Want to learn how to prevent brute force attacks on WordPress sites? then you have come to the right place.

According to Forbes figures, an average of 30,000 websites get hacked every day. And a study made in 2003, found that on average there is an attack every 39 seconds on the web and it’s 2023 RIGHT NOW. Therefore, protecting your WordPress website is crucial.

There are many types of cyber attacks that happen in the world today including password attacks (brute force attacks), phishing attacks, malware attacks, and DDoS attacks.

Password attack is a form of cyber attack wherein hackers try to crack your password with various programs and tools. There’re many varieties of password attacks such as brute force attacks, keylogger attacks, and dictionary attacks.

As we have discussed the basics, now it’s important to know what a brute force attack is and how it negatively affects your website.

Table of Contents

What is A Brute Force Attack?

Brute force is the most commonly used hacking method wherein attackers try to find out your valid login credentials to break into your website.

Hackers use automated software that try hundreds, thousands, and even millions of username and password combinations on a trial-and-error basis to gain access to your WordPress admin dashboard.

During brute force attacks, your WordPress login page is bombarded with too many requests and your web hosting server has to respond to these requests. This consumes your server’s resources (CPU/Memory) which leads to low performance, inaccessibility, or crash of your website.

You need to install a brute force protection tool to protect your WordPress website from brute force attacks like the iThemes Security PRO plugin (review).

What is Brute Force Protection?

Brute force protection keeps your website secure by limiting the failed login attempts per host or user in a set period of time and blocking malicious IP addresses.

There’re many plugins that help you stop brute force attacks including the iThemes Security plugin.

iThemes Security (review) is the best WordPress security plugin that enhances your WordPress website’s security by using 30+ ways. The LOCAL and NETWORK brute force protection features are included in the free version of the iThemes Security plugin.

You need to install the best security plugin like iThemes Security and follow the best security practices to stop brute force attacks on your WordPress website.

How to Prevent Brute Force Attacks on WordPress Site?

Do you know what will happen if your website gets hacked? It will depend on the context and activity of your website but it’s expected that you’ll lose brand reputation, the confidence of users & customers, and search engine ranking as well as your revenue will be dropped.

Hence, you have to implement the following best security practices to protect your WordPress website from brute force attacks.

#1. Use Unique and Stronger Password

Your password is the first line of defense for your website. This is why you should use a unique, stronger, and hard-to-guess password for your website.

To create a unique, stronger, and difficult-to-guess password, you should follow these tips.

Your password length should be 10-50 characters
Use uppercase and lowercase letters
Use numbers and special characters
Change your password every 4 months

How to Set Up Strong Password For Your WordPress Website?

If you use a weak password for your WordPress admin dashboard, then create a stronger one by applying the following steps.

Click Users from the left sidebar menu, it will show you all the users’ profiles. Next, click Edit just below your username.

This will bring you to your profile management section.

Scroll down to the Account Management field and click the Set New Password button, it will automatically generate a stronger password but you can also enter your own one.

Finally, scroll down to the bottom and click the Update Profile button to change your password.

If you want to force other users to change their passwords to stronger ones, you should install the iThemes Security plugin.

iThemes Security plugin allows you to force users to use strong passwords, refuse compromised passwords, and set up password age (after that the password will be expired).

After installing and activating the iThemes Security plugin, follow this sequence. Security (from the left side menu) >> Settings (from the dropdown menu) >> User Groups >> Features >> Password Requirements.

There you have to toggle on Strong Passwords, Refuse Compromised Passwords, and Password Age features.

Don’t forget to click the Save button to make changes live. Now it will force users to use strong passwords, refuse compromised passwords, and set up a new password after expiration.

Avoid Admin Username: When you install WordPress, make sure to avoid the Admin username and use a different one. Although if you have, then you should change it.

#2. Add Two-Factor Authentication

Logging into your website with just a password is a single-step verification. But you can also add two-step verification or two-factor authentication to your WordPress website.

Two-factor authentication adds an extra layer of security to your WordPress login. It requires an additional passcode behind your username and password.

How to Add Two-factor Authentication to Your WordPress Website?

There’re two cases when enabling two-factor authentication on your WordPress website.

Premium: If you want to use an all-in-one security solution, then iThemes Security PRO is the perfect option. It includes 30+ features including two-factor authentication to keep secure your WordPress website.
FREE: If you want to use a free separate plugin, then you should use the Two Factor Authentication plugin.

