WordPress Brute Force Attacks

Combating Brute Force Attacks in WordPress and How to Minimise Them

Brute force attacks are one of the simplest forms of attack on WordPress: hackers try to gain access to the admin panel of a WordPress website by guessing or randomly generating passwords, over and over again.

In the worst case the site is hacked or unwanted access is gained to the admin panel. Another drawback is that the server's memory usage climbs, which in turn affects the website's performance.
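The repeated guessing described above leaves a recognisable pattern in the web server's access log. The following is an added example, not part of the original post or of any plugin it mentions: it flags client IPs that send many failed-looking logins to /wp-login.php within a short window. It assumes the combined log format; the sample lines, the threshold of 5 and the one-minute window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client ip, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_bruteforce_ips(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for clients with at least `threshold`
    POSTs to /wp-login.php answered with 200 inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:            # lines are expected in chronological order
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string so /wp-login.php?action=... still matches.
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        # By default WordPress re-renders the form (200) on a failed login
        # and redirects (302) on success, so only 200 responses are counted.
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def sample_line(ip, second, method="POST", path="/wp-login.php", status=200):
    # Constructed sample data; the IPs used below are documentation ranges.
    return (f'{ip} - - [10/Mar/2024:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4321 "-" "sample-agent"')

SAMPLE_LOG = (
    [sample_line("203.0.113.7", s) for s in range(0, 40, 5)]  # 8 failures in 35 s
    + [sample_line("198.51.100.4", 12),                       # one typo ...
       sample_line("198.51.100.4", 30, status=302)]           # ... then success
    + [sample_line("198.51.100.9", 45, method="GET")]         # only loads the form
)

if __name__ == "__main__":
    for ip, count in find_bruteforce_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within one minute")
```

An address flagged this way is a candidate for the failed-attempt limits and IP restrictions discussed later in this post.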

A few very basic precautions can easily prevent this kind of access. Here is a list of things to do to avoid these kinds of attacks.

Selecting a Good Username and Password

Most brute force attacks use the default admin username admin with auto-generated passwords such as password1, password2, etc.

So it's basic common sense to select a good admin username. It's a good idea to use an alphanumeric combination for the username. Once the new admin user account is created, it's a good idea to delete the old default admin user. If the old admin user has created or uploaded content, take care to pass that content on to the new or selected admin so that none of the website content gets deleted.

Selecting a Good Password

As with the username, the password must be strong, or at least something that someone cannot guess easily.

It's a good idea to use a combination of letters, numbers and special characters as the password. Note that some special characters are rejected by WordPress for both usernames and passwords for security reasons.

One of my favourite sites for auto-generating passwords is passwordgenerator.net.

Using WordPress Security Plugins

There are a number of WordPress plugins that help tighten the security of a website. One of my favourites is Better WP Security.

This is a wonderful plugin, and even the free version does many things and does help protect websites. A few of the salient features are:

  • Hide the default WordPress admin URLs, i.e. /wp-admin/ or /wp-login.php
  • File Change Detection
  • Email Notifications
  • Limit number of failed attempts allowed per user


More details can be found here.

Hiding Default Admin Login Page

There are a few options for hiding the URL of the admin login page.

One option is to allow access to the admin page only from selected IP addresses, by adding the code below to the .htaccess file:

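# Block access to wordpress admin
# These rules apply to the directory that contains this .htaccess file.
# Apache 2.2-style directives; on Apache 2.4 they need mod_access_compat.
order deny,allow
allow from [numeric ip address you want to add]
deny from all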

Another way is to change the login URL to a new address using a security plugin. The Better WP Security plugin mentioned above does this too.

These are a few tips for protecting your WordPress website from brute force attacks. If you are interested in learning more, details can be found here.

About Author

I am Robin, a WordPress Developer based in Sydney. I work as a Digital Developer. I do some projects now and then, and love blogging about WordPress and Web Design.