Brute force attacks can be a big problem for WordPress administrators. If you’ve found your admin page hit with a barrage of failed login attempts, then you’re probably wondering how best to stop it.
And if this hasn’t happened to you yet, you’ll want to be proactive. A successful brute force attack can lead to a whole host of bad things, including hacked WordPress accounts, website defacement, and malware infections, among other serious issues.
Luckily, there are plenty of ways to prevent brute force attacks, or at the very least reduce their impact. Some are possible with a default WordPress installation, while others work with specific plugins. In this post, we’ll dive into some of the best ways to prevent and reduce brute force attacks, as well as provide some general information on the topic.
What are brute force attacks in WordPress?
A brute force attack is a method bad actors use to gain access to your WordPress website. They do this by systematically trying a large number of password/username combinations, often using automated scripts or bots.
In a brute force attack, bad actors will often deploy automated scripts that crawl the web looking for WordPress website login pages. When they find one, the bot proceeds to test a large number of username and password combinations, attempting to guess the correct one.
Types of brute force attacks
Brute force attacks come in various forms, including:
- Simple brute force attacks – These are the most “inefficient” brute force attacks since they go through all possible combinations one by one. This means that it generally takes far more tries to successfully guess a password than with the other types.
- Dictionary attacks – Dictionary attacks are a smarter version. Bad actors use long lists of common passwords and try each of them in turn, often including common words from the dictionary and variations of them, for example, with amended numbers. Dictionary lists can be found online and therefore, these days, these “smarter” brute force attacks are more common.
- Credential stuffing – In this sophisticated form of brute force attacks, cybercriminals use stolen username and password combinations obtained from past data breaches on other platforms. Automated bots test these combos on various WordPress websites. Since people tend to reuse passwords across different platforms, this can be very effective. This is the reason why security best practices insist on not reusing passwords you use on other accounts.
- Reverse brute force attacks – In a reverse attack, rather than trying thousands of passwords against a known username, attackers try a common password or list of passwords against multiple guessed or enumerated usernames.
Does WordPress have brute force protection?
Unfortunately, out of the box, there’s very little in the way of WordPress brute force login protection. By default, WordPress allows for unlimited login attempts, so bots are free to execute as many login attempts as they want, assuming they’re not blocked in other ways.
There are also several aspects of WordPress that make it a common target for these attacks. The most important one is that, by default, the login page is always located at the same URL. This means it’s very easy for anyone to find it and start running a brute-forcing script on it.
Also, the default username for the administrator is always “admin”. This means that bad actors don’t need to waste time trying to guess your username if you have stuck with the default setup.
Given the above, you’d think that you’re starting on the back foot when using WordPress. However, this isn’t necessarily the case.
Sure, there are aspects of a default WordPress installation that make it an easier target. However, by changing a few settings and installing the right plugin, you can quite easily mitigate these things.
As a matter of fact, you can actually harden the WordPress login page/process to such an extent that it becomes extremely hard for a brute force attack to be successful. We’ll cover how to do this next!
How can you prevent brute force attacks?
There are various setting changes and controls that can be implemented to prevent WordPress brute force attacks. Some of these can even have a major impact on their own. However, it’s always a good idea to implement multiple controls to really get the best results. Things happen: A functionality could fail temporarily, or a developer could accidentally change a setting. By layering multiple controls, you can prevent a single point of failure from causing issues in the future.
By limiting the number of failed login attempts, you can prevent most types of brute force attacks that rely on cracking a password for individual users.
Change the login URL
WordPress’s standardized nature is its bane and benefit; learning it is very easy, and starting a new WordPress website is fast once you’re used to the platform. But every WordPress install is set up the same way initially, which makes it easier for anyone to break in, especially with automated tools.
By default, the login page for WordPress is always located at the same URL, which is yourwebsite.com/wp-login.php. It’s easy for bad actors to scan for these URLs, giving them plenty of targets for brute force attacks. Not only that, but the standardized nature also makes it very easy to create a bot for the WP login form, which can be used on all of the login pages they find.
Changing the login URL is a great way to obscure the point of entry attackers rely on. Most bad actors and their bots are just looking for easy targets – they may try a few other obvious alternate URLs like /login, but will quickly move on if they can’t find the WordPress login page. After all, there are millions of WordPress sites.
Changing the WordPress login URL can help prevent basic crawlers from discovering your login page, potentially reducing the number of brute force attacks you have to deal with.
Now, this is far from foolproof. In more targeted attacks where a bad actor has a particular interest in your site, they can perform site scans to try and uncover your login page. So it does very little to stop a more committed attacker. However, for brute force attacks that use a script searching for default WordPress login URLs, this is a pretty good security control to implement.
Password protect the WordPress admin directory
Changing the login URL alone is not always good enough to stop people from getting to a login page. Using a site scan or similar methods, a determined bot or individual can usually still find your login page.
As an extra layer of protection, it’s possible to password-protect the admin directory. Anyone who navigates to your WordPress admin pages, including your login page, will be prompted to enter a password before they can even attempt to log in with an account.
This means that a bad actor would first need to crack this password before they’d even be able to attempt a brute force attack on the actual login form.
Change the default WordPress username
Another quick step you can take is to change the default admin username. By default, all original WordPress administrators have the username “admin” which means bad actors don’t have to guess the username if you use the default one.
Changing this username to something less predictable can reduce the effectiveness of certain automated brute force attacks. However, this isn’t going to stop the majority of brute force attacks like some of the other controls mentioned in this list. Nevertheless, it can be worth doing, especially for important accounts with lots of permissions, like your administrator account.
Use and enforce strong passwords
One of the most important ways to keep bad actors out is by ensuring your WordPress site users use strong passwords. You can achieve this by enforcing strong password policies. Strong passwords won’t stop bad actors from trying, but they will reduce the likelihood of them getting access to your accounts.
Weak passwords mean that brute force attacks are much more likely to succeed, as these can be easily guessed and are easier to crack than longer, complex passwords.
A strong password typically:
- Is 12+ characters long – the longer, the better.
- Includes a mix of uppercase and lowercase letters, numbers, and special characters (@, #, $, etc.)
- Does not include easily guessable words or phrases (password, p@ssw0rd, 1234, qwerty, etc.)
By forcing your users to use strong passwords, you drastically reduce the risk of bad actors brute forcing them.
Melapress Login Security will allow you to set up minimum password requirements and enforce the use of strong passwords. You can also encourage or require users to update their passwords regularly.
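As an added illustration of the three rules above (not code from the page or from any Melapress plugin), here is a small policy checker. It goes one step beyond the list by undoing common leetspeak substitutions before the wordlist check, so that "p@ssw0rd" is caught as "password"; the wordlist, the substitution table and the sample passwords are constructed for this example.

```python
import re

# Words the page lists as easily guessable, plus a few constructed extras.
GUESSABLE_WORDS = ("password", "qwerty", "1234", "letmein", "welcome", "admin")

# Undo common leetspeak substitutions so "p@ssw0rd" normalises to "password" (constructed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t", "!": "i"})

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Lower-case the password and reverse leet substitutions for the wordlist check."""
    return password.lower().translate(LEET)


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    # Check both the raw lower-cased form (catches "1234") and the de-leeted form (catches "p@ssw0rd").
    raw = password.lower()
    norm = normalize(password)
    for word in GUESSABLE_WORDS:
        if word in raw or word in norm:
            problems.append(f"contains guessable word '{word}'")
    if username and len(username) >= 3 and (username.lower() in raw or username.lower() in norm):
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "Qwerty123456!", "Blue-Kettle_Orbit42!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker returns every violation rather than stopping at the first one, so a signup or profile form can show the user the full list at once.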
Add two-factor authentication
Adding two-factor authentication, or 2FA, to WordPress is one of the most effective measures you can take to prevent successful brute force attacks.
2FA adds an extra layer of security by requiring users to provide two forms of authentication before gaining access to their accounts. The first factor is their account password, which remains the same. However, a second factor is added, meaning that just cracking a password isn’t enough for a bad actor to gain access to an account.
This second factor is usually a temporary code in an authenticator app, like Google Authenticator, or even a code sent to their email or via text. Only by entering the correct code can the account be accessed.
It’s surprisingly easy to implement 2FA on your WordPress site using our WP 2FA plugin. It allows you to choose multiple 2FA methods and can be set up in a matter of minutes!
Geoblock certain regions
Geoblocking can be an effective way to prevent brute force attacks, especially if you notice that the attacks are coming from particular regions. It allows you to prevent login attempts from countries where people shouldn’t be logging in from.
For example, if your administrators, developers, and users are all in the US, there shouldn’t be any login attempts from Europe or Asia. By setting up geoblocking to prevent login attempts from these regions, you can prevent people or bots from trying to log in from IP addresses in these regions.
Keep in mind that this works by detecting the IP address of incoming traffic. It’s not foolproof because IP addresses can be spoofed, and VPNs can be used to obscure the country of origin. Nevertheless, it can block a portion of the malicious traffic you get from these regions.
According to one study by CyberProof, the top countries of origin for cyberattacks in 2021 were China, the US, Brazil, India, and Germany. Another study pointed out China, the US, India, South Korea, and Brazil as the top five.
This is usually not because the attacks actually originate in these countries, but because a large number of compromised devices there, such as computers and IoT devices, are used to launch them. Blocking these locations prevents those devices from performing login attempts, making it harder to carry out a brute force attack at scale.
IP blacklisting and whitelisting
Every computer that accesses your website has its own identifier, an IP address. Through blacklisting and whitelisting, you can prevent certain IPs from accessing your login page (or your entire WordPress website), or prevent all but specific whitelisted IPs from logging in.
There are two ways to go about this. The first approach is to blacklist known malicious IPs. There are IP address block lists out there, and some come bundled with security plugins. This can help prevent some malicious login attempts. However, it doesn’t cover all of the potential IP addresses bad actors might use. This limits its effectiveness to some extent.
The second approach, safer but more restrictive, involves blocking all IPs and only allowing trusted ones to log in. This is called whitelisting. If you have a WordPress site that allows any user to make an account, this won’t work. And the more trusted users and editors you have, the harder this is to implement since you’d need to whitelist every single IP address they use. That being said, it is very secure if implemented properly, given users will only be able to log in from their own individual IP.
Whitelisting IP addresses will only work if users log in from a static IP address. If they use a dynamic IP, mobile proxy, or similar, this won’t work since their IP address can change far too often.
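The following added example (written for this article, not taken from any plugin) evaluates one login request against the controls discussed in the geoblocking and IP list sections: a blocklist, an optional allowlist mode, and a country block. It also covers a caveat the sections imply but do not spell out: when the site sits behind a CDN or proxy, the client address arrives in an X-Forwarded-For header that anyone can forge, so it is only honoured when the direct peer is a known proxy. All addresses come from the RFC 5737 documentation ranges, and the country table is a constructed stand-in for a lookup service such as IPLocate.io.

```python
import ipaddress

# Constructed sample policy: documentation ranges, not real attacker addresses.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/25")]
ALLOWLIST = [ipaddress.ip_network("198.51.100.10/32"), ipaddress.ip_network("192.0.2.0/28")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.200/32")]  # the CDN/WAF node in front of the site
BLOCKED_COUNTRIES = {"DE"}

# Toy geolocation table standing in for a real lookup service (constructed).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}


def in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def client_ip(remote_addr: str, x_forwarded_for=None):
    """Resolve the real client address, trusting X-Forwarded-For only from a known proxy."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and in_any(peer, TRUSTED_PROXIES):
        # The trusted proxy appends the address it saw last, so take the right-most entry.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer  # header ignored: a direct client could have written anything into it


def country_of(ip):
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None


def login_allowed(remote_addr: str, x_forwarded_for=None, allowlist_mode: bool = False):
    """Return (allowed, reason) for a login request from the given connection."""
    ip = client_ip(remote_addr, x_forwarded_for)
    if in_any(ip, BLOCKLIST):
        return False, "blocklisted"
    if allowlist_mode and not in_any(ip, ALLOWLIST):
        return False, "not on allowlist"
    country = country_of(ip)
    if country in BLOCKED_COUNTRIES:
        return False, f"geoblocked ({country})"
    return True, "ok"


if __name__ == "__main__":
    print(login_allowed("203.0.113.7"))
    print(login_allowed("192.0.2.200", x_forwarded_for="203.0.113.7"))
    print(login_allowed("198.51.100.11", allowlist_mode=True))
```

The order of checks matters: the blocklist runs first so a listed address is refused even when it happens to be in an allowed country, and allowlist mode is a separate switch so a site that lets the public register can leave it off while still using the other two controls.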
Set up user roles and policies
When creating WordPress user roles and assigning permissions, you should follow the “principle of least privilege” – each person should only have access to what they need to do their job.
For example, rather than assigning the Editor role to one of your new content writers, which would give them the ability to delete and edit any post on the WordPress site, consider instead assigning the Author role, which would only let them manage their own posts.
This way, if a brute force attack does succeed on this account, the attacker gains no more permissions than that account already had. The fewer users with administrative or editing access, the fewer targets that could be exploited, and the less damage a compromised account can do.
Besides setting WordPress’ predefined user roles, you can also create custom roles and permissions using a plugin. Just make sure to thoroughly test any roles you create and ensure that your employees can do their job properly.
Use a WAF to block bad bots
A Web Application Firewall, or WAF, is one of the most effective ways to shut down threats – not just brute force attacks, but other kinds of malware and exploits that bad actors may bring to your website.
A WAF sits between your website and incoming traffic, filtering and monitoring HTTP requests to detect and block malicious traffic before it reaches your server. Besides blocking lists of known malicious IPs, many WAFs utilize advanced algorithms and AI to detect malicious activity and shut it down in real-time.
WAFs are available through security plugins as well as via CDNs such as Cloudflare.
How to stop brute force attacks with Melapress Login Security
Many of the solutions above simply can’t be done in a default installation of WordPress. Others can be, but require modifying server files and may be difficult to do. The easiest way to implement many of these controls is to use a WordPress security plugin.
For this guide, we’ll be using the premium version of our very own Melapress Login Security plugin along with some other plugins we offer, for things like 2FA. These powerful plugins can do everything listed above and more, so they’re the perfect candidates.
Step 1. Install Melapress Login Security
First up, you’ll need to install Melapress Login Security. If you want to try out the plugin first, a free version is available to try. You can install this through Plugins > Add New from your WordPress admin dashboard.
However, we’ll be using the premium version for this blog post. After purchasing the premium version of Melapress Login Security, you can install and activate it by logging into your account, downloading the premium plugin, and uploading it through the Upload Plugin button on Plugins > Add New.
Step 2. Set up login security policies
With the plugin installed, you should see a new Login Security section in your admin dashboard. Click it to be taken to Login Security > Login Security Policies. Click the checkmark beside Enable login security policies to get started.
More settings should appear now. This is where you activate the login policies. Here’s an overview of what you can do.
In the Password policies heading, you can enforce strong passwords and prevent users from creating easily guessable ones. You can also:
- Set a minimum character limit
- Enable password expiry
- Prevent password reuse
- Reset password on first login
- Disable sending of password reset links
Limit login attempts
Limiting login attempts takes away the very thing brute force attacks depend on to break through the WordPress login. By activating this policy, Melapress Login Security automatically blocks users after multiple failed login attempts. You can configure the time period after which they can attempt to log in again, and even prevent them from attempting more logins until an admin manually unblocks them.
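To make the mechanics of this policy concrete, here is an added example of a login attempt limiter written for this article (it is not the plugin's code). It keeps the counter per IP-and-username pair that the paragraph describes, supports both a timed lockout and a lockout that lasts until an administrator unblocks, and adds a second, higher threshold per IP across all usernames, which is what catches the reverse brute force described earlier (one password tried against many usernames would otherwise stay under the per-account limit). Thresholds and timestamps in the tests are constructed.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Block a client after too many failed logins inside a sliding window."""

    def __init__(self, max_failures=5, max_failures_per_ip=20, window=300,
                 lockout=900, until_admin_unblocks=False):
        self.max_failures = max_failures              # per (ip, username)
        self.max_failures_per_ip = max_failures_per_ip  # per ip, any username
        self.window = window                          # seconds in which failures are counted
        self.lockout = lockout                        # seconds a timed block lasts
        self.until_admin_unblocks = until_admin_unblocks
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> expiry, or None for "until unblocked by an admin"

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("acct", ip, username.lower()))

    def is_blocked(self, ip, username, now=None) -> bool:
        now = time.time() if now is None else now
        for key in self._keys(ip, username):
            if key not in self._blocked_until:
                continue
            until = self._blocked_until[key]
            if until is None or now < until:
                return True
            # Timed block has expired: forget it and start counting afresh.
            del self._blocked_until[key]
            self._failures.pop(key, None)
        return False

    def record_failure(self, ip, username, now=None) -> bool:
        """Record a failed login; return True if this failure caused a new block."""
        now = time.time() if now is None else now
        triggered = False
        limits = (self.max_failures_per_ip, self.max_failures)
        for key, limit in zip(self._keys(ip, username), limits):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= limit and key not in self._blocked_until:
                self._blocked_until[key] = None if self.until_admin_unblocks else now + self.lockout
                triggered = True
        return triggered

    def record_success(self, ip, username):
        """A correct password clears the account counter (the per-IP counter keeps counting)."""
        self._failures.pop(("acct", ip, username.lower()), None)

    def unblock(self, ip, username):
        """What the admin's manual unblock button does."""
        for key in self._keys(ip, username):
            self._blocked_until.pop(key, None)
            self._failures.pop(key, None)


if __name__ == "__main__":
    limiter = LoginAttemptLimiter(max_failures=3, window=60, lockout=120)
    for t in (1000, 1005, 1010):
        print("blocked after failure at", t, ":", limiter.record_failure("203.0.113.5", "admin", now=t))
```

The limiter is keyed on IP and username together so that one attacker cannot lock a legitimate user out of their own account simply by failing on their username from elsewhere; the per-IP counter then handles the attacker who rotates usernames instead.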
The plugin includes many other policies not covered above that help you prevent brute-force attacks on your website. These include:
- Disable inactive users
- Enable session policies
- Add security questions
- Restrict user login times
- Limit IP addresses users can log in from
And much more. Since policies work independently of each other, you can pick and choose the ones you want, ensuring you can strike a balance between security and ease of access for your users.
Don’t forget to click Save Changes when you’re finished.
Not all roles are made equal, and you may wish to set up more restrictive policies for administrators compared to those with fewer permissions. Look for the Role-based policies tab at the top and hover it to select the role you want to set up special settings for.
Then untick the Inherit login security policies checkbox and set up your custom settings list. Or select Do not enforce password & login policies for this role to exempt this role from these policies.
Step 3. Harden the login page
Next, let’s add some additional hardening to your login page by changing its URL, restricting access by IP, and setting up geoblocking. All of these can be activated from the Login Security > Login page hardening screen.
Changing the login URL is simple; just enter the new login location in the Login page URL box. You can also set up a redirect in the Old login page URL redirect box, so users don’t land on a 404 page.
On the other hand, to limit access to the login page by IP address, all you need to do is add the IPs to the allowlist. You can redirect users from restricted IP addresses to any page of your choosing. You can also set a bypass as a fallback setting should your IP address change.
As for geoblocking, this is handled by IPLocate.io, so you’ll need to go there and get an API key. If your website makes 1000 requests or fewer per day, this service is entirely free to use.
Once you’ve signed up and entered your API key in Login Security > Settings > Integrations, you can go back to Login Security > Login page hardening and set up geoblocking. You can either block certain regions or only allow IPs from them.
Step 4. Set up two-factor authentication
2FA is a great way to block out unwanted bots, and we can use another one of our plugins for this: WP 2FA. This also has a free version you can try, but we’ll be showing off the premium version below.
You can install and activate WP 2FA the same way as Melapress Login Security: either purchase the premium version and upload the zip file you receive through Plugins > Add New, or search for the free version on the same page.
After installing it, the plugin’s setup wizard walks you through its basic configuration. Alternatively, head over to WP 2FA > 2FA Policies. The first thing you should do is switch Enforce 2FA on to All users or specific users and roles. You can also exclude certain roles/users instead.
You can then scroll down to the 2FA policies, which will allow you to set up the two-factor authentication method you want to use. Available options include 2FA apps, push notifications, YubiKey integrations, and many others. Here, you can also configure any of the other settings the plugin offers, including the setup grace period, trusted devices, and many others. Some supported 2FA authenticator apps include Google Authenticator, Microsoft Authenticator, Authy, Twilio, and LastPass.
Step 5. Add CAPTCHA to forms
Another way to stop automated brute force attacks perpetrated by bots is with a CAPTCHA prompt. These may appear for all users or in response to suspicious traffic, after which the user is prompted to solve a puzzle or click a button. Unusual behavior, like clicking the button instantly or failing to solve the puzzle, prevents the form from submitting.
Bots have become very sophisticated, and some can solve or bypass CAPTCHA forms, but many will get stuck and be forced to move on.
CAPTCHA 4WP is another WordPress security plugin by Melapress, and it can add CAPTCHA prompts not just to your typical forms but also to login pages.
After you install and activate the premium or free CAPTCHA 4WP plugin, navigate to CAPTCHA 4WP > CAPTCHA Configuration. Click the blue Configure CAPTCHA integration button to get started.
You’ll be prompted to choose from several different types of CAPTCHA, including the “I’m not a robot” checkbox or a type that only triggers on suspected spam traffic. You’ll also need to enter your CAPTCHA key for the service you choose, which is free.
After everything is set up, you can then adjust your CAPTCHA settings, like determining how strict the CAPTCHA score is or on what pages CAPTCHA scripts are loaded.
Next, you should visit CAPTCHA 4WP > Form Placements. Make sure at least the login form is checked. You may also wish to enable it for other WordPress pages, WooCommerce login pages, or other form plugins.
Finally, CAPTCHA 4WP > Settings may have a few options you’ll want to enable, like only showing a CAPTCHA after a certain number of unsuccessful login attempts.
Step 6. Install a WordPress Activity Log
Finally, you can help detect brute force attacks by installing an activity log and keeping a close eye out for suspicious behavior. Without an activity log plugin like WP Activity Log, you’re entirely unable to monitor incoming traffic and what users on your site are doing.
After installing WP Activity Log, you can check out the log viewer for an overview of new activity, which you can sort by user and IP to narrow down potential threats.
You can also set up custom notifications so you can receive email or SMS alerts whenever anything alarming happens – alongside generating detailed reports of everything that’s been going on with your website.
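As an added example of the "sort by user and IP to narrow down potential threats" step, here is a small detector that runs over failed-login records such as an activity log would hold. It is written for this article, not taken from WP Activity Log, and the line format and every log line are constructed (addresses are from the RFC 5737 documentation ranges). It labels three patterns from the types section: many failures from one IP on one username (a targeted brute force), one IP cycling through many usernames (a reverse brute force), and many IPs converging on one account (a distributed attack such as credential stuffing).

```python
import re
from collections import defaultdict

# Constructed record format; adapt LINE_RE to whatever your log actually emits.
LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<result>failed|success) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log: one targeted attack, one reverse attack, one distributed attack, plus noise.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z login=failed user=admin ip=203.0.113.5" for i in range(6)]
    + [f"2024-05-01T10:01:{i:02d}Z login=failed user={u} ip=198.51.100.7"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [f"2024-05-01T10:02:{i:02d}Z login=failed user=editor ip=192.0.2.{i + 1}" for i in range(5)]
    + [
        "2024-05-01T10:03:00Z login=failed user=alice ip=192.0.2.99",   # one typo, then success
        "2024-05-01T10:03:05Z login=success user=alice ip=192.0.2.99",
        "this line is not a login record and is skipped",
    ]
)


def parse(lines):
    """Yield dicts for lines that match LINE_RE; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(lines, min_failures=5, min_usernames=5, min_ips=5):
    """Aggregate failed logins by IP and by username and return a list of findings."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    by_user = defaultdict(lambda: {"failures": 0, "ips": set()})
    for ev in parse(lines):
        if ev["result"] != "failed":
            continue
        by_ip[ev["ip"]]["failures"] += 1
        by_ip[ev["ip"]]["users"].add(ev["user"])
        by_user[ev["user"]]["failures"] += 1
        by_user[ev["user"]]["ips"].add(ev["ip"])

    findings = []
    for ip, s in sorted(by_ip.items()):
        if len(s["users"]) >= min_usernames:
            findings.append({"kind": "reverse", "ip": ip, "usernames": len(s["users"]), "failures": s["failures"]})
        elif s["failures"] >= min_failures and len(s["users"]) == 1:
            findings.append({"kind": "targeted", "ip": ip, "user": next(iter(s["users"])), "failures": s["failures"]})
    for user, s in sorted(by_user.items()):
        if len(s["ips"]) >= min_ips:
            findings.append({"kind": "distributed", "user": user, "ips": len(s["ips"]), "failures": s["failures"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The distributed case is the one a per-IP lockout never sees, since each address fails only once; it only shows up when the log is grouped by username, which is why the article suggests sorting by both.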
Stop brute force attacks before they happen
Automated brute force attacks are unfortunately common in WordPress, and you will likely end up getting hit by these attacks yourself if you haven’t already. Proactive measures in WordPress brute force login protection will prevent these bad bots from breaking into your website, stealing your credentials, and defacing your work.
Since WordPress doesn’t have much in the way of brute force protection built in, you’ll likely need a plugin to handle this, and Melapress Login Security is the tool for the job. Almost everything you need to stop brute force attacks is built into the plugin.