A brute force attack is when bots repeatedly try different username and password combinations to gain access to your WordPress login page (wp-login.php or wp-admin). Because WordPress is widely used, these attacks are extremely common. The good news is that a few security measures can block most of them.
1. Use Strong, Unique Passwords
Your first line of defense is a secure password.
Best Practices
- Use at least 16 characters.
- Combine uppercase letters, lowercase letters, numbers, and symbols.
- Avoid dictionary words and personal information.
- Never reuse passwords from other sites.
Recommended Password Managers
- Bitwarden
- 1Password
- LastPass
2. Enable Two-Factor Authentication (2FA)
Even if your password is compromised, attackers cannot log in without a second verification code.
Recommended Plugins
- Wordfence Security
- Jetpack Security
- WP 2FA
Authenticator Apps
- Google Authenticator
- Microsoft Authenticator
- Authy
WordPress recommends 2FA as one of the most effective protections against brute force attacks.
3. Limit Login Attempts
By default, WordPress allows unlimited login attempts. Limiting failed attempts automatically blocks bots after several incorrect passwords.
Recommended Plugins
- Limit Login Attempts Reloaded
- Wordfence Security
Suggested Settings
- Maximum attempts: 3–5
- Lockout duration: 15–60 minutes
- Longer lockouts for repeated offenders
4. Add CAPTCHA or Cloudflare Turnstile
Bots struggle to solve CAPTCHA challenges, which greatly reduces automated login attempts.
Options
- Cloudflare Turnstile
- Google reCAPTCHA
5. Use a Web Application Firewall (WAF)
A WAF blocks malicious traffic before it reaches your site.
Popular Choices
- Cloudflare
- Sucuri
- Wordfence Security
Edge-level protection is especially effective because it stops bots before they consume server resources.
6. Disable or Restrict XML-RPC
The xmlrpc.php endpoint can be abused for distributed login attacks.
Disable XML-RPC If You Don’t Need It
- Disable XML-RPC-API Plugin
If you use the WordPress mobile app or some integrations, confirm they do not require XML-RPC before disabling it.
7. Change the Default Username
Avoid using common usernames such as:
- admin
- administrator
- test
Create a unique administrator account and remove any unnecessary admin users.
8. Keep WordPress Updated
Outdated software can introduce security vulnerabilities.
Update Regularly
- WordPress core
- Themes
- Plugins
Official Documentation
WordPress Security Handbook
9. Use Secure Hosting
Choose a host that includes:
- Malware scanning
- Web application firewall
- Daily backups
- DDoS protection
Managed WordPress hosts often provide login protection automatically.
10. Monitor Login Activity
Review logs and alerts to identify suspicious activity.
Useful Plugins
- Wordfence Security
- Jetpack Security
11. Back Up Your Website
Backups allow you to recover quickly if your site is compromised.
Backup Solutions
- UpdraftPlus
- BlogVault
Recommended Setup for Most Sites
For a practical and effective setup:
- Enable strong passwords.
- Turn on 2FA for all administrators.
- Install Limit Login Attempts Reloaded or Wordfence.
- Add Cloudflare Turnstile to the login page.
- Put the site behind Cloudflare.
- Disable XML-RPC if not required.
- Keep everything updated.
- Maintain daily backups.
This combination stops the vast majority of automated attacks.
Signs Your Site Is Under Attack
- Hundreds of failed login attempts
- Security plugin lockout notifications
- Increased CPU usage
- Slower site performance
- Unexpected admin users
These are common and usually do not indicate a successful compromise if protections are in place.
Final Thoughts
Brute force attacks are a routine part of operating a WordPress site. The most effective defenses are strong passwords, two-factor authentication, login rate limiting, CAPTCHA, and a firewall. With these safeguards, your site becomes much harder to compromise and performs more reliably under attack.