Brute Force Attacks on WordPress

BIG linden > Insight & Innovation Articles > this article: Brute Force Attacks on WordPress

Brute Force Attacks on WordPress

Brute force attacks… the scary and very real threat for WordPress website owners. If a person figured out your WordPress username and password, your site could be destroyed, taken hostage, or simply be deleted.

As terrifying as it is, when your website is the target of a brute force attack, there are certain precautions you can take to mitigate your risk.

The screen used to sign into WordPress, where attackers typically inject their attack, the login screen is essentially the brute force attack vector
Brute force attacks on WordPress websites generally take advantage of common username and password combinations.

You wouldn’t intentionally leave the door unlocked at the office, so why wouldn’t you lock the website?

Take these steps to make your WordPress website more resilient to potential attacks.

What is a Brute Force Attack?

Let’s start with the basics. Essentially, a brute force attack is a technique hackers use to gain access to your WordPress website by guessing the password for your administrator account. It is regarded as the most basic type of attack, but also the most common.

There are a variety of ways to compromise your WordPress website: finding a vulnerability in the website’s code, tricking your site’s users into revealing their password, or even hijacking a users computer with a key-logger on a target’s computer and stealing the password.

Since 2018, the FBI estimates over 100,000 businesses have experienced some form of brute force attack that was successful. Other estimates suggest that 98% of businesses experience an attempted brute force attack weekly!

Interesting attack vector modeling… almost looks like art. Brute force attacks are easily modeled.

What differentiates brute force attacks from other cracking methods is that brute force attacks don’t employ an intellectual strategy; they simply try using different combinations of characters until the correct combination is found. 

Sorce: Cloudflare

Hackers or attackers are pretty lazy. They resort to lazy methods: guessing, or guessing a lot.

As many people have usernames and passwords that are very easy to guess, it is surprisingly quite effective.

And that is exactly what a brute force attack on WordPress is: a hacker tries the most common usernames and passwords… over and over, until they make it in.

Protecting your website against brute force attacks is just one of many efforts used by engineers to secure your website, and just a part of what makes up a WordPress security plan for your organization’s website.

To make this faster, hackers will use automated programs to guess for them. These tools will guess hundreds of combinations in a few seconds. Running through a list of common passwords, they try for an easy win. If the attempt fails, they may either move on. Determined attackers will even use random combinations of words, letters, and symbols until they get it right.

Weak passwords can take as little as .33 milliseconds to crack.

Is WordPress vulnerable to Brute Force Attacks?

WordPress Logo in white letters on black background - used here to symbolize the topic (WordPress) and graphically represent the WordPress topic

Yes. Any software is vulnerable to this type of attack.

WordPress runs over one third of the web. This popularity make it a likely target for attackers.

“This sort of attack is not endemic to WordPress, it happens with every webapp out there, but WordPress is popular and thus a frequent target.”

The brute force security vulnerabilities in WordPress are universal — all software protected with a password is vulnerable to a brute force attack.

Really, all they have to do is guess your username and password, and they have access to anything and everything.

Protecting Your WordPress Site from Brute Force Attacks

Preventing Brute Force Attacks on WordPress - our guide to preventing brute force attacks on wordpress websites.

Taking just a few extra precautions yourself and you’ll fend off the brunt of these attacks. When using WordPress, the platform includes basic security precautions to protect you.

Let’s get into the best ways to protect your WordPress website from brute force attacks:

1. Choose a strong password

The best prevention for brute force attacks on a WordPress website isn’t complex software, firewalls, or any other ‘trick’. The very best thing you can do to protect your website from brute force attacks is simple: choose a strong password.

We’ll repeat that: choose a strong password!

Our tips for choosing a solid password:

  • Try the in-browser password generator for a complex password
  • Minimum 6 characters long! No exceptions.
  • Mix of capital and lowercase letters, include numbers, and some symbols.
  • Don’t mix passwords. Never use the same password for more than 1 website, especially your own WordPress.
  • Unless you’re planning your retirement, don’t use common usernames or passwords.
  • Don’t be inspired! No personal information: name, address, dates, or even the name of your pet. This will be the first thing someone who knows you will try.
  • More tips from one of our engineers working at Harvard here.

A strong username and password will stop 99% of all brute force attacks.

Protect yourself by creating strong passwords that are unique and hard to guess. Use 2-step verification where it is available, manage all your passwords in a password manager, and NEVER share your password with anyone else.

