How to Protect WordPress from Brute Force Attacks

What is a brute-force attack?
A brute-force attack is a method where the attacker automatically tries thousands of username and password combinations until they hit the right one. Bots can attempt hundreds of logins per minute, testing the most common passwords like "admin123", "password", or "123456". Because WordPress uses the standard /wp-login.php page, attackers know exactly where to target.
Even if the attacker fails to guess the password, the sheer volume of requests can slow down or crash your site. That is why protection against brute-force attacks is doubly important - it protects both your data and your site's performance.
Change the default admin username
If your WordPress account uses the username "admin", you have already given the attacker half the information they need. Always use a unique username that is not easy to guess.
WordPress does not allow direct username changes from the admin panel. Instead, create a new account with admin rights and a unique name, then delete the old "admin" account. When deleting, WordPress will ask whom to reassign the old account's content to - choose the new account.
Use strong passwords
A strong password is the first line of defense. Minimum requirements:
- At least 12 characters (ideally 16+)
- Combination of uppercase and lowercase letters, numbers, and special characters
- Never use the same password on multiple sites
- Avoid dictionary words, birth dates, and personal information
Use password managers like Bitwarden or 1Password that generate and store complex passwords for you. You do not need to memorize a password if the manager keeps it safely.
Two-factor authentication (2FA)
Two-factor authentication adds a second layer of protection that requires something you have (phone) on top of something you know (password). Even if an attacker guesses your password, without access to your phone they cannot log in.
Recommended 2FA plugins:
- WP 2FA: A simple plugin that supports Google Authenticator, Authy, and email codes. The free version covers basic needs.
- Wordfence: Beyond 2FA, it provides complete security including firewall, malware scanning, and real-time threat monitoring.
- miniOrange: Supports multiple authentication methods including SMS, email, push notifications, and hardware keys.
Be sure to generate and save backup codes in a safe place in case you lose access to your phone.
Limit login attempts
By default, WordPress allows an unlimited number of login attempts. This is like leaving the key in the lock and telling the thief "try as much as you want". Limiting attempts is one of the most important protections.
Limit Login Attempts Reloaded is the most popular plugin for this purpose. By default it blocks the IP for 20 minutes after 4 failed attempts, and after repeated lockouts extends the block to 24 hours. You can tune these values to your needs.
On BeoHosting, cPHulk Brute Force Protection is built in at the server level: it automatically blocks IPs with too many failed logins, adding a protection layer that works independently of any WordPress plugin.
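To make the lockout rule concrete, here is a small Python model of that policy (an added example, not the plugin's code): it applies the 4-attempt, 20-minute defaults quoted above and escalates to a 24-hour block after repeated lockouts. The number of lockouts that triggers the escalation (4) is an assumption, as is the IP-keyed in-memory state.

```python
from dataclasses import dataclass

# Policy values from the text: 4 failed attempts -> 20-minute block, repeated
# lockouts -> 24-hour block. The escalation point (the 4th lockout) is an
# assumption, not a value stated in the text.
MAX_RETRIES = 4
SHORT_LOCKOUT = 20 * 60       # seconds
LONG_LOCKOUT = 24 * 60 * 60   # seconds
LOCKOUTS_BEFORE_LONG = 4

@dataclass
class IpState:
    failures: int = 0        # failures since the last lockout or successful login
    lockouts: int = 0        # lockouts applied to this IP so far
    locked_until: float = 0  # epoch seconds until which attempts are rejected

class LoginLimiter:
    def __init__(self):
        self.state = {}      # client IP -> IpState (hypothetical in-memory store)

    def allowed(self, ip, now):
        # True if an attempt from ip may proceed to the password check.
        st = self.state.get(ip)
        return st is None or now >= st.locked_until

    def record(self, ip, ok, now):
        """Record one attempt's outcome; return the lockout applied in seconds (0 if none)."""
        st = self.state.setdefault(ip, IpState())
        if ok:
            st.failures = 0
            return 0
        st.failures += 1
        if st.failures < MAX_RETRIES:
            return 0
        st.failures, st.lockouts = 0, st.lockouts + 1
        duration = LONG_LOCKOUT if st.lockouts >= LOCKOUTS_BEFORE_LONG else SHORT_LOCKOUT
        st.locked_until = now + duration
        return duration

def replay(events):
    """Feed (time, ip, password_ok) events through one limiter; return a verdict per
    event: ok, fail, lockout (this failure triggered a block) or locked (rejected)."""
    limiter, verdicts = LoginLimiter(), []
    for t, ip, ok in events:
        if not limiter.allowed(ip, t):
            verdicts.append("locked")
            continue
        dur = limiter.record(ip, ok, t)
        verdicts.append("ok" if ok else ("lockout" if dur else "fail"))
    return verdicts
```

Note that an attempt rejected while locked never reaches the password check at all, which is what keeps a bot's request volume from costing CPU on the site.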
Change the login page URL
The standard WordPress login page is always at /wp-login.php or /wp-admin. Changing this URL to something unique (e.g. /my-access) eliminates a large share of automated attacks, because bots target only the standard paths.
The WPS Hide Login plugin lets you change the login URL with one click. It is lightweight, does not modify server files, and is compatible with most themes and plugins.
Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches your site. It can recognize and block brute-force attacks, SQL injection attempts, XSS attacks, and other threats.
Cloudflare WAF: The free plan provides basic protection (see the Cloudflare setup guide), while the Pro plan ($20/month) adds advanced WordPress-specific rules.
Wordfence firewall: Runs at the WordPress application level and provides WordPress-specific protection. The free version includes basic rules, while the premium version gets real-time updates.
Sucuri: A cloud-based WAF that protects the site before traffic reaches your server. Especially effective against DDoS attacks.
Additional protection measures
Disable XML-RPC: XML-RPC is an old WordPress protocol that attackers can abuse for brute-force attacks. If you do not use it (most sites do not), disable it by adding a single line to .htaccess or using the Wordfence plugin.
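Server-level blocking, a WAF, and the lockout plugin all key on the same signal: repeated POSTs to the login page or to xmlrpc.php from one address. The following Python snippet (an added example, not part of the original article or any plugin) counts that signal over constructed access-log lines in the combined format Apache and LiteSpeed write; the IPs, timestamps and the flagging threshold are constructed sample values.

```python
import re
from collections import Counter, defaultdict

# Combined log format as written by Apache or LiteSpeed; sample lines are constructed.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:01:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2025:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2025:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

def suspicious_hits(lines):
    """Count per-IP login failures and XML-RPC posts.

    A failed wp-login.php POST re-renders the form with HTTP 200; a successful
    one redirects with 302, so only 200 responses count as failures. Every
    XML-RPC POST counts, since a single request to that endpoint can carry
    many password guesses, which is why the text recommends disabling it.
    """
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]   # drop query strings such as ?redirect_to=
        if method != "POST":
            continue
        if path == "/wp-login.php" and status == "200":
            hits[ip]["login_failures"] += 1
        elif path == "/xmlrpc.php":
            hits[ip]["xmlrpc_posts"] += 1
    return hits

def flag_offenders(lines, threshold=4):
    """IPs whose failures plus XML-RPC posts reach threshold (4 matches the plugin default)."""
    return sorted(ip for ip, c in suspicious_hits(lines).items() if sum(c.values()) >= threshold)
```

Run over a real access_log, the same counts show whether the lockout plugin, cPHulk or the WAF is actually catching the traffic, since blocked requests should stop appearing after the threshold.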
Disable file editing from the admin panel: Add define('DISALLOW_FILE_EDIT', true); to wp-config.php to prevent editing themes and plugins from the WordPress admin panel. If an attacker gains access, they cannot inject malicious code directly.
Update WordPress regularly: Every WordPress, theme, and plugin update patches known security holes. Consider professional WordPress maintenance for automated updates. Enable automatic updates for minor versions and update major versions manually on a regular schedule.
Use SSL: HTTPS encryption ensures the password is sent encrypted between the browser and the server. Without SSL, someone on the same network can intercept your password. BeoHosting offers free HTTPS protection with every hosting plan.
Conclusion
Protecting a WordPress site from brute-force attacks requires multiple layers of defense. The combination of strong passwords, two-factor authentication, login attempt limits, and a firewall provides solid protection. No single method is enough by itself, but together they make your site extremely hard to compromise. Remember - prevention is always cheaper than dealing with the aftermath of an attack.
BeoHosting Team
10+ years of experience — Web hosting and infrastructure specialists