving a large amount of useless traffic.

By using cloud-based protection, your WordPress server receives only legitimate traffic. All the bots, spam, and suspicious requests get terminated at the security provider's network.

Sounds good?

There are a few options; two of the popular ones are the following.


SUCURI

SUCURI specializes in website antivirus and firewall. They help you stop hack attempts, stop DDoS attacks, clean up hacks, and provide complete security for your website, including brute force attack protection.

WordPress security by SUCURI is probably the only thing you need to secure your website from brute force and many other security vulnerabilities. The good thing about SUCURI is that it supports many other platforms like Joomla, Drupal, Magento, and PHP, so in case you change the website technology in the future, you don’t need to spend another $$ on security.


Cloudflare

One of the popular CDN and security providers. Cloudflare WAF is included in the PRO plan, which costs $20 per month.

You get all the standard protection against DDoS, OWASP Top 10 vulnerabilities, spam, evil bots, brute force, etc.


Securing your site is essential, and if you are looking to mitigate brute force attacks, then one of the above-listed plugins will do the job. However, if you are seriously looking for a complete security solution, then go with cloud-based security. It is worth it!

Stay secure!

Credits: geekflare