Prevent brute-force attacks on your WordPress site

By : Christopher Wray | July 15, 2015 | Blog

Prevent brute-force attacks on your WordPress site

July 15, 2015

What is a brute-force attack?

A brute-force attack is the simplest way for a bot or hacker to gain access to your website. Brute-force attacks work by trying hundreds of usernames and passwords in order to see if they can gain access to a website.

A brute-force attack bot acts very quickly, working through a multitude of possible usernames and passwords to see if they can gain access. Obviously the easier or shorter your password and username is, the faster it is to crack.

What happens when your site is attacked?

When a bot hits your website, it is counted as a visit, much the same as an actual person visiting would be counted. During a brute-force attack, your website server is placed under massive pressure, as each incredibly fast login attempt requires WordPress to check if the login is correct on the database, taking up a lot of resources on your server and causing performance problems, and in the worst case scenario, the possibility of your site crashing all together as the servers run out of memory and stop running.

How to prevent brute-force attacks-074

Does this only happen to WordPress sites?

No, this type of attack does not only happen to WordPress sites, but due to the popularity of WordPress, it is a more frequent target.

How do I protect my site?

There are several plugins available to assist with blocking brute-force attacks, however plugins can also use up resources on the server and you may wish to incorporate a simpler solution without the use of plugins.

1. Improve your login and password

The first way to protect your site is to make sure that your login name and password are strong. When the bots are key guessing, the number of characters used in the password plays a big role in the possibility of performing a brute-force attack; therefore the longer the password, the more difficult it is to crack. You should also make sure that your password contains a collection of numbers and letters and is not simply your first name or your son’s name.

How to prevent brute-force attacks-093

2. The best protection

One of the best ways to ensure your site remains secure is by using an .htaccess file which you can upload to your website directories via FTP. This method will create a HTTP AUTH., which once in place, will require you to use an additional username and password in order to get access to your wp-admin login prompt.

Why have another login prompt, you ask? The difference with the HTTP AUTH login prompt is that it does not make calls to your WordPress database to authenticate, therefore using far less resources and preventing your site from going offline during an attack.

Here is the code you will need for the .htaccess file. This code will need to be placed within your WordPress webroot directory. E.g.: /home/wordpress/public_html/

# Protect wp-login

<Files wp-login.php>l

AuthUserFile /home/myuser/.htpasswd

AuthName “Restricted area”

AuthType Basic

require valid-user


You will now need to create an .htpasswd file. This should be placed outside your webroot directory. There are various htpasswd generators available online.

Copy the generated text and paste it into your .htpasswd file which you will create outside your webroot directory.

How to prevent brute-force attacks-083

3. Using your IP address

Another means of protection is to use your IP address as a form of protection. This will cause all other IPs that try and access your wp-admin control panel to be blocked. This method is ideal if you’re only planning to use your wp-admin panel from specific locations such as your office or home.

For this to work you will need to place a .htaccess file within your wp-admin directory. E.g.: /home/wordpress/public_html/wp-admin/

Here is the code to add to your .htaccess file:

# Deny access to wp-admin.

order deny,allow

deny from all

allow from ‘myofficeipaddress’

To implement the above, you will need to replace ‘myofficeipaddress’ with the IP where you will be accessing the admin panel from. You can add several IPs by simply adding additional “allow from” lines to the .htaccess file. If you are unsure what your external IP is, you can click here to find out.

With any or all of the above methods in place, you can be sure that your site will suffer much less from brute-force attacks and you can rest assured that your site is protected. To read more about how to ensure your WordPress site is secure click here.

For top-class WordPress Web Hosting why not chat to us? We cater for anything from a small WordPress site to super-large WordPress sites.


Here are a few more articles we have written about WordPress:

How to disable the WordPress search from your WordPress site?

Is your WordPress site secure?

Comments are closed.


Like and follow us on social media to stay updated on our latest news, product launches and events.

For information regarding COVID-19 in South Africa, please visit
Click here to chat