How to Protect Your WordPress Website from Brute Force Attacks

Brute-forcing is one of the first, most primitive type of cyber-attacks, due to its availability of integration versus all types of websites and platforms. Over time, the progression of a website’s complexity of usage and function has then given the birth of other types of more advanced attacks.

However the first of which has always been the most basic of such that can be applied to a mass number of situations, such as the brute force approach.

What Exactly is a Brute Force Attack?

When it comes to cybersecurity, there are all sorts of malicious attacks one may engage in towards getting past the security of your website. One of which, controversially is considered to be an attempt of guessing a username/password combination via “brute force attacks” which action we call “brute forcing.”

This attack type is not native only to WordPress but happens with all the web apps out there. However, since WordPress is popular, it’s a frequent target.

How Effective and Dangerous Is It?

A common misconception about brute-forcing is that people consider it to be an effective method of obtaining control over one’s website, while in reality, the chance of success of such an attack towards a website with a moderately secure password is slim to none.

The attack itself is quite widespread in terms of occurrences due to its popularity and mass availability, which comes from the fact that it is simply easy to set up. However, without the exact knowledge of what you are doing most such attacks are predestined to fail.

What Does the Attack Include?

A brute force attack consists of a predefined “wordlist” of username(s) and passwords which are then combined into one text file. This file is then used in combination with various types of different programs/software towards the login form fields of your website, or through any file, your application may have that accept user login data in attempts to find a possible match.

What Can We Do Towards Preventing It?

Prerequisite: Create a Strong Complex Password

The most common ways of protecting against such an attack are honestly the most effective as well. To put it simply, if your password is not in the attackers’ wordlist, they can’t get in. These wordlists usually consist of: dictionary words, random letters/number combinations, phrases, expressions, common names, countries, towns, and basically anything you can think of that isn’t absolutely random.

While we would never recommend a password generator, because even though they are based upon some algorithm of creation, dragging my hand through the keyboard will always create an impenetrable password.

On a technical level: Strong Server Protection

On a server level, all of our servers come with pre-installed Firewalls, WAF, BitNinja, and other top-quality security protocols which will mitigate nearly 80% of all attack attempts before they even start. Learn more about how FastGuard protects your website and the technologies we use

For those who do get past the initial defense, we suggest arranging the following security reinforcements:

  • Whitelist IP Address. If you would like to cut off any chance a hacker may have of getting a glimpse of the insides of your WordPress dashboard, it’s about time to limit the access to the administrator and his staff only, you can do this by creating or modifying your existing .htaccess file by adding the following code to it:
# Block access to wp-login.php
<Files wp-login.php>
 order deny, allow
 allow from XXX 
 allow from XXX 
 allow from XXX 
 deny from all


Whitelist IP Address to Limit WordPress Site Access
  • Password Protect the WordPress Dashboard. This feature can be enabled either manually through the .htaccess, but we recommended using the Directory Privacy feature which you can select from inside of the cPanel.
Password Protect the WordPress Dashboard

Afterward, go into the folder of your WordPress website, wherever you have it installed and select the /wp-admindirectory, for which you will be creating the authentication page.

WordPress Set Permissons

It will then require a SECOND username and password from anyone who is trying to access the admin dashboard, even after a successful initial login.

WordPress Create User for Accessing Dashboard
  • Cloudflare WAF. Tough luck, you are not getting past that. Applying Cloudflare gives you a lot more features than just it’s main marketed feature, which is the CDN function, which makes your website load at top performance all across the earth by having it load up from their closest mirror server depending on the website viewer’s current geographical location, granting it a higher accessibility rate.

    For really serious situations where you have noticed a tendency of often hacking attempts towards your website we strongly recommend you enable Cloudflare for it’s WAF feature, which is updated against the newest types of attacks and hacking methods weekly. On the Cloud VPS/Dedicated CPU Server hosting structure, it is possible to access a website via either it’s a domain name or a selected IP address, on Shared Hosting; however it is only possible to access your site via a domain name, giving it one point of entry. Having applied Cloudflare under these conditions, a hacker will then only be able to access your website through your WordPress website’s domain where all automated attacks will inevitably be blocked within the first 30 seconds given that they were able even to start at all.
WordPress Security Scanner by the WPScan Team

To Wrap it Up

As a finish to the topic – it’s a paradox, but cybersecurity is as complex as it is simple. Keep your passwords safe, and we will keep your hosting safer. Verify that you comply with the steps of this guide and you are guaranteed never to fall victim to a keyboard burglar 🙂

Daniel G.

Daniel works in Customer Sucess at FastComet. A self-described 'massive geek' and cybersecurity enthusiast, Daniel draws on his skills to research, understand, and disseminate Performance Monitoring complex topics to reach FastComet's technical audience.