Protect Your WordPress Site From Brute Force Attacks

A brute force attack preys upon your website’s greatest weakness: the people who use it. It doesn’t involve sophisticated SQL injection or XSS techniques. An attacker simply guesses usernames and passwords until they get one combination right.

For high-traffic blogs, a disabling brute force attack causes significant service and revenue disruptions. Fortunately, simple precautions will defend your WordPress site from brute force attacks. In addition, get knowledgeable about the security of your hosting provider. For example, learn more about AWS security options if you host your WordPress site with Amazon.

Protect Your WordPress Site From Brute Force

Protect Your WordPress Site From Brute Force

1. Change Your Admin Username

If you started using WordPress early in its development, your admin username defaulted to “admin.” That’s why attackers start by probing “admin” as a username when they try a brute force attack. You have a couple of options for changing your username: setting up a new admin account or using a plugin.

Create a New Admin Account

1. Open your Dashboard. Hover over “Users” and choose “Add New” from the popup menu.

2. Complete the form. Fill in a new username and password, along with the other requested information. On the dropdown menu next to “Role,” choose “Administrator.” Then, click” Add New User.”

3. Delete your old admin account. On the Dashboard, click “Users.” Place a check in the box beside your old admin account, and then choose “Delete” from the Bulk Actions menu. When prompted, transfer all posts from the previous admin account to your new admin account.

Change Your Username With a Plugin

Download “Admin namer extended” by searching for it on your Add Plugins page. Alternatively, you can click here to download the .zip file. Once it’s installed, select the plugin and simply type in a new username to replace the generic “admin” username.

2. Use Plugins to Fend off Brute Force Attacks

In addition to eliminating your admin username, use plugins to add tests or two-factor authentication to the login process. You can also use plugins to limit the number of times an attacker can attempt to login.


Adding a CAPTCHA plugin requires anyone logging into your site to type in a one-time code to access your site. The plugin Captcha by BestWebSoft will require everyone who logs into your site to complete a simple arithmetic problem to gain access.

Google Authenticator

Step up to two-factor authentication by incorporating Google Authenticator codes into your login process. After you download and install the WP Google Authenticator plugin, users will be prompted to enter a Google Authenticator code at login.

To get the code, they’ll need to download the Google Authenticator mobile app to their Android, iPhone, or BlackBerry mobile devices. Then, you’ll need to set up WP Google Authenticator on your WordPress account by visiting “Settings” and then “Authenticator” in your Dashboard. Check the appropriate boxes to authorize the plugin and to force use, and then click “Save.” When users login, they open their Google Authenticator app, where they’ll see your website’s name and a numerical code. They enter the code in the appropriate field on the login screen to access your WordPress site.

Limit Login Attempts

If you use a managed hosting provider, your provider might install a Limit Login Attempts plugin by default. If not, try a plugin called Brute Force Login Protection, which will limit the number of times anyone can login to your account before their IP address gets blocked.

Keep in mind that the same plugin limiting login attempts for brute force attacks will also block your IP address if you type in the wrong password too many times. Make sure you keep your password in a safe place, or use a password manager to store your WordPress password.

3. Create a Strong Password

Nothing protects your WordPress site like requiring strong passwords from yourself and your users. Use one of these options to design a good password:

  • Mix of letters, numbers, and symbols. Use a blend of upper-case and lower-case letters, numbers, and symbols to design a strong password.
  • A memorable phrase. String together some unrelated words, like carenvelopetrombonecat. This option gives you a password that’s tough for attackers to crack and also easy for you to remember.

Add the Force Strong Passwords plugin to require all users to construct strong passwords. By doing so, you’ll prevent attackers from brute forcing any account associated with your site.

4 thoughts on “Protect Your WordPress Site From Brute Force Attacks”

  1. Well, recently Brute force Attacks has immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing, which is fight-able, I mean, by using security methods, we can move brute force attacks out of the window. Although, it can be difficult for newbies, who just got started with WordPress, but he/she can learn by reading posts online and then can implement security.
    In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.

  2. Hey Pradeep! Howdy?
    Coming back to your blog after a long time.

    Brute force, DDOS and all kinds of attacks were high on Indian blogs and Govt websites during the world cup when Pakistan lost to India. This is the age of cyber warfare.North korea hacking Sony and China and U.S following the suit.

    But luckily, using WordPress gives us some defence. Due to the large community of developers and availability of plugins to fend off attacks. I recommend Ninjafirewall Plugin and WPsecurity, they both make the site a lot more safer and the Ninjafirewall plugin even alerts you via mail when any core wordpress file is changed or when there is attack.(I guess the other one too does that)

    While you mentioned to use plugins in the post, I’m curious why you did’t recommend any plugin for the same. Anyways, nice writeup.

  3. Nice tips, Pradeep.
    You can also try to password protect your WordPress admin directory and whitelist your IP address, if you have static IP to protect your websites from external attacks.


Leave a Comment