How To Protect Your WordPress Website From Brute Force Attacks

Kumar Gauraw

Brute Force Attacks on WordPress Websites have caused a lot of pain to webmasters and web hosting companies in recent weeks. If you’re using WordPress to power your website, you may be vulnerable to a new web-based attack that aims to hack your admin password.

Protect Your WordPress Websites From Brute Force Attacks

The good news is you can do something about it. You can tighten your WordPress security to counter these attacks. But first, let’s understand these attacks a little better.

What Are Brute Force Attacks?

Brute Force Attacks are targeted to hack your WordPress Admin Dashboard.  These attacks specifically target your WordPress website’s wp-login.php from a large number of IP addresses spread geographically around the world.

The scale of these attacks is massive. Just imagine that a large botnet army of around 90,000 compromised servers are continuously attempting to guess your username and password and get into your WordPress Admin Dashboard.

These attacks hammer the wp-login.php file on your website over and over until they get in or the web server dies. If you are using “admin” or “administrator” to login to your dashboard, you should know that you are at risk!

According to

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin.'

Steps To Protect Your WordPress Websites

Your web hosting company is already doing everything it can to protect your websites from these attacks. In addition, there are a few things you can do to ensure your particular website is safe and sound.

Here are steps you can follow to improve your security for your WordPress website:

1. Get Rid Of The Default Accounts

Do not keep default WordPress Admin user account active which is usually “admin” or “administrator”. Hackers are using default account names to begin the attacks. Create a user ID that is hard to guess.

2. Use Strong Passwords

These botnets have been using common passwords like “123456”, “qwerty123” etc. to break into your WordPress dashboard. It is important that you create a password that is hard to guess. To create such a password, you may want to follow these guidelines:

  • Use at least 8 characters total. The more, the better.
  • Use a mixture of upper and lower-case letters
  • Mix Numbers, punctuation or other non-alphanumeric characters

3. Lock Down Your WordPress Admin Through .HTACCESS

Caution! Before following this step, make sure you know what you are doing. If you do this step wrong, it can break your website. Now here is what you can do:

Edit your .HTACCESS file to lock down access to your WP-ADMIN screen. The .HTACCESS file is usually located in your website’s home directory on the web server. You edit the file using your cPanel or you use FTP to transfer a copy of the file to your local machine and then use a text editor to edit the content. After the following action has been completed, the modified file is used to replace the original file. Now, you need to add following lines to the beginning of the .HTACCESS file:

[note background=”#FFFF85″]<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)?YourDomain\.com [NC] RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ – [F] </IfModule>

Important: Please make sure you replace YourDomain with your actual domain name. If you domain is not a .com, then replace .com the above code with your domain’s extension.

The .HTACCESS rules ensure that the requests coming from your domain are only to be entertained. Every other request will be rejected.

4. Implement CloudFlare To Get DNS Level Protection

Usually CloudFlare offers DNS level filtering only to its paid customers. Due to the large scale of this botnet attack, CloudFlare has rolled out DNS level filtering to all of their free accounts as well. This is an awesome step by CloudFlare and I really appreciate being on CloudFlare for this reason.

CloudFlare is a system that I have highly recommended from the time when nobody was talking about these brute force attacks. It is simply awesome because of the level of security and speed it provides to your websites.

Congratulations if you are on CloudFlare already. If you are not yet using CloudFlare, check out these posts to find out how you can use it and how you will benefit from it:


5. Keep WordPress And Your Plug-ins Up-To-Date

This is should be an important daily maintenance task whether or not a threat exists. Keeping your website up-to-date with the latest versions of WordPress and all plugins is critical to maintaining the integrity of your website.

I login to my WordPress admin and check to see if there are any available updates every day. As soon as I find a new update, I check the details, take a backup of my website and apply the update.

6. Take Regular Backups Of Your WordPress Website

Speaking of backups, I wrote extensively about the importance of making regular backups of your WordPress websites. If you missed the posts, here are the links for your reference:

If you have not secured your website yet, this should be your opportunity to strengthen your security protection. These steps will significantly reduce opportunities for hackers to be able to take over your WordPress website.

Your Turn To Share

How are you preparing to protect your website from these brute force attacks? Is there any additional measure that you want to suggest? Please share your thoughts in the comments by clicking here. Thank you kindly!

Kumar Gauraw

Posts Twitter Facebook

Kumar Gauraw is a Personal Branding & Social Media strategist helping entrepreneurs and skilled professionals achieve personal and professional success by developing leadership and leveraging the power of the Internet, Blogging and Social Media.

14 Awesome Thoughts So Far, Add Yours Now...

  1. Kumar,

    Thank you so much!

    You have added tremendous value in providing the HT ACCESS
    code. I will implement it immediately.

    Overall, a very informative article 🙂

    Kind Regards,

    • Thank you Bill. I am glad you are now ALL SET!

    • I agree with Bill it added a lot value on this!!! Even I will be implementing the same at the earliest.

      • It is important to get this protection up because if nothing else, at least you have peace of mind.

        • That’s true!!! peace of mind is equally important 🙂

  2. All are excellent tips especially, just keeps your WordpPress and plugins updated. And make sure your directories are not write-able.

    Personally, I would like to suggest Codeguard, it’s an ultimate services that guards your website code and if anything changes on the code side, you’ll be notified and in case of your website has been hacked then you can also easily recover site from their backup service without even worrying about any data loss.

  3. You’ve mentioned almost everything, and I’m sure they will help preventing the attacks.
    Though there’s one more way I’m aware of, and that is protecting wp-admin folder using password. It’s really effective, you should try!

    • That is a great point Kalpit. I didn’t write about that because of the focus on Brute Force attacks. But protecting wp-admin is definitley very very important. Thank you!

  4. Great Post lots of great info.
    I tried Cloudflare and I was getting Bots from Cloudflares Ips Coming off their network. I had to drop Cloudflare and block those IPs Brute Forcing my sites

    • Well, Not sure why it happened to you. But Cloudflare has always protected my websites and I never have been attacked or heard from anybody that they faced brute force attack from Cloudflarw IPs. That is definitely weird.

      • Just wanted to follow up on cloudflare. We are now a Cloudflare Partner and have figured out the problem I mentioned above. I did not have Mod_Cloudflare installed on the server so the ips looked like they were coming from cloudflare when they were but the client ips were not being reported. its all fixed now thank You again for a great tutorial

        • Thank you for the update Mitch. Wow! I did’t realize that not hving Mod_Cloudflare could cause that issue. This is great finding. Thank you for coming back and sharing with us.

          Good luck to you!


  5. JD

    I have a little doubt for “Keep WordPress And Your Plug-ins Up-To-Date”. As after updating one of my plugin, It crashed my whole website with error in some php code. After lots of googling I have removed plugin by cpanel and then it works fine. So i prefer to NOT update my plugins at all. Please advise.

    • JD,

      Not all plugins are to be trusted. You should check their number of downloads and reviews before starting to use them. The plugin that broke your site, must have been one of those plugins that do not get properly tested and most probably you fell victim of such a plugin.

      Only use well rated plugins and then keep them updated. Not updating them puts your site at risk in many cases.


Please Note: My goal is to host interesting conversations with caring, honest, and respectful people. Therefore, I reserve the right to delete comments that are snarky, offensive, or off-topic.