How to Protect your WordPress from Brute Force Attacks on WP-Admin

How to Protect Your WordPress Site from Brute Force Attacks?

Protect your WordPress login page from brute force attacks. Undoubtedly, one of the most frequently used blogging platforms is WordPress, and according to recent statistics, more than 30% of the top bloggers in the world drive their blogs with the help of WordPress.

Perhaps this is the reason why very often this platform is the object of interest for attack by hackers and daily holes are found in the system.

On the Internet, WordPress is increasingly being referred to as an extremely insecure CMS / Blog system, but I tend to disagree. It is a fact that in the past 10 years, complaints about security holes in WordPress have become very common, but the reason is rather the accessibility to the system itself.

We are used to thinking that Custom solutions are always better and more secure, but the only reason to access platforms with Custom CMS less often is probably the fact that not everyone has access to the source code, which in turn makes it difficult for hackers to find holes in the system.

Protect Your WordPress Site
Protect Your WordPress Site

It is the fact that WordPress is an open-source platform and everyone can see what it is about that takes hackers one step further, allowing them to find holes in the code that they naturally take advantage of. In fact, to be honest, most of the breakthroughs are not the fault of the blog platform itself, but rather the poorly written plugins for protect your WordPress website.

The attack for a month…

Since my job is more or less to review/edit a really large number of WordPress installations every day, I was probably one of the first to feel the attack on the wp-admin folder and its effect.

The attack in question started maybe about a month ago, as a mass phenomenon not only abroad but also in our country. The idea behind it all is to try to get the password to access your blog through a Brute-Force attack, and then maybe take advantage of the benefits that administrator access provides.

Due to the specifics of the Brute-Force attack (trying to guess the admin password on a predefined list of passwords that are used most often), the danger is real only for users who use the standard username – admin, as well as very easy logical passwords.

In general, this reassures many blog owners and therefore very honestly does not protect their access to the admin part of WordPress in any way. The bad thing, in this case, is that through this attack many requests are made in a short time, which in turn generates more CPU time.

It is this generation of additional CPU time that is a problem for other users, who very often host their blogs on shared hosting with a CPU time limit, which in turn leads to a problem with opening the site, as well as letters from your hosting provider with please take action because you are loading their servers.

How to prevent the attack on wp-admin?

The good thing, in this case, is that we can always find a way to defend ourselves.

The options are really many, and if you ask in one of the specialized forums, they will probably recommend one of the many protection plugins, such as Limit Login Attempts.

Personally, however, I am not a fan of such add-ons, because even if you enter a limit on attempts, it is unlikely that this type of attack will be effective. The reason is that very often the checks are done by IP and in a certain number of attempts, this IP is blocked.

This is very nice, but the attack in question uses public proxies, which means that the IPs change almost constantly and even if you ban one, the attack will continue from the second… third .. fourth, etc. In addition, the plugin in question will increase the CPU time, because it also checks constantly, so, in my opinion, the idea is not very good.

This method would probably work for you if it was a single attempt, but not for attacks of this magnitude.

How did I deal with the problem with Protect your WordPress?

I’ve always loved doing things my way, knowing how it works and what it does. Maybe this is the reason why I use additives less and less when creating my new projects.

After facing the problem, I decided to think about how best to deal with and find the right solution, and honestly at this stage, I think my solution is one of the best. I even dare say that it is much easier if you apply it to a larger number of sites.

For this purpose, I decided to use the full functionality of our familiar mod_rewrite module, introducing rules for access to the main login file in the administration of WordPress – wp-login.php.

You must enter the rule in your .htaccess file, which is located in the root folder of your WordPress blog.


<Files wp-login.php>

order deny,allow


allow from X.X.X.X

deny from all


This code will usually work perfectly for you, but there is one small inconvenience – you will be able to log in to the administration of your blog only from the IP you have set access to. Everyone else will return a 403 error page.

Note: In some hosting companies, I noticed that instead of error 403, it returns 302 with a redirect to the home page.

Because in our case many people had to have access to the administration, and quite often the access had to be available from different places in Bulgaria, we solved the problem in a general way, allowing access only to all Bulgarian IP addresses. The solution will work well again because most attacks come from foreign IP addresses.

Protect your WordPress site from hackers

By the way, there is another good way to limit attacks by using the protected folders option. I’m not sure how useful it is, because the real form of access to the blog is through the file wp-login.php,

Which is located in the main part of your site and actually making a request to the folder / wp-admin / through which we are used to entering the panel of your WordPress, then we are redirected to wp-login.php.

So I’m not sure how efficient the protected folder method will be, but you can try and share if it works.

I will not share how the trick works, because I haven’t really tried it, but if you want to know how it works, you can see Pano Kondoyannis’ article on the subject.

More good practices for protecting your WordPress blog

First and foremost, take care of the protection of your blog by taking a few simple security measures:

  • Use always use a username other than admin to access your administrator account;
  • Use relatively long and complex passwords. Passwords like 123456 have long been out of fashion and are broken in seconds;
  • Avoid logging in to your blog from public networks. It is quite possible that this network will eavesdrop and understand your access data not only to the blog 😉 ;
  • It’s a good idea to create another username with copyright, through which to write articles on your blog, and to use administrator access only when needed.

I can give you a lot more advice, but they require a little more in-depth knowledge and that is why I plan to separate them in a separate article at a later stage.

I really hope this article helps many of you and I would be happy if you share it with your friends so that it reaches as many people as possible, which will make it even more useful.

Also, I will be happy for your opinion in the form of a comment to this article, and why not tips with more ideas to Protect your WordPress site blog.

You may also be interested in reading the following articles:

Leave a Reply

Your email address will not be published. Required fields are marked *