How to Defend Against a WordPress Brute Force Attack

There are a lot of unscrupulous individuals out there that have been breaking into people’s WordPress websites and causing havoc on servers in general.

One of the ways these individuals are doing this is by using what’s called a WordPress brute force attack.

A WordPress brute force attack is when a hacker, or rather a slime-of-the-earth hacker, sics a bot (hacker program) on your WordPress login area to gain access to your administrative panel.

This bot tries to guess your username and password by using processing power to enter as many combinations as possible until it guesses correctly, hence the name WordPress brute force attack.

A WordPress brute force attack is scary and awful for two reasons:

#1. The obvious concern is that someone could gain access to your website backend and potentially destroy your website, steal sensitive user information, and even install hidden malware in the background of your website that loads viruses on your site visitor’s system. Eek!!! 😯

#2. The less obvious concern is the effect on your server. Distributed denial of service attacks or DDoS attacks are caused in a variety of ways. One of those ways is with a WordPress brute force attack.

The program that the hacker uses to implement the attack makes thousands of requests to your server and essentially cripples it in the process. Because the server is so busy with the hacker’s program requests it slows down to a crawl so regular users can’t access it.

This has caused a major problem for many hosting companies and website owners alike. The problem is that many hosts choose the wrong solution to this problem and make matters worse.

Now that we know what a WordPress brute force attack is, let’s go over how to properly defend against it.

There are some traditional methods that some inexperienced web hosts implement to prevent these attacks. One of those methods was implemented by my former web host (I won’t mention any names) 😠.

They added a CAPTCHA to all of the WordPress .htaccess files on my server (without notifying me I might add). It caused all kinds of issues with other WordPress plugins and quite frankly is just an ugly hack.

We are going to take a look at the proper way to defend against a WordPress brute force attack with a well thought out and properly programmed WordPress plugin.


The BruteProtect plugin is what I used to recommend to defend against DNS attacks, but since Automattic took over the plugin and integrated it into Jetpack, that’s no longer an option. You have to install Jetpack in order to use this feature and I am not a fan of that particular plugin.

Plan B

Step 1: CloudFlare

Now that the BruteProtect plugin is not an option I have moved all websites under my control to CloudFlare. CloudFlare is a free CDN (Content Delivery Network) and also has a lot of features to mitigate attempts to hack your website. They have free and paid service plans but the free plan is good enough for my purposes.

You can find out more about CloudFlare at

Step 2: Google ReCaptcha

Now that you are set up on CloudFlare you’re going to want to set up the Google reCAPTCHA service on your administrative login page. My favorite WordPress plugin for this service is: Google Captcha (reCAPTCHA) by BestWebSoft. You can download that plugin here.

reCAPTCHA won’t completely mitigate DNS attacks, but it is another piece of the puzzle in a system to stop hackers from attacking your website.

Step 3: WordFence Plugin

The WordFence plugin is a Firewall & Malware Scanner. It has a lot of the same features that BruteProtect had plus a bunch more. It’s my go to plugin when I know a website is having a problem with hackers.

You can check out WordFence at or at their website at

I hope this helps you lock down your website and stop those annoying hackers from doing what they do.

Please feel free to comment or ask any questions you may have.

Thank you for reading.

Shawn Hayes
Share Web Design
