7 Simple Ways to Secure Your WordPress Website from Brute Force Attacks

A brute force attack is one of the most basic types of cyber attacks which aims at gaining access to websites and applications by repeated trial-and-error and guessing of login credentials.

The attackers typically employ automation software which sends a large number of requests to the target system. With each request, the software tries to guess the information needed to break in, like username and password.

By using different IP addresses, such malicious tools can also disguise themselves. This makes it tricky for the targeted system to recognize and block the malicious activity.

Once the hackers break in, they have access to your WordPress website’s admin area, empowering them to install malware, steal sensitive information, and destroy your work.

What’s more, even unsuccessful brute force attacks can take a heavy toll on your website’s performance by sending too many server requests. This, in turn, will slow down your WordPress hosting servers and possibly even crash them.

Now, it won’t exactly be an overstatement to say that WordPress pretty much runs the internet. This robust content management system (CMS) powers a whopping 32.3% of all websites on the internet. An unfortunate side effect of this popularity is that it is the most frequent target of brute force attacks and other exploits.

Luckily, you don’t have to be a software sorcerer to be able to protect your virtual property from these pesky invaders. Here are seven ways to secure your WordPress website from brute force attacks, starting with the most obvious and easy ones.

1. Never Use ‘admin’ as Username:

This shouldn’t need a mention. But as this is still a fairly common practice among newbie webmasters, it is indeed worth a mention.

You see, for both humans and bots trying to infiltrate your website, ‘admin’ would most likely be the first guess at your username.

So, when installing WordPress, choose any username you like except ‘admin’.

According to the folks at WordPress, “If you are still using this username, make a new account, transfer all the posts to that account, and change ‘admin’ to a subscriber (or delete it entirely).”

It doesn’t really matter what you change it to as long as it isn’t ‘admin’. And even though the Profile section clearly states “Usernames cannot be changed”, they can be.

It’s simple. Being WordPress, there is a plugin for literally everything.

To change usernames, install Username Changer, a well-acclaimed and easy-to-use plugin. After you install and activate it, the Profile screen changes to let you change the username. Easy-peasy.

2. Use a Strong Password:

Again, as blindingly obvious as it gets, don’t use “123456”, “qwerty”, or “password” as your password. Such passwords are convenient for you to remember, and likewise, easy to guess for hackers.

Ideally, you should use a combination of uppercase, lowercase, numeric, and special characters to form a long and strong password. Moreover, it’s important that you use strong passwords for not just your WordPress user accounts but also for FTP, your web hosting control panel, and your WordPress database.

Consider using a password generator to do the hard work for you. When allowing multiple users to register on your website, install a plugin like Force Strong Passwords to ensure all users are secure.

3. Always Stay Up-To-Date:

A good deal of brute force attacks target vulnerabilities known to be present in older versions of WordPress, popular plugins, or themes.

As most of the renowned plugins (and the WordPress core itself) are open source, vulnerabilities are often detected and fixed very quickly. However, if you tend to overlook pending updates more often than not, your website remains vulnerable to those old hazards.

Staying updated is the easiest thing you can do to secure your WordPress website, so why not? Just go to Dashboard >> Updates to keep up to date with the latest updates for WordPress core, plugins, and themes.

4. Set Up a Firewall:

As mentioned earlier, failed brute force attacks can also harm your website by slowing it down or even crashing your hosting server.

To prevent this, you need to set up a firewall for your WordPress website. Essentially, a firewall filters and blocks bad traffic from your website. Specifically, you need a DNS-level website firewall that routes your website traffic through its cloud proxy servers.

Get the premium version of Sucuri Security to leave nothing to chance. It is one of the best firewall (and overall security) plugins for WordPress.

Alternatively, you can secure your WordPress website with a server-level firewall without using a plugin, too.

5. Enable Two-factor Authentication:

As an added layer of security, you can (and should) opt for two-factor authentication (2FA) for your WordPress website.

Basically, 2FA is a small extra step to be taken by you during login that requires you to prove that it’s indeed you trying to log in and not a hacker. For this, a unique code or a unique link will be sent to you (and you alone) via text or email, which you’ll have to enter (or click) in order to confirm your access.

You must be familiar with this process if you’ve ever used banking applications.

Anyway, this is a very effective line of defense against brute force attacks. Plus, it is very easy to set up by using free plugins like Google Authenticator and UNLOQ.

6. Limit Login Attempts:

By default, the attackers have infinite tries to penetrate your turnstile as WordPress has no limit to the number of login attempts. So they won’t ever get locked out and can keep trying until they hit the jackpot.

And that’s why brute force attacks tend to be so efficacious with WordPress websites in particular.

The solution to this is pretty straightforward: limit the number of login attempts. The most popular way to do this is to install a plugin called Limit Login Attempts Reloaded. It blocks an IP address from making further attempts after a specified limit on retries has been reached, rendering a brute force attack ineffective.
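
The lockout rule described above, written out as a small simulation (an added example, not code from Limit Login Attempts Reloaded or from this post). The class name, thresholds and sample events are constructed for illustration; the `per_user` switch goes beyond the per-IP rule in the text to cover the case mentioned earlier where guesses arrive from different IP addresses.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Sliding-window lockout keyed by client IP and, optionally, by username."""
    def __init__(self, max_retries=4, window=1200, lockout=1200, per_user=False):
        self.max_retries, self.window, self.lockout = max_retries, window, lockout
        self.per_user = per_user
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout ends

    def _keys(self, ip, username):
        keys = [("ip", ip)]
        if self.per_user:
            keys.append(("user", username.lower()))
        return keys

    def is_blocked(self, ip, username, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        for key in self._keys(ip, username):
            q = self.failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:  # forget failures outside the window
                q.popleft()
            if len(q) >= self.max_retries:          # limit reached: start the lockout
                self.locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, ip):
        self.failures.pop(("ip", ip), None)         # a good login resets that client

def replay(events, limiter):
    """Feed (time, ip, username, password_ok) events; return how each was handled."""
    outcome = []
    for now, ip, user, ok in events:
        if limiter.is_blocked(ip, user, now):
            outcome.append("blocked")   # rejected before the password is even checked
        elif ok:
            limiter.record_success(ip)
            outcome.append("ok")
        else:
            limiter.record_failure(ip, user, now)
            outcome.append("failed")
    return outcome

# Constructed sample events: (seconds, client IP, username, password correct?)
ONE_IP = [(t * 5, "203.0.113.7", "editor1", False) for t in range(6)]
MANY_IPS = [(t * 5, f"198.51.100.{t + 1}", "editor1", False) for t in range(6)]
```

Per-username counting catches guesses spread across many addresses, at the cost that repeated bad logins can lock the real owner out until the lockout expires.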

7. Backup:

Admittedly, you must be tired of hearing this advice, and probably let out a huge dismissive yawn when you read the subtitle.

But get this: losing your website due to lazy backup habits can be your worst nightmare as a webmaster. Imagine years of blood, sweat, and tears to establish an online presence gone in the blink of an eye.

Fortunately, WordPress’s enormous repository of 54,632 plugins comes to the rescue yet again. Take some time to create a backup of your WordPress website with the help of great backup plugins like UpdraftPlus, BackWPup, and Duplicator.


Brute force attacks are on the rise and WordPress websites are a prime target. Putting these seven easy tactics on how to secure your WordPress website into practice won’t take much time and will surely boost your website’s security to a nearly impenetrable level.

Fancy you stumbling on my piece of the internet. Bonjour!

My name is Anmol and I'm the Blogger-In-Chief of this joint & working as the Chief Technology Officer at Azoora, Inc. I'm putting up my views here trying to help creative solopreneurs, developers & designers build their business using the power of websites, apps & social media, this, is, my jam.

If you're looking to start your own online business with a professional high quality website or mobile app, just get in touch. I'd be more than happy to assist.

