WordPress Brute Force Protection | thefancyrobot.com

Stop WordPress Brute Force Attacks

Brute force attacks are the most common type of attack on WordPress websites. It’s an old-school technique and, by far, the easiest to implement. A brute force attack is when a malicious visitor tries to repeatedly log in to your WordPress website using different passwords each time. It’s easy to find a WordPress brute force script by simply searching google or GitHub.

The only way to completely stop brute force attacks is to instantly block the IP address of anyone that enters a wrong password. In doing so you will almost certainly lock yourself out of your own site and no one wants to deal with that mess. While I don’t recommend going through the paces necessary to completely stop brute force attacks, it is worthwhile to make it such a chore that it’s not worth the effort.

The easiest way to do this is to install a security plugin. I’m generally not one to immediately tell you to install a plugin, but security is a complicated and ever-changing landscape. Unless you intend to dedicate most of your time to solving security issues, I would say this is the first thing you should do after installing WordPress. A good security plugin will protect you from more than just brute force attacks as well.

While there are more than a few security plugins, I personally recommend Wordfence. There is a premium version of this plugin, but I’ve never found the need to pay for it. I also use BBQ in conjuction with Wordfence, and they work wonderfully together.

How To Set Up Wordfence

I’m not going to get very deep into the Wordfence settings, as that is outside the scope of this article, but I will show you what settings to change to defend against brute force attacks.

    1. In your admin sidebar go to
      Wordfence > firewall

      Wordfence Firewall Nav

    2. Select
      All Firewall Options

      All Firewall Options | thefancyrobot.com

    3. Scroll down to Brute Force Protection and change the settings accordingly

      I like to set the login failures and forgot password attempts to 3 just in case I have a brain fart when trying to log in to the backend of my sites. This has happened before and I’m sure it will happen again. Just be aware that if you lock yourself out, you will be locked out for whatever setting you choose. If you can deal with that, then go ahead and set those lower.

    4. The most common usernames used for a brute force attack when the username is unknown are:
      • admin
      • test
      • your primary domain (e.g. in my case that would be thefancyrobot
    5. Save your settings and you’re all set. This will lock out anyone trying to brute force your site for however long you’ve set. This makes it quite a pain for anyone to successfully carry out a brute force attack on your WordPress website.

Leave a Reply

1 Comment threads
0 Thread replies
Most reacted comment
Hottest comment thread
1 Comment authors
minneapolis web desi Recent comment authors
newest oldest most voted
Notify of
minneapolis web desi
minneapolis web desi

This is an awesome post. Really very informative and creative contents.