How to Protect WordPress From Brute Force Attacks
The most effective way to protect WordPress from brute force attacks is to combine three measures: limit failed login attempts per IP address, enable two-factor authentication on all admin accounts, and change your login URL from the default /wp-login.php to a custom path. These three changes together block the vast majority of brute force attacks — automated and manual — with minimal impact on legitimate users.
Brute force attacks are the most common type of attack against WordPress sites. Automated bots systematically try thousands of username and password combinations against your wp-login.php page, hoping to guess their way into an administrator account. A typical WordPress site receives hundreds to thousands of brute force login attempts per day — most site owners never notice because the attacks happen silently in the background unless a security plugin is logging them.
If an attacker gains admin access, they can inject malware, steal customer data, deface your site, use your server to send spam, or install backdoors for persistent access. This guide covers every available brute force prevention measure, from essential basics to advanced techniques. For the complete security picture, read our ultimate WordPress security guide.
Step 1: Limit Login Attempts
By default, WordPress allows unlimited login attempts. A bot can try 10,000 password combinations without being slowed or blocked. Limiting login attempts — locking out an IP address after a set number of failed tries — is the most fundamental brute force protection measure.
Most security plugins include login attempt limiting. Wordfence (free) limits login attempts by default — 20 failed attempts trigger a lockout. Limit Login Attempts Reloaded (free, standalone plugin) provides login limiting without a full security suite. Solid Security (formerly iThemes Security) includes configurable lockout policies.
Configure your chosen solution to lock out an IP after 3–5 failed login attempts, set the lockout duration to at least 30 minutes (increasing with repeated lockouts), and optionally notify the admin when lockouts occur (useful for monitoring attack volume, but can generate a lot of emails on heavily targeted sites).
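As an added illustration of the lockout policy described above (example code written for this article, not part of any plugin named here), the following must-use plugin locks an IP out after five failures and doubles the lockout on each repeat. It assumes clients connect directly to the server; behind a proxy or CDN, REMOTE_ADDR holds the proxy's address and the client IP must be taken from the proxy's trusted header instead.

```php
<?php
/**
 * Plugin Name: Login Lockout Example
 * Locks an IP out for 30 minutes after 5 failed logins within 15 minutes,
 * doubling the lockout on each repeat within 24 hours.
 * Save as wp-content/mu-plugins/login-lockout.php (assumed path).
 */
const LLE_MAX_FAILURES = 5;
const LLE_FAIL_WINDOW  = 15 * MINUTE_IN_SECONDS;
const LLE_BASE_LOCKOUT = 30 * MINUTE_IN_SECONDS;

function lle_key( $prefix ) {
    // Assumes a direct connection: REMOTE_ADDR is the only address the server vouches for.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . '_' . md5( $ip ); // hashed so the transient name is short and safe
}

// wp_login_failed fires from wp_authenticate(), so both wp-login.php and
// XML-RPC logins (each call inside a system.multicall included) are counted.
add_action( 'wp_login_failed', function ( $username ) {
    $failures = (int) get_transient( lle_key( 'lle_fail' ) ) + 1;
    set_transient( lle_key( 'lle_fail' ), $failures, LLE_FAIL_WINDOW );
    if ( $failures < LLE_MAX_FAILURES ) {
        return;
    }
    // Escalate: the Nth lockout within 24 hours lasts 30 min * 2^(N-1).
    // Attempts made while locked out still count, so hammering only extends the lockout.
    $lockouts = (int) get_transient( lle_key( 'lle_count' ) ) + 1;
    $duration = LLE_BASE_LOCKOUT * ( 2 ** ( $lockouts - 1 ) );
    set_transient( lle_key( 'lle_count' ), $lockouts, DAY_IN_SECONDS );
    set_transient( lle_key( 'lle_lock' ), time() + $duration, $duration );
    delete_transient( lle_key( 'lle_fail' ) );
    error_log( sprintf( 'login lockout: %s for %ds after %d failures (user "%s")',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
        $duration, $failures, $username ) );
} );

// Priority 30 runs after WordPress's own password checks (priority 20), so a
// correct password cannot override an active lockout.
add_filter( 'authenticate', function ( $user ) {
    $until = (int) get_transient( lle_key( 'lle_lock' ) );
    if ( $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error( 'locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}, 30 );
```

Transients live in the options table (or the object cache if one is configured), so a shared cache such as Redis is needed for the counts to be shared across multiple web servers.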
Step 2: Change Your Login URL
WordPress’s default login page is at /wp-login.php — and every automated brute force tool on the internet knows this. By changing your login URL to a custom path (e.g., /my-secret-login), you eliminate the vast majority of automated attacks because bots target the default URL exclusively.
The WPS Hide Login plugin (free, lightweight) handles this with a single setting change. Install it, go to Settings → WPS Hide Login, enter your new login URL, and save. The old /wp-login.php URL will return a 404 error, and your login page will only be accessible at the new URL.
Important: Bookmark your new login URL immediately after changing it. If you forget the custom URL, you can recover access by deactivating the plugin via FTP (rename its folder in /wp-content/plugins/) — this reverts the login URL to the default /wp-login.php.
Changing the login URL is security through obscurity — it does not make your login page more secure, but it dramatically reduces the volume of attacks reaching it. Combined with login attempt limiting and 2FA, it is a highly effective layer. For the full guide, see our article on changing your WordPress login URL.
Step 3: Enable Two-Factor Authentication
Two-factor authentication is the strongest brute force defence. Even if an attacker guesses or obtains a valid password, they cannot log in without the second factor — a time-based code from an authenticator app on the account holder’s phone.
With 2FA enabled, a brute force attack becomes practically impossible. The attacker would need to guess both the password and the current 6-digit TOTP code (which changes every 30 seconds) simultaneously. The mathematical probability is negligibly small.
Enable 2FA on every administrator and editor account. Read our step-by-step 2FA setup guide for complete instructions, including plugin recommendations, authenticator app setup, backup codes, and enforcement for all admin users.
Step 4: Use Strong, Unique Passwords
Brute force attacks work because many WordPress administrators use weak passwords — short, predictable, based on dictionary words, or reused from other services. A strong password makes brute force attacks computationally infeasible even without the other protections listed here.
Every admin account should use a password that is at least 16 characters long, randomly generated (not based on names, dates, or dictionary words), unique to this WordPress site (never reused from another service), and stored in a password manager rather than memorised.
Password managers like 1Password, Bitwarden, or LastPass generate and store strong unique passwords for every account. If you are not using a password manager, start now — it is the single most effective personal security habit you can develop.
Also eliminate the default “admin” username if it exists on your site. Create a new administrator account with a unique username, transfer content ownership, and delete the old “admin” account. Bots always try “admin” as the first username.
Step 5: Add CAPTCHA to Your Login Page
CAPTCHA challenges block automated bots while allowing legitimate human users through. Google reCAPTCHA v3 is the most user-friendly option — it runs invisibly in the background, scoring each login attempt based on behavioural analysis. Only requests that score below the threshold are challenged, so legitimate users rarely see a CAPTCHA challenge at all.
Many security plugins include CAPTCHA integration. Wordfence supports reCAPTCHA. WP 2FA can add CAPTCHA to the login page. Login No Captcha reCAPTCHA is a lightweight standalone plugin that adds Google reCAPTCHA to wp-login.php specifically.
CAPTCHA is particularly effective against distributed brute force attacks — where the attacker uses thousands of different IP addresses, making per-IP login limiting less effective. CAPTCHA blocks bots regardless of their IP address.
Step 6: Install a Web Application Firewall
A web application firewall (WAF) blocks malicious traffic — including brute force attempts — before it reaches your WordPress installation. This is more comprehensive than per-IP login limiting because a WAF can identify brute force patterns across multiple IP addresses, known malicious IP ranges, and behavioural signatures.
Cloudflare’s free tier includes basic bot protection and rate limiting. Wordfence includes an application-level firewall with brute force protection. Sucuri’s cloud-based WAF intercepts brute force traffic at the DNS level — before it even reaches your server, reducing server load. See our firewall plugin comparison and security plugin comparison for detailed recommendations.
Step 7: Disable XML-RPC (If Not Needed)
XML-RPC (xmlrpc.php) is a WordPress API that enables remote publishing, pingbacks, and communication with external applications. It is also a favourite target for brute force attacks — because XML-RPC allows attackers to try multiple username/password combinations in a single request (the system.multicall method), bypassing per-request login limiting.
If you do not use the WordPress mobile app, Jetpack, or other tools that rely on XML-RPC, disable it entirely. You can disable XML-RPC by adding a filter in your theme’s functions.php (add_filter('xmlrpc_enabled', '__return_false');), by blocking access to xmlrpc.php in your .htaccess file, or through your security plugin’s settings (Wordfence and most security plugins include an XML-RPC disable option). Read our guide on disabling XML-RPC.
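The filter quoted above switches XML-RPC off completely; when a tool such as Jetpack still needs it, the per-request bypass can be closed on its own. The following must-use plugin is an added example for this article (not code from WordPress or any plugin mentioned here) and shows both options, with the caveat that the xmlrpc_enabled filter only rejects authenticated calls.

```php
<?php
/**
 * Plugin Name: XML-RPC Hardening Example
 * Either disables XML-RPC outright, or keeps it working for tools that need it
 * while removing the methods brute-force tooling relies on.
 * Save as wp-content/mu-plugins/xmlrpc-hardening.php (assumed path).
 */

// Option A: disable XML-RPC entirely (the filter the article mentions).
// Note: WordPress applies xmlrpc_enabled only in its login() routine, so
// unauthenticated methods such as pingback.ping still answer; option B
// below is applied regardless to cover them.
const XRH_DISABLE_ALL = false;
if ( XRH_DISABLE_ALL ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Option B: keep XML-RPC but drop system.multicall, so one request can carry
// only one login attempt and per-request limiting applies again, and drop
// the pingback methods that are abused for reflection.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After activating it, a system.listMethods call against xmlrpc.php should no longer list system.multicall or pingback.ping.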
Step 8: Monitor and Respond
Prevention is the priority, but monitoring is essential for detecting attacks that bypass your defences and for understanding the attack landscape your site faces.
Review security plugin logs regularly. Check blocked login attempts, lockout events, and firewall blocks at least weekly. If you see a sudden spike in attack volume, investigate — it might indicate your site has been discovered by a new botnet or added to an attack target list.
Set up login notification alerts. Configure your security plugin to notify you when a successful login occurs from a new IP address or device. This way, if an attacker does gain access despite your defences, you know immediately rather than discovering the breach days or weeks later.
Check for compromised credentials. Services like HaveIBeenPwned.com let you check whether your email address (and any passwords associated with it) has appeared in known data breaches. If your WordPress admin email has been compromised, change your password immediately — because attackers use credential stuffing (trying leaked passwords from other services against your WordPress login).
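The new-IP login alert described in Step 8 is something a security plugin normally provides; as an added example for this article (not code from any plugin named here), the following must-use plugin implements the same alert for administrator and editor accounts. It assumes REMOTE_ADDR is the client address and that wp_mail() is configured to deliver to the site's admin email.

```php
<?php
/**
 * Plugin Name: New-IP Login Alert Example
 * Emails the site admin when an administrator or editor signs in from an IP
 * address that account has not used before.
 * Save as wp-content/mu-plugins/login-alert.php (assumed path).
 */
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( ! array_intersect( array( 'administrator', 'editor' ), (array) $user->roles ) ) {
        return; // only privileged accounts are worth an alert
    }
    // Assumes a direct connection; behind a proxy, read its trusted header instead.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $known = get_user_meta( $user->ID, 'lia_known_ips', true );
    $known = is_array( $known ) ? $known : array();

    if ( in_array( $ip, $known, true ) ) {
        return; // seen before for this account: no alert
    }
    // Remember the last 20 addresses per account so the list cannot grow without bound.
    $known[] = $ip;
    update_user_meta( $user->ID, 'lia_known_ips', array_slice( $known, -20 ) );

    $subject = sprintf( '[%s] New login location for %s', get_bloginfo( 'name' ), $user_login );
    $body    = sprintf(
        "User: %s\nRole(s): %s\nIP: %s\nUser agent: %s\nTime (UTC): %s\n\n" .
        "If this was not you, reset the password and review the account's active sessions.",
        $user_login,
        implode( ', ', (array) $user->roles ),
        $ip,
        isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : 'unknown',
        gmdate( 'Y-m-d H:i:s' )
    );
    wp_mail( get_option( 'admin_email' ), $subject, $body );
}, 10, 2 );
```

The first login from each address after activation produces one alert, after which that address is silent for that account; users on dynamic or mobile IP ranges will therefore generate more alerts than office users.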
Frequently Asked Questions
I see thousands of failed login attempts in my logs. Should I be worried?
Not if your defences are in place. Thousands of daily brute force attempts are normal for any WordPress site on the public internet. As long as login attempts are being limited, 2FA is enabled, and passwords are strong, these attacks will fail. The attacks are automated bots — they are not specifically targeting you, they are scanning millions of WordPress sites simultaneously. Focus on ensuring your defences work, not on reducing the attack volume (which you cannot control).
Can brute force attacks slow down my site?
Yes, in extreme cases. Each brute force login attempt requires WordPress to execute PHP, query the database, and process the authentication check — consuming server resources. On shared hosting with limited resources, a sustained high-volume brute force attack can measurably slow your site. This is one reason DNS-level firewalls (Cloudflare, Sucuri WAF) are valuable — they block brute force traffic before it reaches your server, so your server resources are not consumed by attack processing.
Is changing the login URL enough by itself?
No. Changing the login URL blocks automated bots that target the default /wp-login.php, but it does not protect against targeted attacks where an attacker has discovered your custom URL. It should always be combined with login attempt limiting and 2FA. Think of it as one layer in a multi-layer defence — effective as part of a stack, insufficient on its own.
What about using .htpasswd for additional protection?
Adding HTTP Basic Authentication (.htpasswd) to your wp-login.php adds another credential layer that must be passed before WordPress’s login form is even served. This is effective but can interfere with some WordPress functionality (particularly AJAX login forms and REST API authentication). If you implement it, ensure you test thoroughly and whitelist any endpoints that need unauthenticated access.
Need Expert Help? Let WP Ministry Handle It
Our security service — included in every care plan — implements comprehensive brute force protection as part of your security stack. Login limiting, 2FA setup, firewall configuration, login URL hardening, XML-RPC management, and 24/7 monitoring — all configured by our security team and managed ongoing.
View our care plans → or call (901) 249-0909.