How to Protect WordPress site from Brute Force Attacks

Brute Force Attacks, widely known as Brute force is a method, where a program is used to guess your username and password. These attacks are quite simple as they will be performed by bots, which is why they are able to type a lot of combinations of your password and username.

In order to get a successful Brute Force Attack, all it requires is your USERNAME and PASSWORD and the URL of your login page and there would be no limit for the username/password combinations it uses to hack your account.

How to secure your site from Brute Force Attacks

Now, we know what Brute Force Attacks are and should protect our site to be secure so that it will not end up in the wrong hands. Managing many accounts with different user ids and respective passwords has become a mess these days.

In order to avoid Brute Force Attack’s prediction, DO NOT use small names or email related names. Keep your username unique and NEVER use the same username for another site.

If you find it difficult to memorize usernames and passwords the download and install Lastpass password manager free.

Choosing the right Password

People use weak passwords which are easy to predict and hence become vulnerable to hackers. Always choose a 10-15 digit password, which makes the password strong.

There are a lot of tools that can generate passwords for you. I use Norton Identity Safe Password Generator which is free and generates multiple passwords.

How to Protect WordPress site from Brute Force Attacks

Disable XML-RPC

XML-RPC is enabled by default in WordPress. You should disable it to protect your site from DDoS and Brute Force Attacks. XML-RPC is a script that supports WP function to remotely publish posts via email and mobile apps.

Hence, if you do not use email or mobile apps to publish posts, you need to disable it by using Disable XML-RPC plugin. You can also disable it by using .htaccess.

<Files xmlrpc.php>
Order Deny,Allow 
Deny from all

Add this code to .htaccess to disable XML-RPC. If you are using mobile apps or email to publish posts then you need to add this code to .htaccess. Let us assume your IP is 123.456.789.111.

<Files xmlrpc.php> 
Order Deny,Allow 
Deny from all
Allow from 123.456.789.111

                         xmlrpc code

Password protect wp-admin

Generate “.htpasswd” file from Htpasswd Generator and enter your username and password. (Remember the username and password which are given here).

Let us assume that username is x and password is y. Click create .htpasswd file. You will get a password. Copy that password and save it for future reference.

Now Goto Cpanel – file manager – home/your username/. Create .wpadmin file by selecting a new file. Give it a name “.wpadmin”. Go to edit and paste the encrypted text you obtained from .htpasswd and save changes.

Now we have to update the .htaccess file which is in the same directory. Select .htaccess file and edit. Add the following to .htaccess

# wp-admin protection
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user

                         .htaccess code

The username in the above code must be changed to your username of Cpanel. Otherwise, it will not work. Suppose that your username is Hi in Cpanel then you have to change it to “AuthUserFile /home/Hi/.wpadmin”.

Now if you enter login you will see “authentication required” login box. Enter your username and password which are “x” and “y“.

Now the page will show your wordPress login. This is one of the best ways to protect your site from Brute Force Attacks.


Due to Bot attacks, CloudFlare offers DNS filtering for Brute force attacks on their free accounts, all you need to do is to change your name servers in your domain to CDN name servers.

CloudFlare helps speed up the site by caching static content and distributing that content to CloudFlare’s data centers.

CloudFlare usually prevents malicious IPs to visit your site and blocks them automatically. So after registering with CloudFlare, change your domain name servers to CloudFlare and check for firewall options on CloudFlare dashboard and select security level to low or medium.


Google ReCaptcha

CAPTCHA images are used for human verification and Google ReCaptcha helps you verify whether the visitor is human or not. All you need to do is install the plugin and register. You will get site key and secret key to enter the key details.

Enable CAPTCHA in , Registration, and Comments form. This will not only protect you from Brute Force attacks but also eliminates spam comments.

Disable Trackbacks and Pingbacks

Trackbacks and Pingbacks are methods to alert and notify about your website through links coming from another blog or website. The difference between these two is Trackbacks are created manually while Pingbacks are automated.

Trackback and Pingback spam is common these days and may become a serious problem to your site if you allow them. About 99% of Trackbacks and Pingbacks are spam these days and are used to target a website with DDoS attacks. You can disable them in Discussion settings or you can use Antispam Bee.

pingbacks and trackbacks

Plugins which Prevent Brute Force Attacks

Brute force login protection

Brute Force Login Protection is quite simple and effective plug-in which blocks the IPs automatically from hackers after multiple attempts to protect your sites using .htaccess.

Brute force login protection

Manually blocks the IP addresses and select whitelist trusted IPs
Shows number of attempts remained on login page
Will send email to the administrator once the IP is blocked
Delays the execution after a failed login to prevent from killing the site

Download Brute force login protection


 Anti-Malware and Brute-Force Security by ELI

Anti-Malware and Brute-Force Security by ELI are great plugins which remove Threats, Back-Doors and block Malware which exploit the vulnerability in your site. One can opt for a premium version which removes the threats automatically or the free one which requires manual deletion.

Premium version has the option to patch the WP-login to prevent Brute-Force attacks. You can scan plugins, wp-content, public-HTML and can check for threats in your site. Once the scanning is done, the exploits are shown which are present in your website. Either you remove the threats or quarantine the malicious codes that cause damage to your site.

In order to get access to new definition updates of known threats, you need to register the plug-in at GOTMLS.NET.

Brute-Force Security by ELI

Download  Anti-Malware and Brute-Force Security by ELI


Change Your WordPress Login URL using iThemes security

Changing your login URL is quite easy, though many people leave it by default which looks like “”. Bots always try to find the login page and predict the combinations of user IDs and passwords.

If you could hide or change your login page so that you could only access it, then the Brute Force Attacks are less possible. To change or hide your login URL from bots, install iThemes security plug-in which is freely available. This plug-in was formerly known as Better WP Security and can fix a lot of loopholes in WordPress. Once you have activated this plug-in, go to iThemes Settings and choose Hide login area.

“Hide the login page (wp-login.php, wp-admin, admin and login) by making it harder to be found by automated attacks and by making it easier for users unfamiliar with the WordPress platform”.

Change the login slug to your custom name. Select the custom name in such a way that it could be remembered easily. Make sure that you DO NOT use any Special characters such as “.” and “/” which are converted to underscore (_) and dash (-) automatically.

Enable Theme Compatibility and make it as the default one. Now save your Settings. You will be logged off automatically and can see that the URL of your page is changed to the custom URL. Remember that from now on, this is the URL to login to your WordPress site.

If you try to access the default login page, it will show 404 error. This is one of the easiest ways to prevent Brute Force Attacks.

hide backend

Limit the login attempts using iThemes security

Select iThemes security plug-in, go to Settings and choose Brute Force Protection. Enable local Brute Force Protection and iThemes Brute Force Network Protection. Enter your email ID on Get your iThemes Brute Force Protection API Key and leave all other settings as default. If you want, you can customize the settings. Now API key will be emailed and activated automatically for your site.

brute force protection


Which is the best solution to protect from Brute Force Attacks? It really depends on your choice. If you are new to WordPress, then I would recommend you to use iThemes Security and CloudFlare to protect your site from Brute force attacks.