WordPress Security: How to Prevent from Brute Force Attacks

WordPress – The most widely used Content Management System in today’s Internet world. Due to its popularity, it’s an incredibly attractive target for hackers. There are some attacks to be faced by WordPress websites. Today, I’ll explain you a bit about Brute Force – Most widely used attack for password protected entities.

Brute Force attack also referred as Dictionary attack. It is the most famous attack on Internet. What happens in Brute Force attack, the hacker tries all possible combinations of digits, letters and special characters to guess the password for your account.

Most of the attacks are automated. Running from an individual machine or high-speed servers against your site. It depends on resources how much time is taken to get the actual password.

Cloudways wordpress fast

How attackers ATTACK:

Wordpress Security How to Prevent from Brute Force Attacks

Usually, when we create a WordPress website. We set our Username as “Admin” and Password as “12345” or “admin”. Such kind of most common username and passwords are the best friends of Brute Force attacks. These usernames and passwords can be hacked easily within few minutes.

As we have the site owner username as “Admin” and Password is “12345”.

The attacker will try all possible combination of digits, letters and special characters against our account. It will continuously start verifying on each iteration. Once password matches. You’re HACKED!

How to Prevent from Brute Force Attacks:

There are a number of ways to prevent such kind of attacks. Below are few of them.


  1. Pick Strong Username & Password:

Choose a unique username and strong password after you’ve setup your WordPress site. From your WordPress Admin Panel, navigate to “Users > Add New”. Create a new user of a unique name (avoid using a dictionary word). Set an adamant password. Assign him “Administrator” role. Refer the image below.

External WordPress Security

Now, Logout. And login again from the newly created account. Navigate to Users and delete WordPress default user account. Typically named as “Admin”.


  1. Limit Login Attempts:

By default, WordPress does not allow to limit the login attempts. That means when login to an account fails continuously. It will not restrict the user to stop. There are many plugins in WordPress directory that can restrict users from login after particular failed login attempts. One of them is WP Limit Login Attempts.

External WordPress Security 1


From your WordPress Admin Panel. Navigate to “Plugins > Add New”. From the top right corner, search for “WP Limit Login Attempts”. Once found. Click on “Install” and “Activate” it.

After successful installation. Navigate to “Settings > WP Limit Login. You’ll see settings like below image. In its free version, you cannot change the default settings. If you want to configure according to your  needs, you can use its premium version.

External WordPress Security 2

After configuring, go to your WordPress login page. Remember you have 5 login attempts and a failed login attempt is shown below for your further clarification.

External WordPress Security 3

After all 5 login attempts. This message will be displayed and restrict that particular user for 10 minutes.

External WordPress Security 4

  1. Two Factor Authentication

The best way to prevent from Brute Force attack is using Two Factor Authentication. That means along with your password, a login code sent to your phone is also required for authentication. Internet giants like Gmail, Facebook, Twitter, LinkedIn, Hotmail, Yahoo mail and others are also using Two Factor Authentication for security.

You can also use Two Factor Authentication on your WordPress based website too. Clef and Duo Two-Factor Authentication are the most popular plugins for WordPress Two Factor Authentication.

  1. More Advanced Protection

For complete prevention from different kind of attacks, there are a number of Plugins available on WordPress directory. Some of the most popular are:

  1. Wordfence
  2. iThemes Security
  3. Sucuri Security
  4. All In One WP Security & Firewall

You can also read more about Brute Force attack from here.

After successful installation of your WordPress website. Security is most important factor. One should not ignore it. Last, but not the least. Your hosting plays a crucial role in securing your WordPress website. There are many Managed WordPress Hosting providers like Cloudways that provides 1-click installation of WordPress.

Feel free to ask any query by using comment section below.

Humble Request

if you really enjoyed this post please share this post to your friends so they learn something new and grow in digital marketing. Your valuable comments are oxygen for me.

About Jitendra Vaswani

Jitendra Vaswani is the founder of SchemaNinja WordPress Plugin, prior to SchemaNinja he is the founder of big internet marketing blog BloggersIdeas.com. During his more than 6+yrs long expertise in Digital Marketing, Jitendra has been a marketing consultant, trainer, speaker and author of “Inside A Hustler’s Brain : In Pursuit of Financial Freedom” which has sold over 20,000 copies, worldwide. He has trained 3000+ digital marketing professionals till date and has been conducting Digital marketing workshops across the globe from 5+ yrs. His ultimate goal is to help people build businesses through digitization make them realize that dreams do come true if you stay driven. Check out his portfolio( jitendra.co). Find him on Linkedin, Twitter, & Facebook.

1 Comment

  1. subhadip

    Great post Jitendra . But it’s not only brute force attack that can Couse problem to one’s website. Now a days we face different kind of attacks from hackers. So I think it’s very important to take care of our website or blog in a proper way.
    We should Always keep our WordPress installation up to date. We should Update our WordPress as soon as possible if there is any new WordPress update. Most of the times, hacked websites are those which are using an older version of WordPress. Older versions of WordPress always have a few known security issues
    We should always keep plugins and themes added in our blog updates to latest version. New versions always come with new features and security fixes. So, updating plugins and themes is necessary
    Download themes and plugins only from trusted sources. Nulled themes and themes from untrusted sources generally contain malware in the code. If you install any security plugin, you will be notified, but why to take risk. Avoid any unknown source for download plugins and themes.


Leave a Reply

Your email address will not be published. Required fields are marked *