Brute Force Attacks WordPress

Brute force attacks on WordPress generally take advantage of common username and password combinations.

Brute force attacks… the scary and very real threat for WordPress website owners. If a person figured out your WordPress username and password, your site could be destroyed, taken hostage, or simply be deleted.

As terrifying as it is, when your website is the target of a brute force attack, there are certain precautions you can take to mitigate your risk. You wouldn’t intentionally leave the door unlocked at the office, so why wouldn’t you lock the website?

Take these steps to make your WordPress website more resilient to potential attacks.

What is a Brute Force Attack?

Let’s start with the basics. Essentially, a brute force attack is a technique hackers use to gain access to your website (WordPress) by guessing the password for your administrator account.

There are a variety of ways to compromise your WordPress website: finding a vulnerability in the website’s code, tricking user into revealing their password, or even hijacking a users computer with a key-logger on a target’s computer and stealing the password.

What differentiates brute force attacks from other cracking methods is that brute force attacks don’t employ an intellectual strategy; they simply try using different combinations of characters until the correct combination is found. 


Hackers or attackers are pretty lazy. They resort to lazy methods: guessing, or guessing a lot.

As many people have usernames and passwords that are very easy to guess, it is surprisingly quite effective.

And that is exactly what a brute force attack on WordPress is: a hacker tries the most common usernames and passwords… over and over, until they make it in.

To make this faster, hackers will use automated programs to guess for them. These tools will guess hundreds of combinations in a few seconds. Running through a list of common passwords, they try for an easy win. If the attempt fails, they may either move on. Determined attackers will even use random combinations of words, letters, and symbols until they get it right.

Weak passwords can take as little as .33 milliseconds to crack.

Is WordPress vulnerable to Brute Force Attacks?

Yes. Any software is vulnerable to this type of attack.

WordPress runs over one third of the web. This popularity make it a likely target for attackers.

“This sort of attack is not endemic to WordPress, it happens with every webapp out there, but WordPress is popular and thus a frequent target.”

The brute force security vulnerabilities in WordPress are universal — all software protected with a password is vulnerable to a brute force attack.

Really, all they have to do is guess your username and password, and they have access to anything and everything.

Protecting Your WordPress Site from Brute Force Attacks

Preventing Brute Force Attacks on WordPress - our guide to preventing brute force attacks on wordpress websites.

Taking just a few extra precautions yourself and you’ll fend off the brunt of these attacks. When using WordPress, the platform includes basic security precautions to protect you.

Let’s get into the best ways to protect your WordPress website from brute force attacks:

1. Choose a strong password

The best prevention for brute force attacks on a WordPress website isn’t complex software, firewalls, or any other ‘trick’. The very best thing you can do to protect your website from brute force attacks is simple: choose a strong password.

We’ll repeat that: choose a strong password!

Our tips for choosing a solid password:

  • Try the in-browser password generator for a complex password
  • Minimum 6 characters long! No exceptions.
  • Mix of capital and lowercase letters, include numbers, and some symbols.
  • Don’t mix passwords. Never use the same password for more than 1 website, especially your own WordPress.
  • Unless you’re planning your retirement, don’t use common usernames or passwords.
  • Don’t be inspired! No personal information: name, address, dates, or even the name of your pet. This will be the first thing someone who knows you will try.

A strong username and password will stop 99% of all brute force attacks.

2. Install a firewall plugin

With any WordPress website, a security and firewall plugin is essential.

WordPress firewall plugins are invaluable tools to detect malicious traffic. Many give you the tools to block suspicious IP addresses.

Some reccomended firewall security plugins for WordPress:

Whichever security plugin you choose, you’ll be better off than if you had not bothered to install a security plugin for WordPress.

3. Hide the Login Page

By default, WordPress designates the url /wp-admin/ as the login page. Brute force attackers take advantage of this. If an attacker doesn’t know where to login, it is going to be harder for them to attack your website.

Simply moving the page won’t trick everyone. There are other ways of finding the login page, but most attackers would not bother.

There are several options for WordPress plugins that move or hide the login page. WPS Hide Login allows you to change your login page URL, simple as that. No one will be able to access the normal login pages. While there are workarounds, this will put a stop to most hacking attempts.

4. Enable Two-Factor Authentication

Two factor authentication adds an extra step to logging in.

Most two factor authentication systems send a text or notification to your phone with a code to enter. Involving another device, like a phone, is the best way to prevent brute force hack attempts on a WordPress website.

Among its other security features, Wordfence includes two-factor authentication.

5. Limit Login Attempts

Brute force attacks rely on the ability to test dozens or even hundreds of username and password combinations as quickly as possible. For a standard installation of WordPress with no security plugins, the only thing slowing down this attack is your server capacity.

Limiting login attempts on your WordPress website means that when an attacker uses the wrong password a few times in a row, they will be locked out. This prevents them from trying many combinations. The attackers software cannot continue to try new combinations. The attacker is essentially defeated, and they generally move on to weaker targets.

How to limit login attempts on WordPress

The best and easist way to lmit login attempts on a WordPress website install a plugin. Plugins are available to lmit the number of attempts that a user can try before they are locked out.

Plugins that limit login attempts on WordPress:

Any of these will help take care of this vulnerability and all easily limit the login attempts on WordPress.

6. Keep WordPress Updated

Updating WordPress and keeping WordPress updated should probably be number 1 in any WordPress security defense. The truth is, however most brute force attacks don’t take advantage of outdated software.

Stop Brute Force Attacks in WordPress

A hacked WordPress website can be devastating to any business. Having to rebuild from scratch may be the only choice.

Using a complex secure password is always the best security you can have.

Any other tips for preventing brute force attacks on WordPress? Let’s hear yours in the comments.

Recent Resources

Digital Media

PR & Outreach

Influencer Marketing

Digital Media Buying

Retargeting / Remarketing

Video Production

Data & AI

AI & Machine Learning

Intent & Prediction

Competitor Insight