Limiting Brute Force Attacks Against Your WordPress Site


Brute force attacks against WordPress are disruptive even if you use secure passwords and two-factor authentication. Here’s how you can stop them in their tracks.

Brute force attacks are a problem for any site with user accounts, including WordPress sites. Brute force attacks are the least sophisticated technique in the hackers’ toolbox. When bots find an accessible login page, they try to guess a username and password combination that will grant them access. The bots use dictionaries of passwords drawn from leaked password databases to increase the odds of guessing correctly (some would argue that we should call this type of attack a dictionary attack, but the distinction isn’t meaningful for this article).

Brute force attacks

Brute force attacks are effective because many users don’t choose secure passwords. If users follow basic guidelines when creating passwords, or, even better, use a password generator, the chances of a bot guessing the right password are tiny. A sufficiently complex password takes centuries to guess.

If you can’t trust users to choose secure passwords, two-factor authentication should be used. TFA plugins like Google Authenticator make it impossible for a brute force attack to succeed even if the right password is guessed.

But brute force attacks can still cause problems for WordPress sites that have secure passwords and use two-factor authentication. Every login attempt consumes server resources and a brute force attacker may try to log in many times a second.

In addition to TFA and secure passwords, it’s a good idea to stop attackers from trying to log in repeatedly, and there are several ways to achieve that goal.

Move The Login Page

Brute force bots are not the most sophisticated pieces of software, and moving the login page to a different URL is often enough to stop them in their tracks. The Move Login plugin does just that, moving the login page to a URL of your choice.

Rate Limit Login Attempts

Unless you are using a password like “12345” or “password”, both of which will be tried immediately, it takes many attempts to successfully guess even a fairly simple password. Limiting the number of login attempts that can be made from an IP will massively decrease the number of guesses that can be made each second.

In addition to many other security features, the WordFence Security plugin allows you to limit the number of login retries and logs suspicious login attempts.
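To see what a per-IP limit does to a guessing run, the added example below (not code from WordFence or from this article) replays POSTs to wp-login.php from an access log through a sliding-window limiter with a lockout. The thresholds (5 attempts per minute, 15-minute lockout), the function names and the sample log are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined"-style access log line: client IP, timestamp, method, path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def sample_log():
    """Constructed log: a bot guessing every 2 s and a user who logs in twice."""
    fmt = '{ip} - - [10/Mar/2024:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 4521'
    post = "POST /wp-login.php"
    lines = [fmt.format(ip="203.0.113.7", m=0, s=2 * i, req=post) for i in range(20)]
    lines.append(fmt.format(ip="198.51.100.20", m=0, s=5, req=post))
    lines.append(fmt.format(ip="198.51.100.20", m=3, s=0, req=post))
    lines.append(fmt.format(ip="198.51.100.20", m=3, s=1, req="GET /wp-admin/"))
    return "\n".join(lines)

def login_posts(log_text):
    """Yield (ip, timestamp) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def rate_limit(events, max_attempts=5, window=timedelta(minutes=1),
               lockout=timedelta(minutes=15)):
    """Replay attempts in time order; return {ip: attempts that would be refused}."""
    recent = defaultdict(deque)  # ip -> timestamps of allowed attempts in the window
    locked_until = {}            # ip -> time at which the lockout ends
    refused = defaultdict(int)
    for ip, ts in sorted(events, key=lambda e: e[1]):
        if ip in locked_until and ts < locked_until[ip]:
            refused[ip] += 1     # still locked out
            continue
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()          # forget attempts older than the window
        if len(q) >= max_attempts:
            locked_until[ip] = ts + lockout
            refused[ip] += 1
            q.clear()
            continue
        q.append(ts)
    return dict(refused)

if __name__ == "__main__":
    for ip, n in rate_limit(login_posts(sample_log())).items():
        print(f"{ip}: {n} login attempts refused")
```

With these settings the bot gets 5 guesses instead of 20 in the sampled 40 seconds, while the user who logs in twice a few minutes apart is never refused.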

Whitelist IP Addresses

Every machine that tries to log in to your WordPress site has an IP address. Rate limiting works by monitoring how many times an IP attempts to log in and blocking it if it is suspicious. It is also possible to block all IPs except those you trust, whitelisting only IPs you want to be able to log in.

For most WordPress sites, this isn’t a good idea because you don’t know in advance which IPs users will connect from. But, if you are in the rare situation of knowing which IPs everyone who uses your site connects from, this technique can be effective.

To whitelist IPs, you will need access to your site’s .htaccess file. If you don’t know what that means, I would advise against using whitelisting — you might end up blocking everyone or creating more security issues than you solve. If you’re confident you know what you are doing, add the following to your site’s .htaccess file.

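<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login page or the admin area
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# One line per trusted IP; escape the dots in each address with a backslash
RewriteCond %{REMOTE_ADDR} !^REPLACE_WITH_IP$
RewriteCond %{REMOTE_ADDR} !^REPLACE_WITH_IP$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>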


Replace the section of text that reads “REPLACE_WITH_IP” with the IP you want to whitelist. There are two whitelisting rules in the example, but you can have as many as you want by adding more copies of that line.

These techniques will limit the impact of brute force attacks against your site, but they aren’t a substitute for using long and complex passwords and two-factor authentication.

