In Security and WordPress Last updated: September 6, 2022

Brute-force attacks against websites are an old technique that is still in use on the Internet.

Brute force attacks can take your website down and disrupt your online business if the necessary prevention tools are not in place.

A brute force attack can be carried out by humans or bots that continuously try to log in to your WordPress website with guessed credentials.

This gets worse when the login page is not protected, and some research has observed thousands of login attempts to wp-login.php per minute.

Let’s take a look at the graph by SUCURI.


More than 1 million attacks per hour!


That’s huge!

A few days back, I received 42 email notifications about site lockouts due to brute force attacks. So this can happen to you.
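To check whether your own site is seeing this pattern, you can count login POSTs to wp-login.php per client IP per minute in the web server access log. The script below is an added example, not part of the original article; it assumes the Combined Log Format, and the function names, the sample lines, and the threshold of 5 attempts per minute are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format, the default access-log layout for Apache and nginx.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}'
)

def login_posts_per_minute(lines):
    """Count POSTs to wp-login.php per (client IP, minute)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs only load the form; POSTs submit credentials
        # Drop the query string and match on the script name only.
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return hits

def suspects(lines, threshold=5):
    """Return {ip: peak attempts in one minute} for IPs at or above threshold."""
    peak = {}
    for (ip, _minute), n in login_posts_per_minute(lines).items():
        if n >= threshold:  # threshold is an assumed value, tune per site
            peak[ip] = max(n, peak.get(ip, 0))
    return peak

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [06/Sep/2022:10:15:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"'
    for s in range(0, 48, 6)  # 8 attempts inside one minute
] + [
    '198.51.100.4 - - [06/Sep/2022:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Sep/2022:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Sep/2022:10:16:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in suspects(SAMPLE).items():
        print(f"{ip}: {n} login POSTs in one minute")
```

Pass it the lines of your real access log (for example `suspects(open(path))`) to list the addresses worth rate limiting or blocking.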


There are multiple ways to prevent brute force attacks; here are some of them, which you can follow.

Hide WordPress Login

One of the first things you should consider after setting up your website is hiding the login area.

By default, a WordPress login page is available as:

  • /wp-login.php
  • /login
  • /wp-admin
  • /admin

Knowing the technologies you are using is easy these days.

So if bad guys know you are using WordPress and the login area is not hidden, they can easily reach the login page and prepare for a brute force attack.

Let’s hide the WordPress login area with the following plugins. You can use any one of them.

WPS Hide Login

WPS Hide Login is a lightweight plugin with over 400,000 active installs. This plugin helps you change the login URL to anything you wish.


After changing the login URL, if someone tries to access wp-admin, wp-login.php, login, or admin, it will throw a 404 error page.

iThemes Security

A premium plugin that offers comprehensive WP security protection.


iThemes keeps the bad guys out. Some of the notable features are:

  • Brute force protection
  • Lock suspicious users
  • Hide login URL
  • Two-factor authentication
  • Malware scanning
  • Database backup

With minimal setup, you are good to go.


Malcare

GDPR ready, Malcare is an all-in-one security protection plugin for WordPress. It offers login protection round the clock and keeps malicious traffic away.


Beyond brute force protection, Malcare offers other features such as malware scanning, malicious code removal, a smart web firewall, one-click hardening, etc. You can get started from as low as $99 per year. It's a worthwhile investment to secure your online business.

Implement 2-factor Authentication

2-factor authentication adds an extra layer of security to your WordPress website. Along with your credentials, you also need to supply a one-time password (OTP).

This is achievable by using the following plugins.


A fantastic and lightweight plugin that lets you implement two-factor authentication for WP administrator, contributor, etc.


You can set up email-based, Google Authenticator, or U2F-based authentication.

Google Authenticator

As the name says, you can use this plugin if you are looking for Google Authenticator based OTP login.


Once you enable the plugin and set up the authentication, you should see the above screen during login to your WP admin.

The above techniques are plugin-based, but you may also consider protection from a cloud-based security provider.

Cloud-based Security

Why Cloud-based security?

Using a plugin to secure your site means all the traffic, including the bad traffic, reaches the WordPress server. Imagine receiving a large amount of useless traffic.

By using cloud-based protection, your WordPress server receives only legitimate traffic. All the bots, spam, and suspicious requests get terminated at the security provider's network.

Sounds good?

There are a few options; two of the popular ones are the following.

SUCURI

SUCURI specializes in website antivirus and firewall services. They help you stop hack attempts, stop DDoS attacks, clean up hacks, and provide complete security for your website, including brute force attack protection.


WordPress security by SUCURI is probably the only thing you need to secure your website from Brute Force and many other security vulnerabilities. The good thing about SUCURI is it supports many other platforms like Joomla, Drupal, Magento, PHP, so in case you change the website technology in the future, you don’t need to spend another $$ for security.


Cloudflare

Cloudflare is one of the popular CDN and security providers. Cloudflare WAF is included in the PRO plan, which costs $20 per month.


You get all the standard security protection like DDoS, OWASP top 10 vulnerabilities, spam, evil bots, brute force, etc.


Securing your site is essential, and if you are looking to mitigate brute force attacks, then one of the above-listed plugins will do the job. However, if you are seriously looking for a complete security solution, then go with cloud-based security. It is worth it!

Stay secure!

  • Chandan Kumar