Protect your WordPress site from brute force attacks

Article directory [hide]

  • What is a brute force attack
  • Ways to fight back
    • Restrict access to the login page
    • Use plugin
    • Use CDN/Firewall
  • When it comes to safety, be proactive

Whether you are new to WordPress or an experienced developer, you may be surprised how often your website is attacked. You may also want to know who or who is doing this kind of activity-not to mention why they are targeting you.

The answer is simple. In most cases, the bad actors are automatic robots. And you are the target only because you happen to be running WordPress. As the most popular content management system (CMS), it is directly in the sight of malicious actors. Although there are various attacks around, brute force attacks are one of the most popular. And this is precisely our theme today.

Let’s take a look at what is a brute force attack and some methods that can better protect a WordPress site.

What is a brute force attack

We can see the introduction of brute force attacks from Wikipedia:

Brute-force attack (English: Brute-force attack) [1], also known as exhaustive attack (English: Exhaustive attack) or brute force cracking, is a method of cryptanalysis, that is, the password is calculated one by one until the real password is found. until.


In the real world, this means that malicious scripts will run repeatedly and enter the username and password in the WordPress login page. Hundreds or even thousands of such attempts may be seen every day.

Of course, if this is completely random, it will be very difficult to successfully log in to the website using this technique. However, these attacks can sometimes work for two main reasons:

  1. Use weak login credentials, such as a super general username and password.
  2. Use credentials previously leaked elsewhere.

If either of these two conditions exist, it will increase the chance of a successful attack. Once an attacker has accessed your WordPress dashboard, they will cause all kinds of damage.

However, even if unsuccessful, these attacks can be both annoying and a waste of server resources. Therefore, it is important to develop strategies that can help mitigate its damage.

Ways to fight back

Thankfully, there are many steps you can take to better protect your WordPress site from brute force attacks. The most basic approach is to establish common-sense security measures, such as using strong passwords and anything other than “admin” as the username. These steps alone will at least make your website more difficult to crack.

However, you can take some stronger measures, including:

Restrict access to the login page

Depending on the settings of your web server, you might consider blocking access to the WordPress login page, except for specific groups or IP address ranges. For example, on the Apache server, this can be done through the .htaccess file.

It should be noted that this strategy depends on the administrator having a static IP address. In a corporate environment, this may be the case. However, other circumstances may make this method more difficult. The official WordPress documentation has some further suggestions, which are worth a look.

Another method is to password protect the login page at the server level. Although this brings some inconvenience, it does help to ensure that only authorized users can access the dashboard.

Use plugin

There are many WordPress plugins dedicated to security, some of which provide features to prevent brute force attacks. such as:

Jetpack  ‘s “Protection” feature prevents unnecessary login attempts. (Jetpack is not recommended for domestic websites, because some resources cannot be loaded and used in China)

Wordfence employs several login-specific measures, such as two-factor authentication, reCAPTCHA and brute force protection. There is also a supporting plug-in specifically for login security.

Login LockDown is a plug-in designed to limit brute force attempts. After a certain number of failed logins, it will automatically lock the IP address in question.

iThemes Security  provides several login-related protections, including strong protection, two-factor authentication and /wp-admin/the ability to rename folders to block robots.

Use CDN/Firewall

Content Delivery Network (CDN) can not only improve the performance of your website, but also has the effect of preventing the barrier between malicious bots and WordPress.

CDN providers usually include methods to block IP addresses or even entire countries from accessing your site (or at least your dashboard). Depending on the service you use, there may also be protective measures specifically aimed at preventing brute force attacks.

The advantage of this method is that you can greatly reduce the load on the Web server. how about it? The attacker was blocked by the CDN firewall before reaching your site. This is like putting a giant fly swatter in front of the house and keeping the pests out before they enter your front door.

When it comes to safety, be proactive

Unfortunately, not taking any measures to prevent brute force login is not a viable option. These attacks are ubiquitous and unkind. And of course the scenery will not get better as it is. Therefore, we should take preventive measures.

Fortunately, this is not difficult. Although the above options are not 100% perfect, they are easy to implement. Everyone makes it more difficult for ordinary robots to achieve their goals.

Moreover, the cost of mitigating these attacks now is much lower than the cost of dealing with hacked websites in the future. Based on this alone, we should take the initiative to implement preventive measures in regions.

We have shared other security tutorials before:

  • How to improve WordPress site security?
  • How a WordPress website was hacked
  • 10 Nginx rules to enhance WordPress security
  • 15 useful WordPress .htaccess code snippets
  • 15 commonly used WordPress wp-config.php configuration codes
  • WordPress file read and write permissions recommendations
  • WordPress security management and firewall plugin: All In One WP Security & Firewall
  • Modify the WordPress background login address to improve security
  • WordPress security check and repair plugin: iThemes Security

Leave a Reply

Your email address will not be published. Required fields are marked *