WordPress brute force attack protection

Protect your WordPress login page from brute force attacks using LiteSpeed's built-in WordPressProtect directive.

2 min read Updated 4 Jun 2026

LiteSpeed includes a built-in brute force protection system for WordPress that limits repeated login attempts. You can enable it in minutes by adding a single directive to your .htaccess file.

What is a brute force attack?

A brute force login attack works by repeatedly guessing a site's username and password until the attacker gains access to the WordPress backend. Because WordPress powers such a large proportion of the web, it is a frequent target for this type of attack.

How the protection works

LiteSpeed's WordPressProtect directive limits the number of login attempts made within a five-minute window. Once the limit is reached, the server takes the action you specify.

The full syntax is:

WordPressProtect [off|on|drop|deny|throttle,] <limit>

The <limit> value controls how many login attempts are allowed before the action triggers. The accepted values are:

Value       Meaning
0           Same as off - disables protection
1           Inherit the server-level setting (virtual-host use only)
5 to 1000   Enable protection with this login limit

Values below 5 (except 0 and 1) are treated as 5. Values above 1000 are treated as 1000.

The three available actions are:

  • throttle - slow down further requests (default if no action is specified)
  • drop - close the connection immediately with no response
  • deny - reject the connection with a 403 Forbidden response

Examples:

# Drop the connection after 10 login attempts
WordPressProtect drop, 10

# Throttle the connection after 20 login attempts
WordPressProtect throttle, 20

# Take the default action after 12 login attempts
WordPressProtect 12
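
To confirm what a given .htaccess will actually enforce, the limit and action rules above can be applied mechanically. The following is an added example, not LiteSpeed's or Kualo's own code; the function names effective_setting and audit_htaccess are hypothetical, and it assumes case-insensitive matching and that "on" selects the default action.

```python
import re

# Syntax from the page: WordPressProtect [off|on|drop|deny|throttle,] <limit>
# Assumption: keyword matching is case-insensitive, as in Apache-style configs.
DIRECTIVE = re.compile(
    r"^\s*WordPressProtect\s+(?:(off|on|drop|deny|throttle)\s*,\s*)?(\d+)\s*$",
    re.IGNORECASE,
)

def effective_setting(action, limit):
    """Return (state, action, limit) after applying the documented rules."""
    action = (action or "throttle").lower()  # throttle is the default action
    if action == "off" or limit == 0:        # 0 is the same as off
        return ("disabled", None, None)
    if limit == 1:                           # 1 inherits the server-level setting
        return ("inherit", None, None)
    if action == "on":
        action = "throttle"                  # assumption: "on" uses the default action
    return ("enabled", action, max(5, min(limit, 1000)))  # clamp to 5..1000

def audit_htaccess(text):
    """List (line_number, state, action, limit) for each directive found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not re.match(r"\s*WordPressProtect\b", line, re.IGNORECASE):
            continue  # comments and unrelated directives
        m = DIRECTIVE.match(line)
        if m:
            findings.append((lineno, *effective_setting(m.group(1), int(m.group(2)))))
        else:
            findings.append((lineno, "invalid", None, None))
    return findings

# Constructed sample file, not taken from a real site.
SAMPLE = """\
<IfModule Litespeed>
    WordPressProtect deny, 3
</IfModule>
# BEGIN WordPress
RewriteEngine On
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(finding)
```

In the sample, the configured limit of 3 is reported as 5, which is the value the server would use according to the rules above.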

How to enable the WordPressProtect directive

You add the directive to the .htaccess file in the root of your WordPress installation. You can edit this file using File Manager in cPanel or an FTP client.

The leading . makes .htaccess a hidden file. In cPanel File Manager, enable Show Hidden Files from the Settings menu. In your FTP client, enable the option to show hidden or dotfiles.

  1. Open File Manager in cPanel and navigate to your WordPress root directory (usually public_html), or connect via FTP.
  2. Locate the .htaccess file.
  3. Open the file for editing.
  4. Add the following block at the very beginning of the file:
     <IfModule Litespeed>
         WordPressProtect throttle, 5
     </IfModule>
  5. Replace throttle with drop or deny if you prefer, and adjust the limit to a value between 5 and 1000.
  6. Save the file.

The protection takes effect immediately - no server restart is needed.
