# WordPress brute force attack protection

> Protect your WordPress login page from brute force attacks using LiteSpeed's built-in WordPressProtect directive.

Source: https://www.kualo.com/knowledgebase/wp-security/wordpress-brute-force-attack-protection
Updated: 2026-06-04

---

LiteSpeed includes a built-in brute force protection system for WordPress that limits repeated login attempts. You can enable it in minutes by adding a single directive to your `.htaccess` file.

## What is a brute force attack?

A brute force login attack works by repeatedly guessing a site's username and password until the attacker gains access to the WordPress backend. Because WordPress powers such a large proportion of the web, it is a frequent target for this type of attack.

## How the protection works

LiteSpeed's `WordPressProtect` directive limits the number of login attempts made within a five-minute window. Once the limit is reached, the server takes the action you specify.

The full syntax is:

```apache
WordPressProtect [off|on|drop|deny|throttle,] <limit>
```

The `<limit>` value controls how many login attempts are allowed before the action triggers. The accepted values are:

| Value | Meaning |
|---|---|
| `0` | Same as `off` - disables protection |
| `1` | Inherit the server-level setting (virtual-host use only) |
| `5` to `1000` | Enable protection with this login limit |

:::info
Values below `5` (except `0` and `1`) are treated as `5`. Values above `1000` are treated as `1000`.
:::

The three available actions are:

- **throttle** - slow down further requests (default if no action is specified)
- **drop** - close the connection immediately with no response
- **deny** - reject the connection with a `403 Forbidden` response

**Examples:**

```apache
# Drop the connection after 10 login attempts
WordPressProtect drop, 10

# Throttle the connection after 20 login attempts
WordPressProtect throttle, 20

# Take the default action after 12 login attempts
WordPressProtect 12
```

## How to enable the WordPressProtect directive

You add the directive to the `.htaccess` file in the root of your WordPress installation. You can edit this file using File Manager in cPanel or an FTP client.

:::tip
The leading `.` makes `.htaccess` a hidden file. In cPanel File Manager, enable **Show Hidden Files** from the Settings menu. In your FTP client, enable the option to show hidden or dotfiles.
:::

1. Open File Manager in cPanel and navigate to your WordPress root directory (usually `public_html`), or connect via FTP.
2. Locate the `.htaccess` file.
3. Open the file for editing.
4. Add the following block at the very beginning of the file:

```apache
<IfModule Litespeed>
    WordPressProtect throttle, 5
</IfModule>
```

5. Replace `throttle` with `drop` or `deny` if you prefer a different action, and adjust the limit to a value between `5` and `1000`.
6. Save the file.

The protection takes effect immediately - no server restart is needed.
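
To confirm what a saved `.htaccess` will actually enforce, the following Python sketch parses `WordPressProtect` lines and reports the effective action and limit under the rules above. It is an added example, not Kualo's or LiteSpeed's code. Assumptions: `on` is treated as the default `throttle` action, the directive name is matched case-insensitively, and the sample file content is constructed.

```python
import re

# Page syntax: WordPressProtect [off|on|drop|deny|throttle,] <limit>
DIRECTIVE = re.compile(
    r"^\s*WordPressProtect\s+(?:(off|on|drop|deny|throttle)\s*,\s*)?(\d+)\s*$",
    re.IGNORECASE,
)

def effective_setting(line):
    """Return (state, action, limit, note) for a directive line, else None."""
    m = DIRECTIVE.match(line)
    if not m:
        return None
    keyword = (m.group(1) or "throttle").lower()  # no action given: throttle
    raw = int(m.group(2))
    if keyword == "off" or raw == 0:
        return ("disabled", None, None, "login attempts are not limited")
    if keyword == "on":
        keyword = "throttle"  # assumption: "on" enables the default action
    if raw == 1:
        return ("inherit", None, None, "uses the server-level setting")
    limit = min(max(raw, 5), 1000)  # out-of-range values are clamped
    note = f"limit {raw} is treated as {limit}" if limit != raw else ""
    return ("enabled", keyword, limit, note)

def audit(htaccess_text):
    """Return one (line_number, setting) pair per WordPressProtect line."""
    found = []
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        setting = effective_setting(line)
        if setting:
            found.append((number, setting))
    return found

# Constructed sample .htaccess content, not taken from a real site.
SAMPLE = """<IfModule Litespeed>
    WordPressProtect deny, 3
</IfModule>
# BEGIN WordPress
RewriteEngine On
# END WordPress
"""

if __name__ == "__main__":
    results = audit(SAMPLE)
    if not results:
        print("no WordPressProtect directive found")
    for number, (state, action, limit, note) in results:
        print(f"line {number}: {state} action={action} limit={limit} {note}")
```

An empty result from `audit` means the file contains no `WordPressProtect` line, so nothing in that file limits login attempts.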

