By Jason Chow

Whether you run a WordPress site that is the backbone of your business or a personal blog that lets people know about your favorite low-fat recipes, it would be a shame to lose it due to the nefarious actions some hacker.

According to Sucuri, who tracks this data, WordPress is the most common CMS infected by attacks, which increased from 74% in Q3 2016 to 83% in 2017. Even if one of these attacks isn’t successful, just the attempt can slow down your website hosting.

What is Brute Force Attacks?

Brute force attacks are what they sound like – either a bot or human directly attacks your WordPress site by trying to log in repeatedly with a series of guessed credentials. When it’s a bot, there can be thousands of attempts to your login page per minute!

A brute force attack can take your website down, break your online store, steal user data, and even destroy it completely if you don’t have a backup. These disruptions are not only annoying, but they can also be costly if your site is a source of revenue.

Since brute force attacks have become so common, we recommend that you take action quickly to protect your WordPress. Here are some best practices as well as options that apply to your server to secure your WordPress site from attacks.

Don’t Use “Admin” as a Username

Prior to WordPress version 3.0, the CMS was installed with the default username “admin.” It was then up to the site owner to change it later if they wished. New installs make it possible to change the “admin” username at installation, but many people still leave it at the default. This is a huge mistake.

One of the largest vulnerabilities to a brute force attack is the fact that hackers already have half of the equation solved – your username. You can take this away by changing your username as quickly as possible. Not only do you want a unique username, but also one that is unpredictable with a combination of words, numbers, and characters.

Harden Your Password

While we are toughening up your WordPress username, it’s time to do the same for your password. Using a strong password for your WordPress site is essential because failure to do is going to make you vulnerable to attacks from terrible people.

To change your WordPress password, login, go to Users > Your Profile, and scroll down until you see New Password. When you create a password, it should be as strong as possible, which means it will include some or all of these elements:

  • Have at least 8 characters
  • Not be predictable, or a word found in the dictionary
  • Not be the name of your town, a loved one, or your favorite hobby
  • Should include upper and lowercase letters, numbers, and special characters ($, #, +, %, &)
  • Something that you change at least every one to two months

Hide Your Login Area

When you log in to your WordPress site, chances are you do so at yoursitename/wp-admin. Brute force attackers know this and look for these file name extensions in their attacks. You can thwart their efforts by moving this login page to another location. You can do this manually or through a plugin.

A few of the plugins that will do this for you include WPS Hide Login and Loginizer (see screenshot above). If you want to manually move the wp-admin page, it is slightly involved but can be accomplished by changing some code with these instructions.

Limit the Number of Login Attempts

One of the reasons that brute force attacks continue and that they work is that their attempts are unlimited. You can take away their power by limiting the number of times that someone can try to login to your website.

You can use WordFence (see screenshot above) to control the account accessibility such as limit the number of attempts for login failures, password forget attempts, use strong passwords, etc. The Loginizer, as mention earlier, this plugin also can accomplish this as can other plugins such as Limit Login Attempts. You decide how many login attempts from one IP are too many, and then the plugin will shut the door for a certain period of time.

Implement SSL

SSL protection on your WordPress doesn’t necessarily protect against phishing attacks, but it does provide several relevant benefits. First, many SSL providers will give you free website vulnerability analysis, so you will know where your weaknesses are and be able to address them quickly. More importantly, if your website is breached, your data will be encrypted so the thieves won’t be able to get anything that can cause harm to you or your clients. There is free SSL such as Let’s Encrypt that can be installed on your WordPress easily.

Turn Off HTTP Trace Functionality

Most brute force attacks, like cross site scripting (XSS) and cross site tracing (XST) are geared toward a system that has HTTP trace functionality enabled. In fact, 46.9% of all websites are vulnerable to an XSS attack. To give your website additional protection, you should consider turning off HTTP trace functionality.

Restrict Access

Even when you have a strong password and hide your login area, there might still be some attempts to infiltrate your site. Another thing you can do is to restrict access to the login page to only authorized IP addresses (this will only work if you have a static IP address).

If you do have a static IP address, you restrict access via your .htaccess file. Or, you can create a range of IP addresses that can access the site. The code is as follows:

order deny,allow

allow from MYIP

allow from MYIP2

deny from all

Use Captchas

Pre-login captchas are another way to stop or slow down attempts to access your website through your login page. These are particularly useful when you have a website that requires or encourages visitors to register to place an order or leave a comment. The use of captchas can cut down on the number of bots and spammers that will register for your site with other purposes in mind.

There are multiple captcha plugins, some free and some paid. It’s important to note that some captchas are more easily defeated than others. Determined hackers can simply subscribe to a service that will solve these puzzles in real time, which means that it pays to have other protections in place.

Two-Factor Authentication (2FA)

Using two-factor authentication whenever possible is also an excellent way to lock down your WordPress site and prevent access through a brute force attack. Even if your password is compromised, no one will be able to get into your site because they won’t be able to get past the second layer of defense.


Since manners have fallen by the wayside on much of the internet and brute force attacks are the rise, you just can’t be cautious enough with your WordPress site. If you don’t know how to do it, you can always refer to your administrators or hire a web designer who can help to protect you from hackers that would like to get access to your precious data.

Jason Chow is a digital marketer and WordPress fans from Webrevenue.io, a company that provides content and marketing for startups and online businesses. Twitter handle: @JasonCPF

Cyber attack stock photo by Maksim Shmeljov/Shutterstock