How to Protect Your WordPress Site from Brute Force Attacks (Step by Step)

Do you want to protect your WordPress site from brute force attacks? These attacks can slow down your website, making it inaccessible, and even crack your password to install malware on your website. In this article, we’ll show you how to protect your WordPress site from brute-force attacks.

What is a Brute Force Attack?


Brute Force Attack is a hack method that utilizes trial and error techniques to break into a website, network or computer system.


Hackers use automated software to send a large number of requests to the target system. With each request, this software attempts to guess the information needed to gain access, such as a password or pin code.


These tools can also disguise themselves by using a different IP address and location, which makes it more difficult for a targeted system to identify and block suspicious activities.


A successful brute force attack can provide access to the admin area of ​​your website hackers. They can install a backdoor, malware, steal user information, and delete everything on your site.


Even successful brute force attack can wreak havoc by sending too many requests are slowing WordPress hosting server and even crash them.


That being said, let’s look at how to protect your WordPress site from brute-force attacks.

Step 1. Install WordPress Firewall Plugin


brute force attack puts a lot of load on your server. Even people who fail to slow down your website or actually crash the server. This is why it is important to block them before they get to your server.


To do that, you will need a firewall solution website. Firewalls filter out bad traffic and a block from accessing your site.

There are two types of firewalls sites that you can use.Install a WordPress Firewall Plugin


Application Level Firewall – firewall this plugin check traffic after reaching your server but before loading the script most WordPress. This method is not efficient because of the brute force attack can still affect your server load.


Site-Level DNS Firewall – firewall routes traffic your website through their representatives cloud server. This allows them to simply send traffic to web hosting sincere your primary server while giving a boost to the speed and performance of your WordPress.


We recommend using Sucuri. This is an industry leader in security and firewall WordPress sites on the market. Because the firewall sites DNS level, it means that all of your Web site traffic running through their proxy in which the bad traffic is filtered.


We use Sucuri on our website, and you can read the complete Sucuri us to learn more.

Step 2. Install WordPress Updates


Some common brute-force attack to actively target known vulnerabilities in versions of WordPress, the popular WordPress plugin, or theme.


WordPress core and most popular WordPress plugins are open source and vulnerabilities are often fixed very quickly with an update. However, if you fail to install the update, then you leave your website vulnerable to the threats of old.


Simply go to the Dashboard » Updates on the WordPress admin area to check for available updates. This page will display all of your WordPress updates for core, plugins, and themes.

Install WordPress Updates

For more details, see our guide on how to properly update a WordPress plugin.

Step 3. Protect WordPress Admin Directory


Most brute force attacks on WordPress sites try to gain access to the WordPress admin area. You can add password protection on your WordPress admin directory on the server level. This will block unauthorized access to your WordPress admin area.


Simply log into your WordPress hosting control panel (cPanel) and click on ‘Directory Privacy’ icon under the Files section.


Note: We use Bluehost at our screenshots but the same settings available in other top hosting companies also like SiteGround, HostGator, etc.

WordPress Admin Directory

Next, you need to look for wp-admin folder and click on the folder name.

WordPress Admin Directory

cPanel will now ask you to give a name for the folder restricted, username, and password. After entering this information click on the save button to save your settings.

WordPress Admin Directory

WordPress admin directory now be password protected. You will see a new login prompt when you visit your WordPress admin area.

WordPress Admin Directory

If you encounter an error message 404 or error too many redirects, then you need to add the following line to your WordPress .htaccess file.

ErrorDocument 401 default

For more details, see our article on how to password protect your WordPress admin directory.

Step 4. Add Two-Factor Authentication in WordPress


two-factor authentication adds an additional security layer to your login screen WordPress. Basically, users will need their cell phones to generate a one time passcode along with their login credentials to access your WordPress admin area.

Two-Factor Authentication in WordPress

Add two-factor authentication will make it more difficult for hackers to gain access even if they are able to solve your WordPress password.


For a detailed step-by-step instructions, see our guide on how to add two-factor authentication in WordPress

Step 5. Use Strong Passwords Unique


The password is the key to gain access to your WordPress site. You need to use a unique strong passwords for all your accounts. A strong password is a combination of numbers, letters and special characters.


It’s important that you use a strong password for WordPress user account not only you, but also for FTP, web hosting control panel, and the WordPress database.


Most beginners ask us how to remember all these passwords unique? Well, you do not need. There is a good password manager apps available that will safely store your passwords and automatically fill them for you.


To learn more, see our beginner’s guide on how best to manage passwords for WordPress.

Step 6. Turn off Directory Browsing


By default, when you do not find the web server index file (ie a file like index.php or index.html), it will automatically display the index page showing the contents of a directory.

Brute Force Attacks

During the brute-force attack, the hacker can use the directory to locate the file browsing vulnerable. To fix this, you need to add the following line at the bottom of your WordPress .htaccess file.

Options -Indexes

For more details, see our article on how to disable directory browsing on WordPress.

Step 7. Execute Disable WordPress PHP files in Folder Specification


Hackers may want to install and run a PHP script on your WordPress folder. WordPress is written mainly in PHP, which means you can not disable that in all WordPress folder.


However, there are some folders that do not require a PHP script. For example, your WordPress upload folder located in the / wp-content / uploads.


You can safely disable the execution of PHP in the upload folder which is a public place hackers use to hide a backdoor file.


First, you need to open a text editor such as Notepad on your computer and paste the following code:

<Files *.php>
deny from all

Now, save this file as .htaccess and upload it to the / wp-content / uploads / folder on your website using an FTP client.

Step 8. Install and Setup WordPress Backup Plugin

WordPress Backup Plugin

Backup is the most important tool in the arsenal of your WordPress security. If all else fails, then the backup will allow you to easily restore your website.


Most WordPress hosting companies offer unlimited backup option. However, this backup is not guaranteed, and you are responsible for making your own backups.


There are some great WordPress backup plugin, which allows you to schedule automatic backups.


We recommend using UpdraftPlus. This is beginner friendly and allows you to quickly setup automatic backup and store it in a remote location such as Google Drive, Dropbox, Amazon S3, and more.


For step-by-step instructions, see our guide on how to backup and restore your WordPress website with UpdraftPlus


All the tips mentioned above will help you protect your WordPress website against brute-force attacks. For a more comprehensive security setup, you must follow the instructions in our main WordPress security guide for beginners.


We hope this article helps you learn how to protect your WordPress site from brute-force attacks. You also might want to look out for signs that your WordPress hack and how to fix the hacked WordPress sites.

0 CommentsClose Comments

Leave a comment

subscribe to newsletter

Get the latest posts and articles in your email

We promise not to send spam 

subscribe to newsletter

Get the latest posts and articles in your email

We promise not to send spam 

subscribe to newsletter

Get the latest posts and articles in your email

We promise not to send spam