WordPress Brute Force Attack Prevention

black and white image of hacker

If you’re running a website, sooner or later someone malicious will try to ‘brute force’ their way in. Even small sites have to deal with this hassle, whether it comes from bots or human hackers. That’s why brute force attack prevention is essential if you want to keep your site secure.

Fortunately, there are a lot of things you can do to prevent WordPress brute force attempts. Most of these methods are quite straightforward, which means there’s no excuse not to protect your website. A little work now can save you a lot of headaches down the road.

In this guide, we’ll explain what brute force attacks are, and discuss whether your site is at risk. Then we’ll talk about your options for protecting your site, both manually and via plugins. Let’s get to work!

What Are Brute Force Attacks?

Imagine there’s a stranger outside your home, and they have access to an almost infinite number of keys. They want to get inside, so they try key after key in the hopes that they’ll find a match. Their odds of success are pretty slim, but if you let them keep trying unimpeded and they have enough time, they might eventually force their way in.

If you replace those keys with usernames and passwords, you have a brute force attack. The good news is that landing on the right ‘key’ (or login credentials) by chance is almost impossible for a human, and very time consuming even for a machine. However, if the attacker knows at least one vital piece of data, such as your username, the process becomes easier.

WordPress is a very secure platform, but it’s so popular that websites using it tend to be targeted for brute force attacks. That means you’ll need to follow strong security practices, or you risk letting the wrong people in.

What’s the difference between Brute Force and DDoS?

A Distributed Denial-of-Service (DDoS) attack is different from a brute force attack in both its approach and its goal. DDoS attackers will bombard a site with meaningless or ‘junk’ requests. This onslaught of useless traffic is meant to overload the targeted site’s server and shut it down. 

What makes this kind of attack a ‘distributed’ is that it uses multiple compromised devices to carry out the barrage of site requests. Mobile phones infected with malware, for instance, can be used to perform a DDoS attack.

On the other hand, a brute force attack involves a hacker gaining access to your site using the method described above. Usually a bot or program will try a large volume of login credentials in hopes of breaking into an existing user account.

The goals of a DDoS attack differ from those of a brute force attack as well. DDoS attacks are typically geared toward causing a site to stop functioning and shut down. It’s not uncommon for DDoS attackers to put resources toward an attack with the intent of making money and destroying computer defenses. 

With a brute force attack, the hacker hopes to gain access to your site so they can carry out malicious acts once they’re logged in. Their specific end-goals vary. However, the important difference to note between these two types of security breaches is that brute force hackers gain entry to your site; DDoS attackers do not.

What Are the Risks of a Brute Force Attack?

If someone gains access to your WordPress dashboard using an account with administrative privileges, they can do a lot of damage. Here are some examples of what a hacker could accomplish after a successful brute force attack:

  • Steal private user information, such as names and email addresses
  • Add malicious files or links to your pages
  • Deface your website to affect its popularity, credibility, or search rankings
  • Take down your site altogether

To put it another way, if someone is trying to force their way into your home, they probably don’t have the best intentions. It’s also worth keeping in mind that it’s not just popular websites that are targets for brute force attacks. If you run any kind of website, large or small, you’ll want to consider implementing brute force protection techniques.

7 Tips to Protect Your WordPress Site Against Attacks

Fortunately, you don’t have to be a security expert to prevent hacking attempts. In fact, just following some basic best practices can do a lot to mitigate the risks. Let’s talk about seven of the best techniques!

1. Update Your Username

By default, WordPress assigns the admin username to your administrator account. This is easy to remember, but it also gives away important information to potential attackers.

Unfortunately, WordPress doesn’t enable you to change your username from the dashboard once it’s set up. If you’re already using a unique username, then you’re fine. If you aren’t, there are two ways to work around this limitation:

  1. Modify your database.
  2. Create a new account with admin privileges (and a unique username), and switch over to it.

If you use the second method, remember to delete your original account. That way, attackers can’t use it to force their way in.

 2. Use Complex Passwords

Passwords are your primary line of defense against brute force attacks. The longer and more complex your password is, the harder it will be to crack.

Here are a few strategies for using passwords more effectively:

  • Set up unique passwords for each of your accounts.
  • Create long passwords that incorporate special characters in addition to letters and numbers.
  • Consider using a password manager to keep all of your credentials safe.

In our experience, password managers can solve a lot of problems. They store all your passwords securely, and you can synchronize them across most devices.

3. Enable Two-Factor Authentication (2FA)

A basic password-and-username login system is a one-step authentication process. Adding additional credentials makes it even harder for attackers to get in, which is excellent news for you.

