How To Protect WordPress Website From Brute Force Attacks

Posted by TotalDC

WordPress is one of the most popular Content Management System (CMS) available. Its popularity is the reason why it is highly targeted by attackers. In this article let’s talk about how to protect the WordPress website from brute force attacks.

In this article you will learn:

how you can protect your wordpress website from brute force attacks

What Is A Brute Force Attack?

Brute force attack or brute forcing is one of the leading causes of website compromises and is similar to a trial and error method. The objective of the attacker is to gain access to the server level of your website by using various username and password combinations repeatedly until it succeeds.

A brute Force Attack is an attack on the weakest link in a website’s security. Sucuri, a security company focusing on spotting and repairing compromised websites, reports at least 770000 brute force attacks (that is a lot) every hour.

Types of Brute Force Attacks

There are many variants of this attack to increase its success rate. Here are the most common:

Simple Brute Force Attack

A simple brute force attack can use different methods like iterating through all possible passwords. This is commonly used on local files where there are no limits to the number of attempts you have.

Dictionary Attack

This attack uses the list of words and common passwords instead of going randomly, building a list of possible passwords, and iterating through them. Using a good password list can help to improve the attacker’s success rates, but again these attacks require a large number of attempts.

Hybrid Brute Force Attack

A hybrid attack uses both the dictionary attack and a regular iterative pattern. Instead of trying all passwords, it will perform small modifications to words in a dictionary such as adding numbers or changing the case of letters.

Credential Stuffing

With a growing amount of data breaches, password reuse is an easy way to compromise specific accounts reusing passwords. Credential stuffing attacks have a low rate of success and primarily rely on lists of usernames and passwords commonly found in data breaches. Hackers are just using these lists to attempt to log in with these stolen credentials.

Reverse Brute Force Attack

In this method, the attacker will try to use one password and try to match it against many user names.

How to Protect WordPress Website From Brute Force Attacks

A Brute Force Attack can be minimized, if not avoided, as long as you follow these steps.

Keep Everything Updated

WordPress themes and other plugins update their version to keep them safe from vulnerabilities and to fix bugs. Updating will help to protect your website from known exploits. You have to make sure that you keep a backup before doing updates. You may want to look for updates for the WordPress version, theme, and plugins.

Use Strong Passwords and Change Them Regularly

You guessed it right. The best way to protect your site is to use strong passwords and make sure not to keep the same password for a long time. If your website has multiple login accounts, it’s important to make sure that all your users follow these rules in making strong passwords:

  • Keep your passwords long. Use a minimum of 8 characters.
  • Keep it complex. Do not use dictionary words.
  • Keep it mixed. Use a combination of numbers, upper- and lower-case alphabets, and non-alphanumeric characters.
  • Check if your password is a common password.

Avoid Common Usernames

This is especially important for administrator accounts. You don’t want to use the default username “admin” or any similar username containing the same word. Doing so will significantly increase the chance of your website being attacked by hackers.

Use Two Way Authentication

For additional security, you can activate two-way authentication. The only con to this is that you would need to have your phone with you all the time.

What If Someone Already Hacked Your Website?

You can still recover from this miserable event. Try to regain admin access to your site. If your password was changed, you can simply get access again by using the ‘forgot password’ option. If this has failed, get in touch with your hosting provider.

Change All Your Backend Passwords

This is a super important thing to do when you regain access to your hacked website. You have to make sure that you use strong passwords so you can avoid further damage being done to your website.

Identify the Damage Done

Scan your website with online malware scanners like Google’s Safe Browsing.

Restore from Backup

If you keep regular backups, you can restore your most recent backup just make sure the backup that you chose was from before your website was hacked.

Check and Change User Permissions

Checking user permissions, especially if many accounts can access admin settings, should be done to prevent other users access while you are fixing your site.

Secure wp-config.php

Secure your wp-config.php file and close all the backdoors that the hacker may have left. You will need professional help for this.


Your website being compromised is one of the worst experiences a website manager can go through. So planning ahead and hardening the security of your website should never be taken lightly.