Limiting the impact of brute force attacks against your WordPress site


Brute force attacks against WordPress are disruptive even if you use secure passwords and two-factor authentication. Here’s how you can stop them in their tracks.

By Graeme Caldwell, writer, Nexcess

Brute force attacks are a problem for any site with user accounts, including WordPress sites. They are the least sophisticated technique in the attacker's toolbox. When bots find an accessible login page, they try to guess a username and password combination that will grant them access. The bots use dictionaries of passwords drawn from leaked password databases to increase the odds of guessing correctly (some would argue that this type of attack should be called a dictionary attack, but the distinction doesn't matter for this article).

Brute force attacks are effective because many users don’t choose secure passwords. If users follow basic guidelines when creating passwords, or, even better, use a password generator, the chances of a bot guessing the right password are tiny. A sufficiently complex password takes centuries to guess.

If you can’t trust users to choose secure passwords, two-factor authentication should be used. TFA plugins like Google Authenticator make it impossible for a brute force attack to succeed even if the right password is guessed.

But brute force attacks can still cause problems for WordPress sites that have secure passwords and use two-factor authentication. Every login attempt consumes server resources and a brute force attacker may try to log in many times a second.

In addition to TFA and secure passwords, it’s a good idea to stop attackers from trying to log in repeatedly, and there are several ways to achieve that goal.

Move the login page

Brute force bots are not the most sophisticated pieces of software, and moving the login page to a different URL is often enough to stop them in their tracks. The Move Login plugin does just that, moving the login page to a URL of your choice.

Rate limit login attempts

Unless you are using a password like “12345” or “password”, both of which will be tried immediately, it takes many attempts to successfully guess even a fairly simple password. Limiting the number of login attempts that can be made from an IP will massively decrease the number of guesses that can be made each second.

In addition to many other security features, the Wordfence Security plugin allows you to limit the number of login retries and logs suspicious login attempts.
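The following is an added example, not code from the article or from the Wordfence plugin, showing the mechanism the two paragraphs above describe: failed logins are counted per client IP inside a sliding window, and once the count reaches a threshold the IP is locked out for a period, so further guesses are rejected before the password is ever checked. The log lines, IP addresses, thresholds and function names are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample of login attempts (not real data): unix timestamp, client IP, result.
# 203.0.113.5 hammers the login form; 198.51.100.7 is a legitimate user.
SAMPLE_LOG = """\
1700000000 203.0.113.5 FAIL
1700000000 203.0.113.5 FAIL
1700000001 203.0.113.5 FAIL
1700000001 198.51.100.7 OK
1700000002 203.0.113.5 FAIL
1700000002 203.0.113.5 FAIL
1700000003 203.0.113.5 FAIL
1700000003 203.0.113.5 FAIL
1700000900 203.0.113.5 FAIL
1700000950 203.0.113.5 FAIL
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (OK|FAIL)$")


class LoginRateLimiter:
    """Per-IP sliding-window limiter with a lockout (hypothetical helper, in-memory state)."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time at which the lockout expires

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_allowed(self, ip, now):
        """True if this IP may have its password checked right now."""
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            # Lockout expired: forget it and start counting afresh.
            del self._locked_until[ip]
            self._failures[ip].clear()
        return True

    def record_result(self, ip, success, now):
        """Update state after a password check; a success resets the counter."""
        if success:
            self._failures[ip].clear()
            return
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout


def replay_log(log_text, limiter=None):
    """Replay attempts through the limiter; returns (ts, ip, decision) per attempt."""
    limiter = limiter or LoginRateLimiter()
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, result = int(m.group(1)), m.group(2), m.group(3)
        if not limiter.is_allowed(ip, ts):
            # Rejected cheaply: no database lookup, no password hashing.
            decisions.append((ts, ip, "REJECTED_BY_LIMITER"))
            continue
        limiter.record_result(ip, result == "OK", ts)
        decisions.append((ts, ip, "PASSWORD_CHECKED"))
    return decisions


def summarize(decisions):
    """Count how many attempts reached the expensive password check versus were rejected."""
    counts = defaultdict(int)
    for _, _, decision in decisions:
        counts[decision] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, ip, decision in replay_log(SAMPLE_LOG):
        print(ts, ip, decision)
    print(summarize(replay_log(SAMPLE_LOG)))
```

With the default thresholds the attacker's sixth failure triggers a 15-minute lockout, so the attempts at 1700000003 and 1700000900 are rejected without touching the password check, while the one at 1700000950 is checked again because the lockout has expired. A real plugin persists this state (Wordfence keeps it in the database) rather than in process memory, and because the limit is keyed on source IP, an attacker spreading guesses across many addresses will see fewer rejections; that is why the article still recommends strong passwords and TFA alongside rate limiting.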

Whitelist IP addresses

Every machine that tries to log in to your WordPress site has an IP address. Rate limiting works by monitoring how many times an IP attempts to log in and blocking it if it looks suspicious. It is also possible to block all IPs except those you trust, whitelisting only the IPs you want to be able to log in.

For most WordPress sites, this isn't a good idea because you don't know in advance which IPs users will connect from. But if you are in the rare situation of knowing which IPs everyone who uses your site connects from, this technique can be effective.

To whitelist IPs, you will need access to your site's .htaccess file. If you don't know what that means, I would advise against using whitelisting — you might end up blocking everyone or creating more security issues than you solve.

If you're confident you know what you are doing, add the following to your site's .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login page or the admin area...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...that do NOT come from a whitelisted IP (the "!" negates the match).
# The IP is a regular expression, so escape the dots, e.g. !^203\.0\.113\.5$
RewriteCond %{REMOTE_ADDR} !^REPLACE_WITH_IP$
RewriteCond %{REMOTE_ADDR} !^REPLACE_WITH_IP$
# Everyone else gets a 403 Forbidden.
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Replace the text that reads "REPLACE_WITH_IP" with the IP you want to whitelist. There are two whitelisting lines in the example, but you can have as many as you want by adding more copies of that line.

These techniques will limit the impact of brute force attacks against your site, but they aren’t a substitute for using long and complex passwords and two-factor authentication.

About the Author

Graeme Caldwell — Graeme works as a blogger for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, https://blog.nexcess.net/.