2. Install a firewall plugin

With any WordPress website, a security and firewall plugin is essential.

WordPress firewall plugins are invaluable tools to detect malicious traffic. Many give you the tools to block suspicious IP addresses.

Some recommended firewall security plugins for WordPress:

[See our full recommendations for WordPress security plugins]

Whichever security plugin you choose, you’ll be better off, and certainly better secured, than if you had not bothered to install a security plugin for WordPress.

3. Hide the Login Page

By default, WordPress designates the url /wp-admin/ as the login page. Protecting your WordPress login page is crucial to slowing attacks from any vector. Brute force attackers take advantage of this. If an attacker doesn’t know where to login, it is going to be harder for them to attack your website.

Simply moving the page won’t trick everyone. There are other ways of finding the login page, but most attackers would not bother.

There are several options for WordPress plugins that move or hide the login page. WPS Hide Login allows you to change your login page URL, simple as that. No one will be able to access the normal login pages. While there are workarounds, this will put a stop to most hacking attempts.

4. Enable Two-Factor Authentication

Two factor authentication adds an extra step to logging in.

Most two factor authentication systems send a text or notification to your phone with a code to enter. Involving another device, like a phone, is the best way to prevent brute force hack attempts on a WordPress website.

Among its other security features, Wordfence includes two-factor authentication.

5. Limit Login Attempts

Brute force attacks rely on the ability to test dozens or even hundreds of username and password combinations as quickly as possible. For a standard installation of WordPress with no security plugins, the only thing slowing down this attack is your server capacity.

Limiting login attempts on your WordPress website means that when an attacker uses the wrong password a few times in a row, they will be locked out. This prevents them from trying many combinations. The attackers software cannot continue to try new combinations. The attacker is essentially defeated, and they generally move on to weaker targets.

How to limit login attempts on WordPress

The best and easist way to lmit login attempts on a WordPress website install a plugin. Plugins are available to lmit the number of attempts that a user can try before they are locked out.

Plugins that limit login attempts on WordPress:

Any of these will help take care of this vulnerability and all easily limit the login attempts on WordPress.

To create a strong password that is easy to remember, use a mix of alphanumeric characters, upper- and lowercase letters, symbols if the system allows it (as long as spaces are not used), choose an acronym for an easily memorable phrase or quote and replace certain letters with numbers or symbols. You may also want to incorporate the first few letters of a website into your password if you are creating one for that particular site.

For best password security, do not use common words such as names, ID numbers or user IDs in any form; avoid passwords that contain fewer than 8 characters; do not use names from popular culture or acronyms associated with geography via products; refrain from using single words preceded by digits and/or punctuation marks. Combining all these techniques will result in a strong but easy-to-remember password!

6. Keep WordPress Updated

Updating WordPress and keeping WordPress updated should probably be number 1 in any WordPress security defense. The truth is, however most brute force attacks don’t take advantage of outdated software.

Stop Brute Force Attacks in WordPress

A hacked WordPress website can be devastating to any business. Having to rebuild from scratch may be the only choice.

Using a complex secure password is always the best security you can have.

If you’re really worried about your website and think about website security a lot, you should probably explore our website and learn more about what we could do for you.

For starters, we could help you stop worrying about your website and let you get back to your real responsibilities… check out how WordPress management services (like, full-service, never-worry-anymore…) could be lifechanging for you and maybe even let you get your job done. Our engineers are experts in WordPress security, WordPress maintenance, and supporting your organization’s mission online.

Read Next:

Table of Contents

About the Author

Katrina Pfitzner

Katrina Pfitzner

Katrina is a developer, designer, author, and thought leader on topics including Security and WordPress. For more from Katrina, find her on twitter and follow her on medium.

All Posts
Matt Blalock

Matt Blalock

Matt Blalock is an accomplished Creative Director and Marketing Consultant, known for pioneering BIG vision and brand direction for leading organizations.

More Security and WordPress Insight

Security and WordPress support docs

Capabilities related to this Security / WordPress article

Make your next WordPress site migration stress-free. Migration services global organizations depend on.
Simple, stress-free WordPress website maintenance with world-class support.


Get a 30 minute 1:1 consult with a BIG consultant and get a 7 page report on making digital work in your organization with key insight into paths for success and playbooks just for your unique needs.

Please understand not all requests can be met. Please contact us with any questions.