Protecting Your WordPress Site From Brute Force Attacks

wordpress brute force attack protection

Brute force attacks – the type of attack where hackers cycle through letters and numbers in an attempt to crack passwords – are rife online. In the last fortnight the target of these attacks have been the owners of WordPress blogs and websites.

A botnet made up of tens of thousands of computers, many of which were merely home PCs, hit WordPress users in what is thought by experts to be part of a much larger attack. However the attacker’s identity is as of yet unknown.

Botnet attacks have been successful against WordPress users for several reasons. Firstly, the WordPress platform itself offers unlimited login attempts, meaning hackers can continue a brute force attack until either they are detected or they gain access. While there is nothing the average WordPress user can do about this set-up, it is worth being aware of and there are simple tactics every user can employ in order to make websites and blogs on this platform substantially more secure against it.

Update your username

Hands up if your WordPress username is still the automatic “admin” you were granted when you first set up your account. The recent botnet has used the “admin” username to gain access to countless WordPress blogs and websites, as it means only the password portion of the login details has to be guessed in order to get in. The solution? It’s simple… change your username. Something unique to you will help protect the precious content you’ve worked hard to build. Don’t make it easy for the bad guys to gain access.

While you’re making the effort to change your username, try to make it a little more complex and a little less obvious to ensure unwanted visitors find trespassing even more difficult. Place the following usernames on your vetoed list too:


First names – ie “Paul”

First names and surnames – ie “PaulSmith”

Place the emphasis on passwords

You’ve probably already been subject to the lectures on password complexity but a good strong one really can protect your content management system from unwanted visitors. WordPress’ founder suggests that using a strong password and changing your username can put you in front of 99% of the the websites out there, saying you’ll “probably never have a problem.”

Brute force attacks can take place over hours, days or weeks – but the more obvious your password, the quicker it is for hackers to gain access. Following these rules should ensure your security:

  • Don’t use real words or names to make up your password
  • Make it 8 characters or more
  • Use letters (both upper and lowercase), as well as numbers and symbols

2 Responses to “Protecting Your WordPress Site From Brute Force Attacks”

  1. Hardwood Garden benches

    Nice little article and some interesting points raised. Whilst by default wordpress is very secure, obviously extra emphasis on the usernames and passwords is great practice. You can also use IP deny in htaccess on the wp-admin folder to only allow a few IP addresses of your choosing to be able to access it. A much more secure way of stopping brute force attacks.

  2. James Robert

    I have been very concerned about any kind of hacker attempts on my company’s website as well as my clients’. I recently purchased Backup Buddy from Ithemes, which backs up my WP websites. In the case I need help due to hackers, I can simply use that backup plugin to restore my website.


Leave a Reply