Brute Force Attacks and WordPress


WordPress is a leading Content Management System used by around 27% of all websites. As its market share grows, more and more attacks target WordPress sites. A common type of attack is called “Brute Force.” In this method, the attacker simply guesses combinations of usernames and passwords repeatedly until they find success. Most often, these attacks are made by bots.

There are some simple ways to avoid penetration by a Brute Force attacker. Prevention is managed at two primary levels: Firewall-level, and WordPress-level.

brute force attacks

Firewall-level prevention

One of the best ways to prevent Brute Force attacks is using a firewall. If you manage multiple sites on the same server, the protection you put in place at this level will protect all your sites. Additionally, if attacks like this can be mitigated at the server-level, this protection won’t have to be processed by PHP/WordPress, which means fewer server resources are being used.


CloudFlare is a reverse-proxy service. In this scenario you direct your site’s nameservers to point to CloudFlare, and manage the A records or CNAME records from your DNS provider at the CloudFlare level. This option is ideal for a few reasons. First, CloudFlare masks your site’s “Origin IP,” or the IP address of the server where your site’s content is hosted. The IP masking prevents attackers from sending attacks directly to your server and bringing your site down.

On top of the natural benefits of using this service, CloudFlare offers a rate-limiting option. Using “Protect Your Login,” you can configure rules that will block IPs if they have made POST requests to your login page within the last 5 minutes.

The benefit of blocking the IP addresses with CloudFlare is that the attackers don’t even have to touch your site to get denied. So, no server resources on the server where your site is hosted will be used.

Sucuri WAF

Sucuri WAF works similarly to CloudFlare in that it offers protection as a reverse-proxy. Using Sucuri WAF will also mask your site’s origin IP, and block IP addresses before they can reach your origin server. The difference between the two is that Sucuri is a leader in website security. Meaning, their service is geared specifically towards security, protection, and compatibility. Additionally, they offer more configuration options specific to security overall.


HiveWind is a DDOS Mitigation service that sits in front of your site’s server as well, as a Cloud Load Balancer. Their services cover a large number of attacks that might affect your site, and the layer is cloud-based. The HiveWind firewall can automatically detect bad-actors like Brute Force attacks and botnets. The large difference between HiveWind and its competitors is that it cumulatively blocks attacks. That means if an IP has attacked another site, it’s blocked for all users on HiveWind’s service. And unlike many other DDOS services, even the enterprise-level services are flat-rate no matter the scale of the attack.

If you want to try HiveShield DDoS protection on your own server, use the coupon code TCHGRLKB. This coupon code is good for 8 cores/$50 a month OR 16 cores/$100 a month, each with a free 30 day trial – a 50% savings!


Incapsula is a reverse proxy system used as a CDN to sit in front of your origin server. While the setup process can be trying sometimes, the end result is a thoroughly-secured website. Their IncapRules security system uses advanced detection to identify whether the user is a bot, and block sessions. And, what’s unique about Incapsula’s system is that it allows you to configure the protection to be as aggressive as you want. They also offer a resiliency score to test whether your site is ready to handle a DDOS or not.

WordPress-level prevention

If firewall-level protection isn’t possible, you can begin looking at WordPress-level protection. While this kind of protection leaves your server resources more vulnerable, it’s still helpful. The attackers will still be denied. But, making WordPress do the heavy-lifting is more taxing on your server.

Below we’ll cover some common options for your WordPress site. These options are still helpful to block potential brute force attackers on your site.


The WordFence security plugin is an easy way to automatically block attackers. Using their settings, you can force users to set strong passwords, lock users out after failed attempts, and automatically ban users who try common usernames. One of the most common usernames is simply “admin.” With this plugin you can block anyone who tries this user. Read their blog post for more information.

Sucuri Security

Using the Sucuri Security plugin you can block Brute Force attacks. And not only this, you can also use their services to scan for malware and actively track file changes. What’s unique about this plugin is the level of logging it offers. Plus, the logging doesn’t go to your local database. It’s stored securely with Sucuri themselves. The Brute Force detection is best when used with their WAF mentioned above.

iThemes Security

The iThemes Security plugin (previously known as Better WP Security) is one of the widest-used security plugins. It offers 30 different ways to secure your site. One of these options includes moving your login page to a different URL. Since many Brute Force attacks rely on the login page being called “wp-login.php,” this alone can defer many attacks. Like HiveWind, iThemes security uses a brute force detection network. So, if one IP is blocked on another site, it’s blocked for yours too.

All-in-One WP Security

The All-in-One WP Security plugin offers a cookie-based detection of bots and brute force attacks. Since bots generally do not load assets like cookies, javascript, or css, this allows them to block bad actors. And, unlike other plugins, this one allows you to block attackers by IP address or user-agent. It also includes a “captcha” which makes the user prove they are human.

Hide Login Plugins

There are a number of plugins which will rewrite your login URL. Some common examples include: WPS Hide Login, Rename WP Login, and Loginizer. A single-function plugin like this is not always the most ideal. For instance, if you use page caching on your site, you’ll need to ensure your new login page is uncached. But, these plugins will deflect some brute force attacks simply because bots won’t know where to login.

WordPress Best Practices

Last, to prevent Brute Force attacks you should follow some simple best practices. This list will help prevent many kinds of attacks.

Don’t use the username “admin.”

This is the most commonly-used username in existence. Since Brute Force attackers need to guess your username and password, using this username gives them half the equation right away. Be smart! Choose a more unique username.

Use a captcha.

Captchas are usually image or math-based forms for testing whether a user is a human or not. Since most brute force attacks come from bots, this simple trick will prevent most attackers.

Use 2-factor authentication.

This method means a bot would have to guess two sets of authentication, one of which is constantly changing. Google Authenticator is one of the most common options. Be sure to install the app on your phone as well! This is how the system works for authentication.

Require strong passwords.

For any high-level user on your site (like an Author or Administrator) you should require they use a complex password. These days, adding a number to the end of a word won’t cut it. You’ll want to make sure your password is long, and includes many combinations of numbers, letters, and characters. Use these recommendations when choosing a password.

Keep everything updated.

I can’t stress this point enough. The most common source of malware on sites is outdated software. New exploits in software are being found every day. Most plugins and themes will release a patch or update as soon as one is uncovered. So this means keeping everything updated is super important. This certainly includes WordPress itself. If you manage many sites, using a system like MainWP or ManageWP can help you manage updates from a single dashboard.

Never log in from a public computer.

Public computers at your library or internet cafes are not the most secure. Casual hackers may have installed software on these computers that records everything you type. You should also never choose for a public computer to remember your password.

Use SSL on your login page.

Last, using SSL encryption on any page where you enter a password is important. This encrypts the data you send over the network between your local computer and your website. Any bad actors listening on your network won’t be able to read encrypted information.


So, there you have it! A comprehensive list of methods to protect your WordPress site. And, with these quick and easy methods you can effectively prevent Brute Force attackers from accessing your site. Remember also that using a firewall or plugin isn’t everything. You also need to check the list of best practices to secure your site. With all these powers combined, you can be sure your site is safe.

Do you have more tips and tricks? Have more thoughts on Brute Force attacks? Comment below or contact me to talk more about security.

Leave a Reply

Your email address will not be published. Required fields are marked *