How To Prevent Brute Force Attacks On WordPress


A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. It is a hacking method which uses trial and error to break into a website, a network or a computer system.

A successful brute force attack can give hackers access to your website’s admin page. They can steal user information, create a secret means of accessing your site, install malware, and delete everything on your site.

An unsuccessful brute force attack can still bring a website down by sending too many requests, which slows down your WordPress hosting servers and may crash them.

How To Keep Your WordPress Sites Safe?

You can protect your WordPress site by doing the following:


Backups are the most important tool in your WordPress security toolkit. If all other methods fail, backups will allow you to easily restore your website.

Many WordPress hosting companies offer limited backup options. However, these backups are not guaranteed, and you are solely responsible for making your own backups.

There are several great WordPress backup plugins, which allow you to schedule automatic backups.

I recommend using UpdraftPlus. It is beginner friendly and allows you to quickly set up automatic backups and store them on cloud services like Amazon S3, Google Drive, Dropbox, and more.

Using WordPress Plugin Called Brute Force Login Protection

Brute Force Login Protection is a WordPress plugin which protects against brute force login attempts by taking several factors into account.

This is how the plugin works:

1. It delays execution after a failed login attempt to slow down the brute force attack. This can prevent the site from being taken down.
2. It informs users about the number of login attempts remaining before they get blocked.
3. It limits the number of allowed login attempts per IP address.
4. It allows you to manually block an IP address from logging into WordPress.
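
The per-IP attempt limit described above can also be applied after the fact to the web server's access log, which gives you a list of addresses to block manually. This is an added example, not the plugin's code; the function names, the limit of 5 attempts in 10 minutes, the status-code rule and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format prefix: ip - user [time] "METHOD path proto" status
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_bruteforce_ips(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: peak count} for IPs with more than max_attempts failed
    wp-login.php POSTs inside any sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line or not a form submission
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        # Assumption: a failed login re-renders the form (200), a successful
        # one redirects (302), so only 200 responses count as failures.
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()  # drop failures older than the window
        if len(attempts) > max_attempts:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(attempts))
    return flagged

def log_line(ip, hms, method="POST", status=200):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Mar/2024:{hms} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4321 "-" "-"')

SAMPLE_LOG = (
    [log_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 40, 5)]  # 8 rapid failures
    + [log_line("198.51.100.20", "10:01:00"),              # one typo...
       log_line("198.51.100.20", "10:01:30", status=302)]  # ...then success
    + [log_line("192.0.2.9", f"{h}:00:00") for h in range(11, 17)]  # 1 failure/hour
    + [log_line("203.0.113.7", "10:02:00", method="GET")]  # page view, ignored
)

if __name__ == "__main__":
    for ip, count in find_bruteforce_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 10 minutes")
```

Only the address that exceeds the limit inside the window is reported; the user who mistypes once and the slow, hourly failures stay below it.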

[Image: setup page of the Brute Force Login Protection plugin]



CloudFlare protects and speeds up your website. Once your website is part of CloudFlare, its web traffic is routed through their intelligent global network. It automatically optimizes the delivery of your web pages so your visitors get the fastest page load times and best performance.

It can also prevent brute force attacks on a website. It has free and premium plans. With the free plan you get a decent amount of brute force protection. All the other methods make your web server do the work of preventing the brute force attack, which, as mentioned, can still consume memory and CPU. CloudFlare, on the other hand, can stop malicious requests before they even hit your server.

[Image: how CloudFlare stops malicious requests]

Disable PHP File Execution in Specific WordPress Folders

Hackers may want to install and execute a PHP script in your WordPress folders. WordPress is written mainly in PHP, so you cannot disable PHP execution in every WordPress folder.

However, there are some folders that don’t need any PHP scripts. For example, your WordPress uploads folder located at /wp-content/uploads.

You can safely disable PHP execution in the uploads folder, which hackers commonly use to hide backdoor files.

First, you need to open a text editor like Notepad on your computer and paste the following code:

    <Files *.php>
    deny from all
    </Files>

Now, save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.
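
Once the file is uploaded, it is worth checking that the rule is really in place and what script files are already sitting in the uploads folder. The following is an added example, not part of the original article; the function names, the extension list and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions some servers hand to the PHP interpreter (assumed list; which
# ones actually execute depends on the server's handler configuration).
PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".phar")
# The article's rule; "Require all denied" is the Apache 2.4 spelling.
DENY_RULE = re.compile(
    r'<Files\s+"?\*\.php"?>\s*(?:deny from all|Require all denied)\s*</Files>',
    re.IGNORECASE,
)

def audit_uploads(uploads_dir):
    """Return (rule_present, script_files) for a WordPress uploads directory."""
    rule_present = False
    htaccess = os.path.join(uploads_dir, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            rule_present = bool(DENY_RULE.search(fh.read()))
    scripts = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            # Uploads should hold media only, so any script file needs review.
            if name.lower().endswith(PHP_EXTS):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                scripts.append(rel.replace(os.sep, "/"))
    return rule_present, sorted(scripts)

def build_sample_tree(base, with_rule=True):
    """Constructed sample: a month folder with two images and two scripts."""
    month = os.path.join(base, "2024", "03")
    os.makedirs(month)
    for name in ("logo.png", "photo.jpg", "cache.php", "thumb.phtml"):
        with open(os.path.join(month, name), "w") as fh:
            fh.write("constructed sample file\n")
    if with_rule:
        with open(os.path.join(base, ".htaccess"), "w") as fh:
            fh.write("<Files *.php>\ndeny from all\n</Files>\n")

def demo(with_rule=True):
    """Run the audit against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, with_rule)
        return audit_uploads(base)

if __name__ == "__main__":
    print(demo())
```

A file such as thumb.phtml is listed even though the `<Files *.php>` pattern only matches names ending in .php, so the listing is worth reviewing even when the rule is present.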

Protect WordPress Admin Directory

Most brute force attacks on a WordPress site are trying to get access to the WordPress admin area. You can add password protection on your WordPress admin directory on a server level. This would block unauthorized access to your WordPress admin area.

Simply log in to your WordPress hosting control panel (cPanel) and click on the ‘Directory Privacy’ icon under the Files section.

Next, locate the wp-admin folder and click on the folder name.

cPanel will now ask you to provide a name for the restricted folder, username, and password. After entering this information click on the save button to store your settings.

Your WordPress admin directory is now password protected. You will see a new login prompt when you visit your WordPress admin area.

If you run into a 404 error or a ‘too many redirects’ error message, then you need to add the following line to your WordPress .htaccess file.

    ErrorDocument 401 default

Install WordPress Updates

Some of the brute force attacks actively target known vulnerabilities in older versions of WordPress, plugins, or themes.

Both WordPress core and most popular WordPress plugins are open source, and vulnerabilities are often fixed very quickly with an update. However, if you fail to install updates, then you leave your website vulnerable to those old threats, which may give attackers a way in for a brute force attack.

To update WordPress, simply log in to your WordPress admin page, go to Dashboard and select Updates to check for available updates. This page will show all updates for your WordPress core, plugins, and themes.

You can also check 5 Best Security WordPress Plugins.

