Additional menu

How to Protect WordPress from Brute Force Attacks

How to Protect WordPress from Brute Force Attacks

Geek Flare Blog post is sponsored by Netsparker Web Application Security Scanner.

Attacking website using Brute Force is an old technique and still, exists on the Internet.

Brute Force attacks can take your website down and disrupt your online business if necessary prevention tool is not in place.

Brute Force attack can be applied either using human or bots by continuously trying to log in with guessed credentials into your WordPress website.

This gets worse when the login page is not protected, and some of the research has noticed thousands of login attempts to wp-login.php per minute.

Let’s take a look at graph by SUCURI.


More than 1 million attacks per hour are protected by SUCURI.


That’s huge!

A few days back, I received 42 emails notification about site lockout due to brute force attacks. So this can happen to you.


There are multiple ways to prevent brute force attack; here are two of them, which you can follow.

Hide WordPress Login

One of the first things after setting up your website you should consider doing is to hide the login area.

By default, WordPress login page is available as:

  •  /wp-login.php
  • /login
  • /wp-admin
  • /admin

Knowing the technologies, you are using is easy these days.

So if bad guys know you are using WordPress and login area is not hidden then they can easily access login page and prepare for a brute force attack.

Let’s hide the WordPress login area with following plugins. You can use any one of them.

WPS Hide Login

WPS Hide Login is a lightweight plugin with active installed over 40,000. This plugin will help you change the login URL to anything you wish.

After changing the login URL, if someone try to access wp-admin/wp-login.php/login/admin then it will throw 404 error page.

Rename wp-login.php

Another very lightweight plugin with over 100,000 actives installed to solve the purpose. Change the wp-login.php to anything you want but don’t forget to remember the one you change it.

Don’t worry about what will happen if you disable or uninstall the plugin. The login page will be restored the default WordPress one.

iThemes Security (Better WP Security)

Better WP Security is not just to hide the login area but a complete suite of WordPress security. If you are already using this plugin, then this is how you can use to hide the login area.

If not using yet, then you may try it. It’s one of the very popular plugins with over 700,000 active installed.

Assuming you have already installed the plugin.

  • Login to your WordPress
  • Go to Security >> Settings
  • Select “Hide Login Area” next to Go to drop down


  • Enter the URI you want to use to access to admin page


  • Click on “Save All Changes”

Don’t forget to test by accessing admin page with the one you changed just now.

Above three plugins should be able to help you with hiding WordPress login area.

Let’s take WordPress security further with 2-factor authentication.

Implement 2-factor Authentication

2-factor authentication adds an extra layer of security to your WordPress website. Along with your credential, you also need to supply the one-time password (OTP).

This is achievable by using following plugins. Pick the one you like.

Google Authenticator for WordPress

Use Google Authenticator plugin to generate a one-time password and to be used every time your login. This will add a box in Login form to enter the OTP generated by Google.


Note: to use Google Authenticator, you must have a phone with installed Google Authenticator apps.

Once you have apps installed, you can set up the account and all set!

These techniques you can apply to your WordPress website to protect from brute force.

However, you may also use Cloud-Based Security Provider, which protect from brute force and many other vulnerabilities.

You may consider any one of the following.


Incapsula by IMPERVA is complete website security & performance solution powering thousands of websites including some of the following popular sites.


Incapsula offers a free plan and has 28 data centers worldwide. So if web security is your concern then go ahead and try Incapsula.

Cloud Flare

One of the most popular CDN and Security companies powering more than 2,000,000 web properties faster and safer.

If you are struggling with slow loading website and weak security, then go ahead and try Cloud Flare.


SUCURI is specialized in website antivirus and firewall. They help you to stop hack attempts, stop a DDoS attack, clean hack and complete security to your website.

WordPress security by SUCURI is probably the only thing you need to secure your WordPress website from Brute Force and many other security vulnerabilities.

Above three cloud-based security provider not only help you WordPress but also any other platform like Joomla, Drupal, PHP, etc.

I hope now you have an idea of protecting your website from brute force and many other security vulnerabilities.

Stay secured!

Reader Interactions

Chandan Kumar
About Chandan
Chandan Kumar is the founder of Geek Flare. Learn more here and connect with him on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *