How to Protect WordPress Against Brute Force Attack?

A brute-force attack is a forcible attack on password protection: it keeps trying every combination of a password and does not stop until it works out your website login information. It relies on persistence and has become a big threat to websites. If you are not sure how to handle this situation, follow this guide to protect your website from being hacked this way.

Make Your Password as Strong as Possible

A brute-force attacker spends time guessing login information, and how long that takes depends on the complexity of your username and password. A long password with an intricate combination of letters, symbols, numbers or other characters would take attackers a few years to crack. Enforcing a strong password is therefore a great method in this case.

The password should be complicated and long enough that no one can guess it within a short time. However, it is not a smart move to keep the same password for a long time. Change the password frequently and leave no room for the brute-force attack.

Also consider adding a CAPTCHA to the login form, so that the given CAPTCHA has to be typed manually on each login attempt. That protects your website from attacks by bots effectively. And if you regard unlimited login tries as an invitation to brute-force attacks, limit login attempts for your site.

Prevent Attacking with a WordPress Plugin

No matter how hard your password is to break, brute-force attackers stand a chance of figuring it out. You might as well use a WordPress plugin for a second layer of protection against brute-force attacks. The one selected in this guide is Brute Force Login Protection, which protects your website from this threat by means of .htaccess.

Search for and install this plugin via WP-admin. Upon activation, a new item “Brute Force Login Protection” appears under Settings.

Go to Settings > Brute Force Login Protection to reach the plugin settings page. The Status section shows whether your website is under protection. Green check marks before all criteria indicate that brute-force login protection is active.

This plugin lets you limit login attempts by writing settings to the .htaccess file. First of all, make sure that the .htaccess location shown at the bottom of this section is correct. Decide how many login attempts are allowed at one time and how long it takes before the login attempt count is reset. The reset time is set in minutes.

Then set a delay for each failed login attempt to slow down a brute-force attack. Type a message as an explanation for blocked users or keep the default one. If you want to receive the latest information about blocked IPs, enable the mailing function.

You can type an IP address into the Blocked IPs box to block it manually. Block as many IPs as you want, especially those launching a brute-force attack. The listed IPs can no longer log into your website.

The Whitelisted IPs box is where you give trusted IPs priority and allow them to log into your website unconditionally. Do not use this function unless you are sure about the selected IPs. Finally, remember to whitelist your current IP.

Other plugins can be considered for the same purpose, such as Security-protection, BruteProtection, Anti-Malware & Brute-Force Security by ELI, Botnet Attack Blocker, and so on. If the plugin described above does not work for you, select a suitable one from these recommendations.

Lock out Accounts

Adding an account lockout prevents automated scripts from testing further passwords for a given account. With this feature, users who fail to log in a certain number of times are completely locked out and can only log in again when an administrator unlocks them.

This approach is efficient sometimes, especially when the attacks are severe, but it is not among the most appropriate methods because it may fail in many cases.

Use Vague Error Messages

Sometimes error messages help attackers find valid usernames and passwords. Suppose an error message says “invalid username” or “wrong password”: the attacker can quickly rule out many possible login combinations instead of trying endlessly. You should therefore use one consistent error message that only tells the user that something is wrong with the login information, with no further detail.

Inject Pauses in Password Checking

Enforcing pauses between attempts to try different passwords for the same username can slow down brute force attacks effectively. You can set the interval to 30 seconds or even longer. This does not bother the real users of your website, but it does prevent attackers from breaking into your site in a short time.
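The two measures above (one consistent error message and a 30-second pause per username) can be combined in a small plugin file. This is an added example, not code from the original article or from the Brute Force Login Protection plugin; it uses the WordPress hooks `wp_login_failed`, `authenticate` and `login_errors`, while the `example_` names, the plugin name and the message wording are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Login Pause Example (hypothetical name, added illustration)
 */

const EXAMPLE_PAUSE_SECONDS = 30; // interval suggested in the text above
const EXAMPLE_GENERIC_ERROR = 'The login information is incorrect.'; // constructed wording

// Hypothetical helper: transient key for one username, hashed so that
// arbitrary attacker-supplied input cannot produce an overlong or odd key.
function example_pause_key( $username ) {
	return 'example_pause_' . md5( strtolower( trim( (string) $username ) ) );
}

// After a failed login, open a pause window for that username. It is set
// whether or not the account exists, so the pause itself reveals nothing.
// An open window is not extended, which bounds how long repeated failures
// can keep the real account owner waiting.
add_action( 'wp_login_failed', function ( $username ) {
	$key = example_pause_key( $username );
	if ( false === get_transient( $key ) ) {
		set_transient( $key, time(), EXAMPLE_PAUSE_SECONDS );
	}
} );

// Priority 30 runs after WordPress's own username/password check
// (priority 20). While the window is open, the attempt is rejected even
// if the password was correct, so guesses made during the pause are wasted.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( '' !== (string) $username
		&& false !== get_transient( example_pause_key( $username ) ) ) {
		return new WP_Error( 'example_login_paused', EXAMPLE_GENERIC_ERROR );
	}
	return $user;
}, 30, 3 );

// Replace "invalid username" / "wrong password" style messages with one
// consistent message on the login screen.
add_filter( 'login_errors', function ( $error ) {
	return EXAMPLE_GENERIC_ERROR;
} );
```

A user who mistypes a password has to wait out the same window before the next attempt is accepted, so the interval is a trade-off between slowing guesses and inconveniencing real users.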

Use a CAPTCHA for Authentication

A CAPTCHA is a program widely used to distinguish computers from human beings in order to stop automated requests. When you add a CAPTCHA to your login page, real people can easily pass the test but computers will fail in most cases.

For better prevention and mitigation of brute force attacks, you can even create a completely new page with a CAPTCHA and a “leave a message” box, and require all users to complete the page before accessing the admin area.

When adding a CAPTCHA, choose one that requires people to type words instead of choosing between 2 or 3 buttons. Because an attacker has to guess the right username and password and also get the CAPTCHA right, even a simple CAPTCHA can protect your website effectively.

Prompt Secret Questions for Failed Logins

To improve the security of users’ accounts, you can also require all users to choose some questions and set answers that nobody else knows. When one or two login attempts fail for a certain user, ask not only for the username and password but also for the answer to a secret question before accepting the login.

If you have detected a high volume of attacks, you can require all users to answer a secret question when they log in, regardless of whether there has been any login failure for their accounts. Doing so keeps automated attacks from accessing your website.

Lock Down or Limit IP Addresses

If you have root access to the server that your website is on, you can block the IP addresses of well-known spammers and of regions where many brute force attacks originate. There are many reliable lists of IP addresses available to download on the Internet.

For a higher level of security, you can even allow only certain IP addresses to access the login or admin area of your website, in the case that the site is managed by a certain group of people.
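One way to restrict the login page to a fixed set of addresses from inside WordPress, as an added example that is not part of the original article: it uses the `login_init` hook and `wp_die()`, while the `example_` names and the allowlist entries (documentation address ranges) are constructed for illustration.

```php
<?php
/**
 * Plugin Name: Login IP Allowlist Example (hypothetical name, added illustration)
 */

// Constructed allowlist using documentation ranges; replace with the
// addresses of the people who manage the site.
const EXAMPLE_LOGIN_ALLOWLIST = array( '203.0.113.10/32', '198.51.100.0/24' );

// True when IPv4 address $ip lies inside $cidr ("a.b.c.d/len").
function example_ipv4_in_cidr( $ip, $cidr ) {
	list( $net, $len ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
	$ip_long  = ip2long( $ip );
	$net_long = ip2long( $net );
	$len      = (int) $len;
	if ( false === $ip_long || false === $net_long || $len < 0 || $len > 32 ) {
		return false; // malformed or non-IPv4 input: fail closed
	}
	// Build the network mask, e.g. /24 gives 0xFFFFFF00.
	$mask = ( 0 === $len ) ? 0 : ( ( ~0 << ( 32 - $len ) ) & 0xFFFFFFFF );
	return ( $ip_long & $mask ) === ( $net_long & $mask );
}

// login_init fires on every request to wp-login.php, before the form is
// shown or any credentials are processed.
add_action( 'login_init', function () {
	// REMOTE_ADDR is the address of the direct peer. Behind a reverse proxy
	// or CDN it is the proxy's address, so the check belongs at the proxy.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	foreach ( EXAMPLE_LOGIN_ALLOWLIST as $cidr ) {
		if ( example_ipv4_in_cidr( $ip, $cidr ) ) {
			return; // allowed address: continue to the login form
		}
	}
	wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
} );
```

This only covers wp-login.php; other login-capable endpoints such as xmlrpc.php need their own restriction, and with root access the same rule can be enforced in the web server or firewall before the request reaches PHP.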

You do not need to use every method discussed above on one website, but you should combine several of them to safeguard the login. Besides, a strong username and password is a must that you should always require on your website.


Lucy has been a very experienced SEOer, technical writer, web developer, c# developer since 2002. Now she owns a startup in San Francisco, CA, focusing on running a couple of blogs to share knowledge and experience with global readers and deliver exceptional results to global sponsors by leveraging the power of Internet.