With 2FA, when you enter your login credentials, you’ll receive a one-time code sent to your email address or cell phone. You’ll need to enter that code before you can finish logging in. That way, attackers won’t be able to access your site unless they have your credentials and access to your phone or email.

Unfortunately, WordPress doesn’t offer 2FA functionality out of the box. However, you can add it to your website in minutes with a plugin.

4. Verify Human Traffic

Most of the time, bots do all the hard work in a brute force attempt. One simple way to stop them in their tracks is to implement a Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA). You’ve likely encountered one before.

A CAPTCHA will typically present a simple action for you to complete. These tasks are based on issues that even today’s Artificial Intelligence (AI) typically cannot handle. Differentiating distorted characters or images, for instance, is a common CAPTCHA requirement.

Once again, you’ll likely need a plugin to enable this security feature. Google Captcha is a solid choice: 

Google Captcha plugin banner

With this plugin, you can add a CAPTCHA to nearly any kind of form on your website. You can also whitelist certain IP addresses to them grant immediate access without a CAPTCHA. 

5. Hide the WordPress Login Page

By default, WordPress uses a single URL for all login pages. This makes it much easier for an attacker to find where they can start testing possible credentials. They know exactly where your ‘front door’ is. In order to deter them, it’s wise to hide your WordPress login page. 

One way to accomplish this is using the WPS Hide Login plugin:

WPS Hide Login Plugin banner

This tool enables you to change the URL for your login page. Rather than rewriting your site’s code, it simply intercepts page requests for the default WordPress login page. This should reduce the vulnerability of your site to brute force attacks and login spammers. 

6. Install a Brute Force Protection Plugin

In addition to those we’ve already mentioned, there are several other security plugins you can install to prevent brute force and other attacks. We’ll cover some of them in more detail later. For now, let’s discuss some key features to look for. 

First, a plugin that can regularly scan your site for malware and other vulnerabilities is particularly useful. Additionally, finding one that can block unwanted traffic is a simple way to keep hackers out of your site and avoid a breach altogether.

The key to preventing brute force attacks specifically, however, is limiting login attempts. This function blocks users who have tried multiple username and password combinations. Since brute force hackers often try thousands of credentials before landing on the right ones, this feature will usually stop them in their tracks. 

7. Scan Your Site Periodically

In some cases, attackers might gain access to your website before you even realize it’s happened. That’s why it’s smart to periodically scan your website for vulnerabilities and suspicious logins.

There are a lot of tools you can use to check your site for malicious files, such as the Sucuri SiteCheck service. Plus, you can always set up a plugin to keep logs of who accesses your site and when, to help you spot any unauthorized entries.

WordPress Brute Force Prevention Plugins

Along with the methods we introduced above, there are also several login-related plugins you can use to prevent brute force hacks. Before we wrap up, we’ll check out four of the top options.

Plugin 1: Brute Force Login Protection

Brute Force Login Protection plugin banner

In most cases, it doesn’t take someone dozens of attempts to log into a website unless they’re not supposed to be there. That means it can be smart to limit the number of login attempts users can make in a row. Brute Force Login Protection enables you to implement that functionality, and block repeated entry attempts from the same IP address.

Plugin 2: Limit Login Attempts Reloaded

Limit Login Attemps Reloaded plugin banner

This is a simple solution to a big security risk. Limit Login Attempts Reloaded enables you to set a limit on the number of failed login attempts a user can make before they’re blocked. There are several additional options that come with the plugin, too, such as protection for your WooCommerce login page.

Plugin 3: WPS Limit Login

WPS Limit Login plugin banner

Created by the same developers behind WPS Hide Login, this plugin enables you to limit the number of allowed entry attempts via both the login page and authorization cookies. You can also whitelist or blacklist IP addresses, protect your WooCommerce login page, and use WPS Limit Login in conjunction with Sucuri Firewall for added protection.

Plugin 4: WP Limit Login Attempts

WP Limit Login Attempts plugin banner

Similar to the previous plugins, WP Limit Login Attempts is geared primarily toward preventing or slowing down brute force attacks. In addition to setting a limit on how many times a user can try to log in, this plugin also adds a CAPTCHA after a set number of failed attempts.

Prevent WordPress Hacks with WP Engine

One of the best ways to keep your website safe is to use a Digital Experience Platform (DXP) that takes security seriously. With WP Engine, you get access to secure features that are used by a wide range of WordPress site owners.

We take care of protecting your website using automated threat detection and blocking, and we keep an eye out for vulnerable plugins. If you sign up for any of our plans, you’ll get access to these and other security features!

Get started.

Build faster, protect your brand, and grow your business with a WordPress platform built to power remarkable online experiences.