Standing up against WordPress brute force attack

Jul 31

Standing up against WordPress brute force attack is not a difficult task especially if you have the right tools. A lot of hosting providers these days lock up the WordPress’s login page in case your WordPress is under a brute force attack. This may not by enough as the attackers won’t stop and the lock out time will become really annoying. Also your provider may not lock up the login page, so here are some steps in order to stand up against the attack.

  1. Install Better WP Security plugin
  2. This is a must have plugin. Although you can do almost all the work manually, having it will reduce the pain. Better WP Security plugin will allow you to do some of the following tasks easily.

  3. Change default WordPress admin username and remove user with ID 1
  4. This can be easily done using Better WP Security plugin. After successfully changing the default user and removing user with ID 1 your Better WP Security plugin should look like this:

    Better wp security dashboard

    Better wp security user section

    Attackers are usually targeting the default username, so even having an administrator username of admin123 could significantly reduce the likelihood of your site being successfully logged into by a malicious user.

  5. Use a strong password
  6. Just use some password generator tool to get a good one.

  7. Hide your backend
  8. This will save you some hassle. It will make it a little bit harder for attackers to find their way into your site. Go to the Hide tab in the plugin’s page, check the option and choose new slugs for login and admin pages.

    Better wp security plugin - Hide tab

  9. Limit Login Attempts
  10. These words from Better WP Security plugin best describe this point:

    If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attach, known as a brute force attack, is something that WordPress is acutely susceptible by default as the system doesn’t care how many attempts a user makes to login. It will always let you try again. Enabling login limits will ban the host user from attempting to login again after the specified bad login threshold has been reached.

    To limit the login attempts, just go to the login tab in the plugin’s page and configure it.

    better wp security - login tab

    I think it’s pretty easy to find your way in configuring this page but you will have to chose one of these:

    • Automatically ban the IPs
    • As said before this can be done by configuring the plugin. Set Max Login Attempts Per Host, Max Login Attempts Per User and Blacklist Threshold low. Set both Login Time Period (minutes) and Lockout Time Period (minutes) high. Turn on Blacklist Repeat Offender and you are done. Set back and watch the plugin panning the attackers.

      Tip: Attackers use a lot of IPs not only one. They may use the IP every couple of days. Setting a Login Time Period to a really high value will assure catching them. If you put it to 4320 (3 days) that means if a bad logins done through the same IP within 3 days it will be banned.

      Tip 2: Make a backup user (administrator) to keep your self safe. You can use it if the original user got banned for any reason.

    • Manually ban the IPs
    • You might need managing the banning process manually. You have to know how many time each IP tried logging in to your site. The log tab in Better WP Security plugin doesn’t show the IP of the attacker. So you will need to do it through the WordPress database. Run the following query:

      This will give you all the IPs who tried login with admin and how many times each IP tried logging in.


      Then you should ban the IPs through the Ban tab.

      Better wp security - Ban tab

      Tip 3: this query will get you the number of different IPs who tried logging in with admin:

For now, this should keep you safe. Good Luck 🙂

Leave a Reply