How to protect your WordPress website from brute force attacks

Lock Icon: WordPress
3d illustration of a large brass padlock on a reflective surface with a silver WordPress logo standing in front of it

WordPress is one of the most popular Content Management Systems (CMS). WordPress has great features & functionality and it’s easy to use. The ability to integrate a multitude of free and paid plugins and themes is a great plus, but it also brings the possibility of vulnerabilities. If you use WordPress, you should always have a very good protection for your websites.

Hackers & spammers like to test any vulnerability they can find in WordPress or in any WordPress plugins or themes. Be always informed about the current issues and act immediately.

We assume that you already use a strong password for your admin user and you don’t use “admin” as the administrator username (as this is one of the first a hacker will try)

Here are some steps you can follow to stay on top of WordPress possible issues or brute force attacks.

1. Keep your website updated!

a) Keep WordPress core updated.

WordPress introduced automatic background updates for it’s core code since version 3.7. By default, all minor WordPress updates are automatically loaded to your website. You can decide to manually run the major updates. Once WordPress finds out about security issues, they are fast to implement the protection and make it available to all customers.

b) Keep WordPress plugins & themes updated

If you manage multiple WordPress websites, use a multi-site management plugin to monitor your website(s) plugins and themes and keep all of them updated. Some examples are: Jetpack or Infinite WP.

c) Stay informed

Subscribe to WordPress security related newsletters like Sucuri Website Security News.  This newsletter will let you know when new vulnerabilities are found and it will suggest ways to get your website(s) protected.

2. Protect your Wordpress management area

a) Protect your website from automated programs

Just a few lines added to your .htaccess file will go a long way in protection your website. As many of these attacks are performed using automated programs, there is a way to tell if one of these is accessing your website. Especially they will attack your login page, your comments page, your admin area or your remotely posting area (xmlrmp). Change with your own domain name. If you’re using a subdomain, change with .

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login|xmlrpc)\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

b) Allow access to login area only to editor(s). 

If you are the only one editing your website or if you have a small number of editors, you can limit the access to WordPress login page by adding these lines in .htaccess . Replace below with your own IP address.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
RewriteRule ^(.*)$ – [R=403,L]

3. Use WordPress protection plugins

There are some plugins you can use to stop or slow down a brute force attack. Here are some examples:

Login Security Solution – Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.

Limit Login Attempts – Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

Jetpack Security Features – Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site.

iThemes Security (formerly Better WP Security) (formerly Better WP Security) – The easiest, most effective way to secure WordPress in seconds.


There are also more complex protection methods involving the use of a Firewall (Example: CSF) and Mod Security, but these are outside the scope of this article.

Good luck and keep your WordPress website protected at all times!

Image Source: