WordPress Brute Force Attacks: How to protect your website

WordPress brute force attacks are overwhelming, even before an attack is successful. Many site admins see their server resources deplete quickly, their websites become unresponsive or even outright crash, causing actual users to be unable to log in. The problem is that you can feel powerless as brute force bots hammer your login page, trying to break into your WordPress admin.

But you aren’t helpless. If you see several failed logins for one user, that might indicate that they’re trying to access your site from multiple IP addresses.

We will go through what WordPress brute force attacks look like and how to prevent them.

To prevent bad bots from attacking your website, install a robust firewall and integrate bot protection into your security system. Make sure your site, data, users, and everything else is secure with MalCare, the most powerful WordPress security plugin.

What is a WordPress brute force attack?

Brute force attacks attempt to gain unauthorized access to a website by trying out different username and password combinations. Hackers have created bots that repeatedly attempt to log into websites on a trial-and-error basis.

A bot may try a series of passwords in a dictionary, and so these attacks are also called dictionary attacks or password-cracking attacks. The attacks can be configured to come from different IP addresses, thus circumventing basic security measures. There are other types of brute force attacks, which we will cover later in the article. 

A brute force attack aims to access your wp-admin and then most typically install malware on your site.

Some tips to help prevent brute force attacks against your WordPress site

It’s frightening when an attacker tries to break into your computer network, especially since there doesn’t seem to be anything you can do to stop them. Furthermore, the effects of an intrusion are immediately visible. If a site has limited server resources, they will be quickly used up by an attack. And if a site crashes completely, it will take down everything else on the network.

Fortunately, there is a lot you can do to prevent brute force attacks in WordPress.

Here is a list of WordPress brute force protection steps that will block most attacks and mitigate the worst effects. 

1. Limit login attempts

The best way to stop WordPress brute force attacks is to limit login attempts. If an incorrect password has been entered too many times, the user account is temporarily blocked. This makes brute-forcing difficult, because it relies on trial and error to guess passwords. Besides, since the bot cannot test thousands of combinations, its activity doesn’t use up server resources.

By default, WordPress allows unlimited login attempts, which is why it is susceptible to brute force attacks in the first place. With MalCare, limited login protection is automatically activated. In fact, if a user has legitimately forgotten their password, they can solve a captcha to get past the block quickly. Therefore, limiting login attempts keeps out brute force bots without adversely affecting real users.

For more details, see our guide on 9 Ways To Increase WordPress Security And Avoid Cyber Attacks For High-Performance Websites

2. Block Bad Bots

Brute force attacks are almost always carried out by bots.

Bots are small programs designed to carry out a single task repeatedly. Therefore, they’re ideal for brute force attacks, which involve trying every combination of inputs until one works. The bot will try different usernames and passwords until it finds one that works.

Over 25% of all website visitors are bots, so there are many security systems to protect against them. However, an important distinction is to be made here: not all bots are bad. There are some good ones, like search engine and uptime monitoring bots. It’s essential to get bot protection that intelligently blocks only malicious bots.

3. Install a web application firewall

A login protection system is designed to defend specifically against brute force attacks. Firewalls are designed to defend against many kinds of attacks, including brute force ones.

Firewalls use policies to block out malicious traffic, and they do a lot to protect your website. Firewalls mitigate one of the most significant drawbacks of brute force attacks: the excessive load on server resources. They block out repeated bad requests by preventing them from reaching your servers.

Brute force attacks typically come from multiple IP addresses, so they usually get past most firewalls. Your website becomes a part of global IP protection. The firewall learns which websites are malicious by observing the behavior of over 100,000 websites and then blocks traffic from those sites. These measures significantly reduce bad traffic to your website before the bot has a chance to brute-force your site’s login page.

For more details, see our guide on Firewall Optimization: Make Sure You Are Protected From Hacking Attempts 

4. Add Two-factor authentication in WordPress

Passwords can be guessed, so multi-factor authentication has emerged to add a layer of security by having dynamic elements to verify users. Two-factor authentication requires two factors: something you know (like a password) and something you have (like a physical security key). The second factor is usually a token that is not valid for long periods, usually lasting no longer than 15 minutes, and can only verify a user for that specific session.

You can install a WordPress plugin like WP 2FA to add two-factor authentication to WordPress sites. The additional token is hard to crack, and it adds another layer of security by requiring users to enter it in addition to their username and password before accessing the site.

5. Use Strong and unique passwords

The biggest security flaw is the user and, by extension, the passwords they set. Passwords are the most vulnerable part of any security system because of people’s natural tendency to set easy-to-remember passwords and to reuse them. These are two separate and distinct issues.

Firstly, never use the same password for multiple websites. Many brute force bots use stolen usernames and passwords from data breaches to hack into websites. Secondly, as you probably know, a password like “password” is easy to guess. Use a minimum of twelve gibberish characters (or, even better, use a passphrase), but don’t worry if you forget them.

6. Disable XML-RPC in WordPress

Another way to authenticate users is through the use of an XML-RPC file. It’s an alternative way to gain admin access, so it is also vulnerable to brute force attacks. It is an outdated file and is no longer used by many plugins or themes. It has been included in WordPress for backward compatibility and is relatively safe to disable.

7. Review and remove unused user accounts regularly

Hackers often target dormant accounts because the account owners don’t realize that their accounts have been hacked until they receive an email from Facebook informing them that their account has been compromised. Furthermore, dormant accounts tend to use the same passwords for long periods, making them easy to crack.

Therefore, review user accounts regularly, and remove any that aren’t in active use. For extra credit, ensure that each account has the minimum user privileges needed to manage their account. It is foolhardy to make everyone an admin, for instance. 

8. Consider geoblocking in WordPress

We recommend caution when using geoblocking, but it may be worth trying. If you see many bots coming from a particular location, you may want to block that entire country. This is helpful only if you don’t anticipate any legitimate users from there.

Also, beware of locking out good bots that operate from that region. For example, Googlebot can operate anywhere in the world, and you want Googlebot to be able to access your site.

9. Disable directory browsing

Most WordPress core folders and files are openly accessible via a browser by default. For example, if you type yourwebsite.com/wp-includes into the address bar of your web browser, then the entire contents of the wp-includes folder will be immediately visible to you.

Directory browsing itself isn’t a vulnerability, but it can reveal information about a site that can then be used to exploit vulnerabilities. The /wp-content/plugins and /wp-content/themes folders contain plugins and themes, and a hacker can see which plugins and themes are installed and their version number. Directory brute force is a less common type of brute force attack than dictionary attacks.

Therefore, it makes sense to disable directory browsing altogether as a safeguard.

Things you will read elsewhere but should avoid doing

There is a lot of bad security advice out there. Some of it is well-intended, but some of it isn’t. So, we’ve also listed some things not to do as well.

  • Password protect a wp-admin directory: Don’t do this at all. It appears in virtually every brute force prevention article, so there’s no need to repeat it here. Password protecting the wp-admin folder breaks AJAX for non-authenticated users. AJAX is what lets part of a page update on its own: if your site has a search bar and a visitor uses it to search for products, only the search result page will reload, not the whole website. It saves time and improves the user experience of websites by making them load faster and be easier to use. You will also see many workarounds involving the admin-ajax file, but they don’t always work perfectly. The bottom line is that the effort the workarounds take is not matched by a commensurate gain in security. It is a massive step for little additional benefit.
  • Changing your wp-login URL: You see this advice often in WordPress hardening articles. We strongly recommend against changing the URL for your login page because it is nearly impossible to recover if it ever gets lost.
  • Avoid using admin as a username: Since brute force bots are effectively trying to guess the username and password combinations, there is some value in avoiding obvious usernames like admin. However, this measure is of limited value, and we advise against spending too much time and effort here. WordPress doesn’t allow you to change usernames from the dashboard, so you must install a plugin. There are other ways to recover usernames from specific sites, like membership ones. The effort needed to have unique usernames for members, enforce the policy, and then deal with the inevitable fallout when people forget their unique usernames is not worth the limited beneficial effect.

Impact of a brute force attack on WordPress

There are two ways to think about the effects of a brute force attack.

First, what happens during an attack; second, what happens if an attack is successful.

The first question isn’t usually asked with most attacks because, while they are in progress, there is little or no impact on the website. Only once an attack has been successful do the consequences become apparent. However, that is not the case with a brute force attack.

What happens when your site is being brute forced? 

You will immediately notice a difference in server resources. The server has to handle each request individually because the attack is flooding your login page with requests at an extremely high rate.

Therefore, you will see all the effects of increased server usage on your website: a slower website, some users being unable to log in, downtime, inaccessibility, etc. If you’re using shared web hosting, you should be aware that your host may limit your server usage because it will affect their metrics.

If the brute force attack is successfully carried out, what happens?

There are several reasons hackers might want to gain access to your website. None of these are good. If the attack is successful, you can expect to see malware or some sort of defacement.

Your website could become part of a botnet and be used to launch attacks against other websites without your permission. If your website becomes part of a botnet, other security systems may flag your website as malicious.

Dealing with the consequences of WordPress brute force attack

If a brute force attack has been successful, you should assume the worst: your website has been compromised. Therefore, your priority is to secure your website.

Here are the significant steps you should take to contain the damage: 

  • Force log out all users and change all passwords.
  • Scan your website for malware immediately.

Once you are sure your site is clean of malware, implement the prevention measures listed above. 

Types of brute force attacks

Brute force attacks are different from other threats and attacks, like social engineering attacks or XSS attacks. Brute force attacks rely on weak or stolen credentials to succeed. Social engineering attacks, like phishing, manipulate people into sharing their credentials by posing as a trusted entity, whereas XSS attacks exploit vulnerabilities on the website.

You’ll see a few flavors of brute force attacks in the wild. They all follow the same trial-and-error pattern, but the credentials they try or the mechanism they use can vary. Here are a few of the most common types of brute force attacks: 

  • Simple attacks: Simple brute force attacks use logic to guess credentials based on knowledge of the user, for example pet names or birthdays taken from social media sites.
  • Credential stuffing: This type of attack uses data obtained from breaches, operating under the assumption that users tend to use the same usernames and passwords across multiple systems.
  • Dictionary attack: As the name implies, these bots use dictionary files for passwords. This can be an actual dictionary or one specially created for password guessing.
  • Rainbow table attacks: Similar to a dictionary attack, a rainbow table is a special kind of dictionary list. Instead of a list of passwords, a rainbow table contains a list of hashed passwords.
  • Password spraying: This attack is logically a reverse brute force attack. In typical brute force attacks, a particular username is the target, and the guessing game is played with the password. Conversely, with password spraying, a list of passwords is tried against multiple usernames to find a potential match. It is a more distributed attack as compared to a targeted one.
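The added example below, which is not from the original article, shows how the difference between a targeted brute force attack and password spraying appears in failed-login records. The event format (time, source IP, username), the thresholds and the sample data are constructed assumptions; a real site would read these records from whatever login audit log it keeps.

```python
from collections import defaultdict


def make_sample_events():
    """Constructed failed-login events: (unix_time, source_ip, username)."""
    events = []
    # Many guesses at one account, spread over six IPs.
    for i in range(30):
        events.append((1000 + i, f"203.0.113.{i % 6 + 1}", "admin"))
    # One IP making a single guess against each of many accounts.
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, user in enumerate(users):
        events.append((2000 + i * 60, "198.51.100.20", user))
    # A real user mistyping a password twice.
    events += [(3000, "192.0.2.44", "editor"), (3020, "192.0.2.44", "editor")]
    return events


def classify(events, min_failures=10, min_users=5, max_per_user=2):
    """Return sorted findings as (kind, subject, failures, distinct IPs or users)."""
    by_user = defaultdict(list)                    # username -> source IP of each failure
    by_ip = defaultdict(lambda: defaultdict(int))  # ip -> username -> failure count
    for _, ip, user in events:
        by_user[user].append(ip)
        by_ip[ip][user] += 1

    findings = []
    # Targeted guessing: one username collects many failures, whatever the source.
    for user, ips in by_user.items():
        if len(ips) >= min_failures:
            kind = "distributed brute force" if len(set(ips)) > 1 else "brute force"
            findings.append((kind, user, len(ips), len(set(ips))))
    # Spraying: one source touches many usernames with only a guess or two each.
    for ip, users in by_ip.items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            findings.append(("password spraying", ip, sum(users.values()), len(users)))
    return sorted(findings)
```

A per-account failure counter alone never sees the spraying source, because no single username accumulates enough failures; the per-IP view is what surfaces it.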

Other good security practices

Preventing brute force attacks in WordPress is an admirable goal, but it is only a part of website security.

Here are a few of our top recommendations to keep your site safe and free of malware: 

  • Install a security plugin with a good malware scanner and cleaner
  • Keep everything updated
  • Invest in daily backups

Final Thoughts

Brute force attacks can debilitate a website, even if they are not successful. The best way to deal with this potential threat is to install a firewall that has integrated bot protection, like

Even if a brute force attack has been successful, will help you detect malware quickly and remove it. As is the case with all infections, quick action limits damage significantly. helps entrepreneurs and business owners protect their businesses by providing high-quality website security solutions so you can sleep soundly at night.