I’ve enabled two-factor authentication in iThemes Security plugin as I have its PRO version. But let me show you how to set up two-factor authentication on your WordPress website using the free method.

Install and activate the Two Factor Authentication plugin and navigate to its tab (called Two Factor Auth) from the left sidebar. There you will find the QR code and private key which you have to enter into the authenticator apps like Authy or Google Authenticator.

Copy the private key and paste it into your authenticator app’s account.

Quick Note: You need to create your account in an authenticator app like Authy.

I use the Twilio Authy app for this purpose. Click on the plus (+) icon from the top menu in the Twilio Authy app and then you’ll be asked to enter your private key in the box.

After that, click Add Account button, so it will be added, and then it will automatically generate one-time passcodes that will be expired within the next 30 seconds.

Quick Note: Remove inactive users such as administrators, authors, and contributors if they haven’t enabled two-factor authentication because attackers will target them. So all you have to do is to assign their published posts to yourself and then delete their profiles.

#3. Limit the Failed Login Attempts

WordPress has no built-in feature that limits failed login attempts, hence attackers try an unlimited number of times to log into your WordPress admin panel. Therefore, you must restrict the failed login attempts.

How Limit the Failed Login Attempts?

iThemes Security plugin automatically limits the number of failed login attempts per user in a specified time.

The plugin has pretty much default settings for blocking users or hosts. It locks out them after 5 failed login attempts in 15 minutes.

If you want to change these settings, navigate to this sequence. Security (from left sidebar menu) >> Settings (from dropdown menu) >> CONFIGURE >> Global Settings.

There you can adjust the settings like minutes to lockout, days to remember lockouts, ban threshold, and lockout message.

#4. Hide the WordPress Login Page

By default, the new WordPress website’s login page can be accessed through /wp-admin or /wp-login.php, this means attackers know how to access your WordPress login page. This is why you should hide your WordPress login page.

You can mask your WordPress login page by changing its URL structure using the iThemes Security plugin. This makes it harder for attackers to find and access your WordPress login page.

How to Hide the WordPress Login Page?

You can easily change your wp-admin WordPress login URL using the iThemes Security plugin.

Just follow the sequence, Security (from left sidebar menu) >> Settings (from dropdown menu) >> Advanced >> HIDE BACKEND.

Firstly check the box of Hide Backend, enter your login slug in the first field, and then add a redirection slug. Lastly, click on the Save button to make changes.

#5. Enable Brute Force Protection in iThemes Security

iThemes Security has two brute force protection features: Local Brute Force Protection and Network Brute Force Protection.

Local Brute Force Protection: This locks out users who attempt to access your website per lockout rules specified locally on your WordPress website.
Network Brute Force Protection: It bans users who have tried to break into other websites from breaking into your website.

How to Enable Brute Force Protection in iThemes Security Plugin?

Toggle on both features in iThemes Security plugin by following this sequence. Security (from the left side menu) >> Settings (from the dropdown menu) >> Features >> Lookouts.

#6. Implement CAPTCHA

CAPTCHA differentiates between humans and bots, so only humans will be able to perform certain actions on your website.

iThemes Security PRO allows you to add CAPTCHA to your WordPress login page, comments section, and contact form. This ensures stopping bots from trying to log into your website, leaving a comment, and sending you a message.

Quick Note: If you want to use a free separate plugin, then you should use Google Captcha, which is good.

#7. Use A Web Application Firewall

During brute force attacks, your WordPress login page is bombarded with an unlimited number of requests, which significantly slows down your website. To filters out web requests, you should use a Web Application Firewall (WAF).

Web Application Firewall checks incoming web requests and filters out bad traffic, so that only genuine requests will be sent to your web hosting server. This protects your website from the most common types of attacks.

Cloudflare is one of the best Web Application Firewalls that create a shield between your application and the internet. This shield stops many common attacks.

Conclusion

Brute force attack is the common form of password attack wherein hackers attempt to guess your valid login credentials (username and password).

Even if brute force attacks aren’t successful, they significantly slow down your website. Thus, you need to implement the aforementioned best security practices to stop brute force attacks on your server.

I hope you found useful our guide about how to prevent brute force attacks on WordPress websites.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.