A Brute Force Attack is the simplest yet most effective method hackers use to break into WordPress websites.
The concept is straightforward: an automated script (bot) attempts to log in to your site by guessing thousands of username and password combinations every minute.
Because WordPress is the most popular CMS in the world, its default login structure is well-known. Hackers know exactly where your door is (/wp-login.php) and often know the default username (admin).
If you don’t have specific protections in place, it’s not a matter of if you will be attacked, but when.
In this guide, we will cover 6 essential layers of defense to make your WordPress login form virtually impenetrable.
1. Eliminate the “Admin” Username
The first half of a successful login is the username. If you use admin, administrator, or your domain name as a username, you have done 50% of the hacker’s job for them.
The Fix:
- Create a new user with Administrator privileges and a unique, hard-to-guess username (e.g.,
ted_editor_88). - Log out and log in with the new account.
- Delete the old
adminaccount and assign its posts to the new user.
FunSentry Check:
When you run a scan with FunSentry, we check for “User Enumeration” vulnerabilities. We simulate a hacker trying to discover your valid usernames. If your site reveals your real admin username, we flag it immediately.
2. Limit Login Attempts
By default, WordPress allows users to try logging in an infinite number of times. This is the design flaw that makes brute force attacks possible.
The Fix:
You must install a mechanism to block an IP address after a certain number of failed attempts (e.g., 3 failures = 20-minute lockout).
Option A: Use a Plugin (Easiest)
Install a lightweight plugin like Limit Login Attempts Reloaded. It’s free and effective.
Option B: Use a Web Application Firewall (WAF)
If you use Cloudflare or a security service, you can set a “Rate Limiting” rule for your login page.
- Rule: If an IP hits
/wp-login.phpmore than 5 times in 1 minute -> Block for 1 hour.
3. Enable Two-Factor Authentication (2FA)
This is the “silver bullet” for login security. Even if a hacker guesses your username and your password, they cannot log in without the temporary code from your phone.
The Fix:
Install a 2FA plugin like WP 2FA or Wordfence Login Security.
- Connect it to an authenticator app (Google Authenticator, Authy, or 1Password).
- Pro Tip: Enforce 2FA for all Administrator and Editor accounts.
4. Disable XML-RPC
Hackers often bypass the main login page entirely and attack via xmlrpc.php. This file allows remote connections to WordPress and has a feature (system.multicall) that lets a hacker test hundreds of passwords in a single HTTP request.
The Fix:
If you don’t use the WordPress mobile app or Jetpack, disable this file.
Add this to your .htaccess file:
Apache
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Or add this to your functions.php:
PHP
add_filter( 'xmlrpc_enabled', '__return_false' );
5. Add Server-Side Password Protection (Basic Auth)
For maximum security, you can add a second password prompt before WordPress even loads. This is called HTTP Basic Authentication.
The Fix:
You can set this up in your hosting control panel (cPanel usually has a “Directory Privacy” option) or manually via .htpasswd.
How it works:
- Visitor goes to
yoursite.com/wp-admin. - Browser shows a native popup asking for a username/password.
- If they fail, the server blocks them. WordPress never even sees the request.
This is incredibly effective because it stops bots from wasting your server resources (CPU/RAM) trying to load the heavy WordPress login page.
6. Hide the Login Page (Security Through Obscurity)
While security experts debate this, changing your login URL from /wp-login.php to something secret like /my-secret-entry/ creates a significant reduction in automated bot traffic.
The Fix:
Use a plugin like WPS Hide Login.
- Change
/wp-login.phpto/private-entry/. - Bots scanning for the default URL will get a 404 Error and move on.
Note: This is not a standalone security measure (a targeted human hacker can find the new URL), but it is excellent for reducing “noise” and server load.
Summary: Your Anti-Brute Force Checklist
| Strategy | Difficulty | Impact |
| Strong Password | Easy | ⭐⭐⭐ (Essential) |
| Limit Login Attempts | Easy | ⭐⭐⭐⭐ (Stops automated scripts) |
| 2FA (Two-Factor) | Medium | ⭐⭐⭐⭐⭐ (Near-perfect protection) |
| Disable XML-RPC | Easy | ⭐⭐⭐⭐ (Closes a major backdoor) |
| Basic Auth | Hard | ⭐⭐⭐⭐⭐ (Stops bots at the server level) |
| Hide Login URL | Easy | ⭐⭐ (Reduces log noise) |
Brute force attacks are a numbers game. Your goal is to make it mathematically impossible for a bot to guess your credentials, and too resource-intensive for them to keep trying.
Is your login page exposed?
Hackers might already know your username. Run a free security scan at FunSentry to check if your User Enumeration protection is working and if your xmlrpc.php backdoor is wide open. Secure your entry points today.