Protecting WordPress from distributed brute force attacks

Brute force attacks are one of the most common threats to WordPress sites - here is how to defend against them.

3 min read Updated 4 Jun 2026

WordPress is one of the most widely used content management systems in the world, which makes it a frequent target for brute force attacks - automated attempts to guess your login credentials and gain access to your admin area.

A distributed brute force attack works the same way, but uses many different IP addresses at once, making simple IP blocking less effective. The steps below outline the key measures you can take to protect your site.

Use a strong, unique password and a non-default username

The single most effective defence is making sure your credentials are hard to guess.

  • Never use admin as your WordPress username. If you currently do, create a new administrator account with a different username and delete the old one.
  • Use a long, random password. A password manager makes this straightforward.
  • Each site should have its own unique credentials.

Limit login attempts

By default, WordPress allows unlimited login attempts. Installing a plugin that limits failed logins - and temporarily blocks the offending IP after a set number of failures - significantly reduces the risk from brute force attacks.

Search the WordPress plugin directory for a reputable login-limiting plugin. Look for one that is actively maintained, has a large install base, and has been recently updated.

Move or protect the login page

Most automated attacks target /wp-login.php directly. You can reduce exposure in two ways:

  • Password-protect the login page at the server level using a directory password (.htpasswd) via cPanel, so a second set of credentials is required before WordPress even loads its own login form.
  • Change the login URL using a plugin, so automated scanners cannot find it at the default address.
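As an added illustration (not part of Kualo's documentation), this is the kind of .htaccess rule the cPanel directory-password feature produces, narrowed with a Files block so that only wp-login.php asks for the second set of credentials while the public site stays reachable. The .htpasswd path and the example user are assumptions; cPanel will write its own.

```apache
# Added example, not Kualo's own configuration.
# Assumed location for the password file: keep it outside the public web root
# so it can never be served to visitors (placeholder path).
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile "/home/example/.htpasswd"
    Require valid-user
</Files>

# The password file itself is created with Apache's htpasswd tool, for example
# (run once, -c creates the file, -B uses bcrypt hashing; "editor" is a placeholder user):
#     htpasswd -B -c /home/example/.htpasswd editor
```

WordPress also posts back to wp-login.php on every login, so the browser prompt appears only once per session; if the whole directory were protected instead, every page of the site would require the password.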

Enable two-factor authentication

Two-factor authentication (2FA) requires a second proof of identity - typically a time-based code from an authenticator app - in addition to your password. Even if an attacker guesses your password, they cannot log in without the second factor. Several well-maintained WordPress plugins provide 2FA for the admin area.

Keep WordPress, themes, and plugins up to date

Many attacks exploit known vulnerabilities in outdated software. Keeping everything updated closes those doors.

  • Enable automatic background updates for minor WordPress releases.
  • Review and update plugins and themes regularly.
  • Remove any plugins or themes you are not actively using.

Kualo's Patchman service automatically detects and patches known vulnerabilities in WordPress core, plugins, and themes on your hosting account, providing an additional layer of protection.

Use Imunify360

Kualo hosting includes Imunify360, a server-level security layer that detects and blocks malicious traffic - including brute force login attempts - before it reaches your site. No configuration is required on your part; it runs automatically.

Consider WP Toolkit

If your Kualo hosting plan includes WP Toolkit, it provides a security hardening feature that checks your installation against a set of best-practice rules and lets you apply fixes with a single click. You can access WP Toolkit from within cPanel.

Further reading

For a broader look at securing your WordPress installation, see our article on general WordPress security best practices.
