How to Mitigate Brute Force Login Attempts on a WordPress Site

On
Blue Host Creative A boxer with black glovesIt's an open fact that a self-hosted WordPress site is often a prime target of hackers on the web. They use different ways to try penetrating a WordPress installation and one of them is the good old brute force login attack. Unfortunately, a good percentage of website owners are unaware of this potential threat and end up losing their site to a hacker. With a little awareness and a few steps taken preemptively, we can safeguard and limit the severity of these brute force login attacks. And, that's what we're going to learn in the following tutorial. Though one cannot stop these attacks altogether, but we can definitely mitigate it effectively. The tips and techniques discussed below can nullify these attacks to such an extent that it'll become almost impossible to penetrate your WordPress site through a brute force login method. One doesn't need to be a coding ninja to apply the defenses against such attacks. It's a one-time exercise one can complete in a few easy steps. If you're ready for it, make sure you've first taken a backup of your blog.

A boxer with black gloves
If you're not confident in applying the techniques mentioned below, do not hesitate in taking help of a professional. Apart from this, you can also strength the overall security of your WordPress site.

Read Also:
Beginners Guide to Securing a Self-Hosted WordPress Website


So, let's get started and learn about countering brute force login attacks aimed at our WordPress site. You can apply these security measures in any order.

1. Change the Default Login URL

Every CMS—by default—comes preconfigured with several default URLs to complete different types of actions and processes. And, one such action is the login process.

WordPress too uses a preconfigured default login URL domain.com/wp-login.php to facilitate access of dashboard for managing the website. And, that's what hackers use to launch brute force login attacks on a website. So, how to deal with this situation?

What if we change the default login URL to an entirely different URL which cannot be guessed—easily?

Custom WordPress login URL
To do so, we can use the WPS Hide Login plugin. Through it, you can easily create a random slug (see image above) for the login page.

Make sure you bookmark or memorize the new login URL else you won't be able to access the dashboard. This plugin simply intercepts the requests for the default login URL and redirects them to the page you've specified with the plugin settings.

2. Restrict Login Attempts With Lockout Periods

Now that we've changed the default login URL, it's time to move on to the next step to further strengthen our security against brute force login attacks.

If—somehow—a hacker manages to find the new custom login URL, we can restrict the number of unsuccessful login attempts one can trigger at a given time. It's a kind of mitigation to curb a large influx of brute force login attempts.

Login attempts restriction for a WordPress site
We can easily enforce these restrictions through the WPS Limit Login plugin. When activated, the default settings of this plugin are good enough to handle such attacks on most websites.

In case, you're experiencing a larger volume of such attempts, you can adjust the settings as per your requirements. The settings shown above are the recommended ones.

This specific measure is a huge obstacle for the hackers even if you're using the default login URL. So, make sure you do not skip this method and enforce it on your site—without any fail.

3. Use (2FA) Two Factor Authentication

Though the first two steps mentioned above are sufficient in countering brute force login attacks, there's no harm adding more cushion to it.

And, that can be done by adding one more authentication layer to the login process. With the advent of new technologies, we can add 2FA to the default WordPress login process.

Once configured, it requires verification of a soft token (kind of an OTP) to login to the dashboard.

Google Authenticator for 2FA in WordPress
And, to setup and configure this 2FA system on our WordPress site, we can use the 2FAS Light – Google Authenticator plugin. It's free-to-use and can be configured in no time.

Although the plugin recommends the use of Google Authenticator, I personally found Authy much better to work with. You can try out both to see which one fits your needs.

If you do not find this plugin—good enough—for your needs, you can try out other 2FA plugins as well.

4. Use Extremely Strong Passwords

Though it is quite obvious, still, a good percentage of WordPress users use extremely weak passwords. Sometimes, the site owner is completely unaware of this problem and sometimes he is completely ignorant. If it's the latter case, a hacked site's blame should be—entirely—on you.

So, go ahead, and check if you're using a weak password or not, If yes, change it with a stronger one—right away! There are two simple ways to do it.

Default WordPress password settings
The default WordPress password generation option accessible through the Generate Password button is what you should use instead of manually typing a comparatively weak password.

Or, you can use a password generator to instantly create a strong one with a click of a button.

In both cases, the generated password is quite difficult to remember, so make sure you've saved it in a secure vault on the web. The second option is—therefore—the recommended way to deal with it.

5. Use Cryptic Admin Username

It's the administrator's account that is the prime target of the hackers while launching a brute force login attack. If they already know the administrator's account username, half the battle has already been won.

Now, all they need is to crack the password. What if they don't know the username of the administrator's account? Naturally, it'll make things difficult for them. And, that's what we need to ensure.

Pro Tip: Always use an editor or author account to publish content on the site. Never use an admin account for the same. This way, you'll never expose your admin username to the public.


Generally, the administrator's account username is 'admin' which is obviously quite easily guessable. There are two ways to change this username to something different.

The first method is comparatively an easier one. And, for that, you'll need to install the Username Changer plugin. It's a lightweight plugin that does its job—flawlessly.

Change of username within WordPress dashboard
Once activated, this plugin adds a handy link to change the username with ease. Simply, click it and edit the current username to something that's difficult to guess.

Read Also:
How to Inspect Registered User Activities on a WordPress Site


The second method is the manual one. First, create a second administrator account with a username that's difficult to guess. Now, delete the old administrator account with a weak or simple username.

WordPress admin account deletion process
While deleting the old administrator account, you'll be asked to select a new administrator account, to which, all the old account's content should be attributed to.

From the drop-down list, select the new administrator account (see the image above) and click the Confirm Deletion button to complete the process.