Brute Force Attacks on WordPress – Tips & Plugins

I thought the widely covered brute force attacks on WordPress sites were worth discussing in case any users aren’t aware of this hot topic.

What are Brute Force Attacks?

Unlike attacks that exploit a flaw in the software, brute force attacks take the simpler approach of repeatedly guessing your username and password. Unfortunately, this works because not all site owners use strong credentials, especially those who still use the dreaded default ‘admin’ username. Since brute force attacks don’t stop after a single failed attempt, the flood of login requests can take a devastating toll on your server’s memory and cause performance issues.

How can you prevent brute force attacks?

To prevent these attacks on your WordPress site, follow these precautionary steps:

  1. Do NOT use the ‘admin’ username. Create a new user with Administrator rights, log out, log back into WordPress as the new Administrator, and delete the user ‘admin’.
  2. Set a strong password with numbers, special characters, and upper- and lower-case letters. Unfortunately, we occasionally see site owners with passwords that either match their domain or are simple number strings such as 123456.
  3. Protect your site using plugins. These are 3 plugins that I highly recommend; use the one (or two) that meet your needs:
  • Limit Login Attempts – does what the name says.
  • Google Authenticator – adds two-factor authentication to the login of your WordPress site. For some, this may seem like overkill, but you can never be too safe.
  • WordFence – a robust security plugin with built-in firewall, virus scanning, and a premium version to block specific countries.

Better Safe Than Sorry

Now that you’re informed, spend a few minutes to protect that awesome site. While you’re at it, take out the trash, spam, and erroneous users. Any questions or comments related to these brute force attacks, just ping us in the comments below.

17 Responses to "Brute Force Attacks on WordPress – Tips & Plugins"

  1. Glenn   April 19, 2013 at 12:52 PM

    Hi Charlie, I’ve seen a lot written about the recent brute force attempts by a botnet. However, everything I’ve read discusses how to protect yourself from the attack. Can you advise on what the attack actually is? If they get in, what do they do? How do I know if they got in or not, and what action should I take if they did get in?
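One way to answer the "how do I know if they got in" question from the web server's access log, as an added example that is not part of the post or of this comment: the script below parses combined-format log lines, counts each client's POSTs to wp-login.php, and flags a client whose run of failed logins (WordPress re-renders the form with HTTP 200) ends in a 302 redirect, which is what a successful login returns. The log format, the threshold and the sample lines are this example's own assumptions.

```python
"""Added example (not part of the post or of this comment): triage of a web
server access log for a brute force run against wp-login.php.

Assumptions: Apache/nginx "combined" log format, and WordPress's usual
responses to a login POST, where a wrong password re-renders the form with
HTTP 200 and a correct one answers with a 302 redirect into wp-admin. So a
client that produces a long run of 200s and then a 302 is the one whose
session, users and recently modified files deserve a look.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed log lines: one ordinary user (198.51.100.7) and one client
# (203.0.113.9) that guesses eleven times and then gets a redirect.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Apr/2013:12:40:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Apr/2013:12:40:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.9 - - [19/Apr/2013:12:52:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Python-urllib/2.7"'
    for s in range(11)
] + [
    '203.0.113.9 - - [19/Apr/2013:12:52:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Python-urllib/2.7"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_posts_by_ip(lines):
    """Map each client IP to the ordered status codes of its wp-login.php POSTs."""
    statuses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]      # ignore ?redirect_to=... etc.
        if path.endswith("/wp-login.php"):
            statuses[rec["ip"]].append(int(rec["status"]))
    return statuses


def triage(lines, threshold=10):
    """Report clients with at least `threshold` login POSTs.

    For each: total attempts, how many re-rendered the form (200) and
    whether a 302 followed a failure, i.e. a guess appears to have worked.
    """
    report = {}
    for ip, codes in login_posts_by_ip(lines).items():
        if len(codes) < threshold:
            continue
        failures = sum(1 for c in codes if c == 200)
        success_after_failure = any(
            c == 302 and 200 in codes[:i] for i, c in enumerate(codes)
        )
        report[ip] = {
            "attempts": len(codes),
            "failures": failures,
            "suspected_success": success_after_failure,
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged client with `suspected_success` set is the cue to check the Users screen for accounts you did not create and to compare theme and plugin files against clean copies; a flagged client without it tells you the guessing happened but, as far as the log shows, did not succeed.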

  2. Bartek   April 22, 2013 at 12:20 PM

    Yeah, here in Poland my site (arts and culture theme based) was attacked; my hosting catalogues were blocked (18.04).
    I am not able to write new articles.
    My login was not “admin”.
    And the password had more than 10 characters (numbers and letters).
    But yeah, no security plugins installed.
    Should I install a new WordPress and updated theme now?

    • Mehmet Ozek   April 23, 2013 at 12:54 AM

      What were the results of the attacks, Bartek? Have they been able to access your files and edit any of them, or blocked hosting by sending a lot of requests?

  3. Bartek   April 23, 2013 at 7:27 AM

    The hosting company blocked 2 catalogues:


    They also said that the script was sending an enormous amount of spam from my address:

    Now it is impossible to write any articles; sometimes on the slider you can only see PHP code instead of pictures, and there are problems after logging onto the site. The site is a bit unstable.

  4. Roy   April 27, 2013 at 5:57 AM

    1) About the problem of accessing wp-includes, maybe create a file called .htaccess in the folder with:
    #v The below v

    Order deny,allow
    Deny from all

    Allow from all

    #^ The above ^

    So that only this type of file is accessed by the users.

    2) To protect against password recovery via e-mail (the e-mail can sometimes be illegally accessed) I would suggest you edit the file wp-login.php …

    $allow = apply_filters('allow_password_reset', true, $user_data->ID);

    Change it to:
    $allow = apply_filters('allow_password_reset', false, $user_data->ID);

    And find:
    if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )

    And change it to:
    if ( !in_array( $action, array( 'postpass', 'logout', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )

    ( If some day you really need to recover a password, you can reverse the code… or follow the advice here: ).

    3a) Preventing brute force is relatively easy, free, and very very secure!
    Just go to: download it, activate it, and follow the simple instructions… make sure you read it twice!!… I first had problems because I didn’t read the instructions correctly (skipped some steps) and I was thinking the plug-in wasn’t working, when it was!
    Advantages of this plug-in:
    – Always reports a password error, whether you input the correct password or not… as long as you are not entering the correct second-factor authentication password;
    – Every single one of the several Card passwords present can only be used once (but until someone uses the correct one, it will stay valid… so your card can’t just go out of use because people are just trying all day long);
    – Can be between 2 and 16 characters long… easy or extremely difficult… you choose!
    – No sending to e-mail, SMS/phone call… so no easy man-in-the-middle attack;
    – If you think the password card has been compromised (or is just ending), just go to the account, create a new secret, save the changes, copy the new Sequence Key to the GRC web site (make sure the Passcode length is correct) and you are set with new passwords.
    – If you lose the password card, you just need to know the Sequence Key and the Passcode length and you can create the password card again… so make sure you have both, for example, in a secure safe.

    3b) To prevent brute force on the login page you can also create a .htaccess in the main folder of the WordPress blog/web site with the following:

    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx

    Where xx.xx.xx.xx is your IP like
    If you have dynamic IPs, search on-line for your operator’s main IPs and you can, for example, use a more “wild” specification like:
    Allow from 100.021
    Allow from 100.022
    Allow from 100.023.022

    In this case it includes, for example,, which can access… not as secure as just the full IP, but at least other people/machines from other networks won’t be able to access it!

    You can also protect access to wp-admin with this same technique… just create a new .htaccess with:

    deny from all

    order deny,allow
    Allow from 100.021
    Allow from 100.022
    Allow from 100.023.022
    deny from all

    And put this file in the wp-admin folder.

  5. Roy   April 27, 2013 at 6:02 AM

    Unfortunately my previous comment was filtered and many of the essential tips (what needs to be done) have been wiped, so I post this on-line here:

  6. Lorenzo   May 6, 2013 at 2:54 AM

    I also use Limit Login Attempts on my WP installation.

    For creating strong passwords, consider a password manager like 1Password or LastPass.

  7. Brice Lucas   June 25, 2013 at 1:57 AM

    Great article. I learned about the recent botnet being built out of wordpress sites using brute force attacks over on Ars Technica. Your posting is useful, but I wanted to add that not only is “admin” being targeted… so is “administrator”, “ADMIN”, etc, etc.

    Regardless, properly configuring your server and using great plugins like Limit Login Attempts will cover you.

    Thanks for the post!

  8. Fred   July 1, 2013 at 3:02 PM

    Our site was hacked by a brute force method and they inserted Black Hat SEO spam links into the code. Any idea on how to remove it? I looked in the header, page, and even most of the php files but couldn’t find it.

    It inserts it after the header and before the body, so any suggestions on how to remove it are appreciated. It’s not showing up in the posts, but can be seen in the source code and is also picked up by Google search bots. Thanks

  9. Jeff   July 8, 2013 at 11:21 PM

    Why use the Limit Logins plugin AND the Wordfence plugin? Wordfence has limit login attempts features.

    Without deactivating the wordfence options that compete with the limit login options, these suggestions are bogus.

    • Mehmet Ozek   July 9, 2013 at 6:53 AM

      WordPress would allow you to enter as many usernames and passwords as you like with no delay between attempts. That is dangerous. Limit Login itself does the trick here and doesn’t allow continuous login attempts, which also avoids brute force attacks.

  10. Dr. Shefali Dandekar   August 13, 2013 at 8:55 PM

    My website does not contain any malware, but Google Chrome / Firefox always shows a warning 🙁

  11. Pingback: Stop Brute Force Attacks on WordPress - TruWeb Host

  12. استخدام   October 1, 2014 at 1:57 AM

    Add this one
    4. Change the login URL. You can use the iThemes Security plugin to avoid brute force attacks 🙂

    • سئو در عمل   December 2, 2015 at 1:12 PM

      Thanks for great advice
      I’m using iThemes Security for 2 years! Nice plugin.

  13. fahadrafiqgt   February 23, 2015 at 11:27 AM

    Password crackers are using automated scripts to target websites to hack the passwords and Brute Force Attacks have become a common thing, but many don’t know the concept behind it and how these attacks are so successful at cracking the passwords of the websites.

    The easiest method to block such attacks is by blacklisting the IPs that carry out such abuses; many hosting providers have added brute force attack protection to their security features.

    For more information about these attacks read:

    • Yanko Georgiev   February 28, 2015 at 6:24 AM

      Hi fahadrafiqgt, thank you for the helpful info
