
How to Protect Your WordPress Against Brute Force Attack

  • Feb 10, 2022
  • by Sarojini Nagappan

If your website is built with WordPress, keeping it secure should be your top priority. Among the many security attacks, brute force attacks, despite being an old technique, continue to be the most common. If early precautions are not taken, a brute force attack can bring your site down. Before we show you how to protect your site from these attacks, let’s define what exactly they are.

A brute force attack is an attack on a website, carried out either by humans or by automated systems, that targets protected information, with the main goal of obtaining login information. This blog discusses some well-known methods for preventing brute force attacks.

1. Hide the WordPress Admin Login Page

By default, the WordPress login page can be reached at any of the following:

  • /wp-login.php
  • /login
  • /wp-admin
  • /admin

Gaining access to login pages, particularly the admin login, provides hackers with unrestricted access to the entire site.

There are several ways to hide the login area, including using a plugin like WPS Hide Login, which allows you to change the admin login to another URL of your choosing. When someone tries to access /wp-admin, /wp-login.php, /login or /admin, they will get a 404 error.
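Once the default paths return 404, repeated requests to them are a useful signal in the access log. The sketch below is an added example, not code from the original post or from the WPS Hide Login plugin; the combined access-log format, the thresholds, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default login paths from the list above; once hidden, they answer 404.
LOGIN_PATHS = ("/wp-login.php", "/login", "/wp-admin", "/admin")
# Assumed format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_login_path(path):
    # Ignore the query string and a trailing slash before comparing.
    return path.split("?", 1)[0].rstrip("/") in LOGIN_PATHS

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: most hits inside any one window} for IPs at or over the
    threshold (hypothetical helper; defaults are illustrative)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_login_path(m["path"]):
            continue
        # A hit is a login attempt (POST) or a 404 probe for the hidden page.
        if m["method"] == "POST" or m["status"] == "404":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [10/Feb/2022:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4512'
    for s in range(0, 30, 5)
] + [
    f'198.51.100.9 - - [10/Feb/2022:10:01:{s:02d} +0000] "GET /wp-admin/ HTTP/1.1" 404 310'
    for s in range(0, 50, 10)
] + ['192.0.2.20 - - [10/Feb/2022:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0']

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

The single login from 192.0.2.20 stays below the threshold, so only the two repeating addresses are reported.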


2. WordPress Two-Factor Authentication (2FA) 

Two-factor authentication gives you an extra layer of security by requesting an additional identification factor, such as one of the following:

  • A one-time password (OTP) sent by SMS/e-mail
  • A phone call
  • A QR code
  • A push notification

WordPress supports two-factor authentication via plugins like the Two-Factor plugin or time-based authentication via Google Authenticator. The Google Authenticator plugin enables per-user two-factor authentication. You could enable it for your administrator account while using less privileged accounts as usual.

3. Cloud-Based Security Plugins

While traffic is beneficial to any website, excessive bad traffic depletes your server’s resources. Limiting the number of users who can enter your site at the same time protects you from distributed denial of service (DDoS) attacks. Popular cloud security plugins such as Sucuri or Cloudflare protect not only against brute force login attacks, but also against other security threats such as DDoS, spam, and bots. They provide complete protection for your WordPress site. Also check which security measures your hosting provider offers for your website.


As previously stated, a brute force attack is one of the most traditional attacks, but it remains the most common type of WordPress security attack. While plugins and other security tools are available to help mitigate security threats, it is always important to keep your WordPress installation up to date. This includes updating any plugins and themes, as outdated plugins or themes give hackers an easy way in. If you have any questions or need any help protecting your site, contact our support team today!