How to Protect WordPress from Brute Force Attacks

Attacking a website with brute force is an old technique, and
it still exists on the Internet.

Brute force attacks can take your website
down and disrupt your online business if the necessary
prevention tools are not in place.

A brute force attack can be carried out by humans or bots that
continuously try to log in to your WordPress website with
guessed credentials.

This gets worse when the login page is not protected, and some
research has observed thousands of login attempts to
wp-login.php per minute.
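
To check whether your own site sees this kind of volume, the following added example (not part of the original article) counts POST requests to wp-login.php per client IP per minute in a web server access log. It assumes the common combined log format; the function name, the threshold of 5 and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format (assumed):
# IP - user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>[^:\]]+:\d{2}:\d{2}):\d{2} [^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def login_bursts(lines, threshold=5):
    """Return {(ip, minute): count} for clients that POSTed to wp-login.php
    at least `threshold` times within one calendar minute.
    The default threshold is an illustrative assumption; tune it per site."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a plain page view of the form
        # Drop the query string so /wp-login.php?action=... still counts.
        path = m["path"].split("?", 1)[0]
        # endswith() also covers WordPress installed in a subdirectory.
        if path.rstrip("/").endswith("/wp-login.php"):
            counts[(m["ip"], m["minute"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample: one client submitting the login form every 5 seconds,
# plus one ordinary visitor who loads the form and logs in once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"'
    for s in range(0, 60, 5)
] + [
    '198.51.100.20 - - [10/Oct/2023:13:55:12 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:55:30 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] '
    '"POST /wp-login.php?action=login HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, minute), n in sorted(login_bursts(SAMPLE_LOG).items()):
        print(f"{ip} made {n} login POSTs during {minute}")
```
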

Let’s take a look at a graph by SUCURI.


SUCURI blocks more than 1 million attacks per hour.


That’s huge!

A few days back, I received 42 email notifications about site
lockouts due to brute force attacks. So this can happen to you.


There are multiple ways to prevent brute force attacks; here are
two of them that you can follow.

Hide WordPress Login

One of the first things you should consider doing after setting
up your website is hiding the login area.

By default, the WordPress login page is available at:

  • /wp-login.php
  • /login
  • /wp-admin
  • /admin

the technologies you are using is easy these days.

So if bad guys know you are using WordPress and the login area is
not hidden, they can easily access the login page and prepare
for a brute force attack.

Let’s hide the WordPress login area with the following plugins. You
can use any one of them.

WPS Hide Login

WPS Hide Login is a lightweight
plugin with over 40,000 active installs. This
plugin will help you change the login URL to anything you wish.

After changing the login URL, if someone tries to access
wp-admin, wp-login.php, login or admin, it will return a
404 error page.

Rename wp-login.php

Another very lightweight plugin, with over 100,000
active installs, that serves the same purpose. Change
wp-login.php to anything you want, but don’t forget to remember
what you changed it to.

Don’t worry about what will happen if you disable or uninstall
the plugin. The login page will be restored to the default
WordPress one.

iThemes Security (Better WP Security)

Better WP Security does not
just hide the login area; it is a complete suite of WordPress
security. If you are already using this plugin, this is
how you can use it to hide the login area.

If you are not using it yet, you may want to try it. It’s a very
popular plugin with over 700,000 active installs.

Assuming you have already installed the plugin:

  • Log in to your WordPress
  • Go to Security >> Settings
  • Select “Hide Login Area” next to the “Go to” drop-down
  • Enter the URI you want to use to access the admin page
  • Click on “Save All Changes”

Don’t forget to test by accessing the admin page at the URI you
just set.

The above three plugins should be able to help you hide the
WordPress login area.

Let’s take WordPress security further with 2-factor

Implement 2-factor Authentication

2-factor authentication adds an extra layer of security to your
WordPress website. Along with your credentials, you also need to
supply a one-time password (OTP).

This is achievable by using the following plugins. Pick the one you

Google Authenticator for WordPress

Use the Google Authenticator plugin
to generate a one-time password to be used every time you
log in. This will add a box to the login form to enter the OTP
generated by Google Authenticator.


Note: to use Google Authenticator, you must have a phone with
the Google Authenticator app installed.

Once you have the app installed, you can set up the account and
you are all set!

You can apply these techniques to your WordPress website to
protect it from brute force.

However, you may also use cloud-based security,
which protects from brute force and many
vulnerabilities.

You may consider any one of the following.


Incapsula by IMPERVA is a complete website security &
performance solution powering thousands of websites, including
some of the following popular sites.


Incapsula offers a free plan and has 28 data centers worldwide.
So if web security is your concern then go ahead and try

Cloud Flare

One of the most popular CDN and security companies, powering
more than 2,000,000 web properties and making them faster and safer.

If you are struggling with a slow-loading website and weak
security, then go ahead and try Cloud Flare.


SUCURI specializes in website antivirus and firewall. They
help you stop hack attempts, stop DDoS attacks, clean up hacks
and provide complete security for your website.

WordPress security by SUCURI
is probably the only thing you need to secure your WordPress
website from Brute Force and many other security

The above three cloud-based security providers not only help you
with WordPress but also any other platform like Joomla, Drupal, PHP,
I hope now you have an idea of protecting your
from brute force and many other security

Stay secured!

