As you are probably aware, attacks on WordPress and its wp-admin.php have been increasing day by day over the past few years. Attackers can easily target sites running WordPress, Joomla, and other CMSs all over the world. The most common attack on WordPress or Joomla is the brute force attack. Users generally set short passwords without mixed character types, so WordPress sites are highly exposed to brute force attacks.

At this point, we highly recommend that you log in to WordPress and change your password to one that mixes uppercase and lowercase letters, numbers, and special characters such as (~%#[@&!{|*). That way you are better protected from attackers.

5 Simple steps to secure WordPress from brute force

These are some important measures that can protect your WordPress site from brute force attacks and from hackers. Follow these simple steps to secure your WordPress site against brute force attacks.

*1* Make WordPress Secure with Strong Password:

When setting a WordPress password, make it at least 8 characters long. Combine special characters, lowercase letters, uppercase letters, and numbers.

When setting the password, do not use your name, cell phone number, or any personal names. Always choose random letters in both upper and lower case, random numbers, and random symbols.

For example:

  1. You can set strong password like q^o0h~xE3I?@4y{U
  2. You can also set password like e5QEm-bylS8f@

To create a strong password, you can simply use an online Password Generator, a tool widely used for creating strong passwords easily.
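The password rules from this step, as an added example that is not part of the original article: a generator built on Python's `secrets` module that runs locally, plus a checker for the rules above. The function names and the 16-character default are assumptions made for illustration.

```python
import secrets
import string

SPECIALS = "~%#[@&!{|*"   # the special characters listed in the article
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
MIN_LENGTH = 8            # minimum length recommended in the article


def generate_password(length=16):
    """Return a random password with at least one character from each class."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    # One guaranteed character per class, the rest from the combined alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS random source so the guaranteed characters
    # do not always sit in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_password(password, personal_tokens=()):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, cls in zip(("lowercase", "uppercase", "digit"), CLASSES):
        if not any(ch in cls for ch in password):
            problems.append("no %s character" % name)
    # Any non-alphanumeric character counts as a special character.
    if all(ch.isalnum() for ch in password):
        problems.append("no special character")
    lowered = password.lower()
    for token in personal_tokens:
        # Names, phone numbers and similar details must not appear.
        if token and token.lower() in lowered:
            problems.append("contains personal detail: %s" % token)
    return problems
```

`check_password("Alice213", ["alice"])` reports both the missing special character and the embedded name.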

*2* Choose a unique or uncommon WordPress admin username:

When WordPress is installed, the default username is admin. To avoid attacks on WordPress, you need to set a unique or uncommon username.

Botnet attacks usually target this kind of admin username. Users often set usernames like “admin112” or “Alice213”. An attacker can easily guess such a username and then start brute forcing against it.

So we advise you not to set your username as “admin” in WordPress.

*3* Keep updating your WordPress:

If you are late in updating your WordPress site, the first thing you lose is your WordPress security, and you give attackers a big opportunity.

If you update your WordPress site on time, you are on the safe side. With timely WordPress updates you receive new plugins, extra features, new themes and much more. The current version of WordPress available is 4.7 and plugin 1.5.2.

So, always keep your WordPress updated on time.

The updated plugin we strongly recommend for WordPress is the UpdraftPlus WordPress Backup Plugin.

*4* Change the Location of the WordPress Login Page

We would like to ask you something: how hard is it for someone to find your login page?

Whenever you use the default login extension – – you make it far easier for bots to identify the WordPress login page they want to attack.

Without access to your WordPress login page, brute force attacks are very unlikely to succeed.

Protect your login page from brute force attacks by changing the location of your WP-ADMIN page to a more secure URL. You can change the location of your admin page by using the official Customize WordPress Login Page plugin.

  • Change /wp-login.php?action=register to something unique; e.g. my_new_registeration
  • Change /wp-admin/ to something unique; e.g. my_new_admin
  • Change wp-login.php to something unique; e.g. my_new_login

*5* Take Daily Backup of Your WordPress website and other CMS site:

By taking a daily backup of your WordPress website, you keep your data safe for later use. Sometimes data may accidentally be lost or corrupted, for example by a virus attack. In that case, the wise solution is not available and responsible for any kind of data loss, and you are unable to recover the data as it was. If you take daily backups, you can recover your data easily.

If you are unfamiliar with how to back up your WordPress site, you can follow our video guide to learn how to take a full backup of your WordPress site.

For daily backups, our recommendation is the UpdraftPlus WordPress Backup Plugin.

*6* Brute Force Log-in Protection – Limit Login Attempts

If a bot had only two or three attempts at your login credentials, how likely is it to succeed?

This is a highly recommended WordPress plugin. A brute force attack is the simplest kind of method for gaining access to a site: it tries usernames and passwords in all possible combinations, over and over again, until it gets a login. The plugin is lightweight and protects your WordPress site against brute force login attacks using .htaccess.

Just on the basis of there being 27 letters and 10 numbers (37 characters), there are 2.9 trillion possible combinations in a 9- to 10-character password.

Include an additional 27 uppercase characters (64 characters total) and there are 238 trillion possible 9-character combinations. And that’s before we even consider the likelihood of getting your username right, too.

You can restrict the number of login attempts from a single bot or system IP address. When a WP plugin restricts the number of login attempts, bots need far more luck to guess your login credentials correctly.
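The per-IP attempt limit described in this step, as an added example that is not from the original article or from any plugin it names: a sliding-window counter run over web server access log lines to show which addresses such a limit would lock out. The threshold, window, function name and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log line: client IP, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

MAX_ATTEMPTS = 3               # assumed policy: failed logins allowed per window
WINDOW = timedelta(minutes=5)  # assumed sliding window

# Constructed sample log (documentation IP ranges), in chronological order.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2017:10:00:0%d +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120' % s
    for s in range(1, 6)
] + [
    '198.51.100.20 - - [12/Jan/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.20 - - [12/Jan/2017:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Jan/2017:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120',
]


def find_lockouts(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: time of the attempt that first exceeded the limit}."""
    recent = defaultdict(deque)  # ip -> failed-login times still inside the window
    locked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        # Assumes default WordPress behaviour: a failed login re-renders the
        # form with status 200, a successful one redirects with 302.
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:   # drop attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts and m["ip"] not in locked:
            locked[m["ip"]] = ts
    return locked
```

On the sample, only 203.0.113.7 is locked out, on its fourth failed attempt; the user who mistypes once and then logs in is unaffected.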

*7* Some General WordPress Security Recommendations

#1. Passive terms or Vulnerability on your System

Make sure that the systems you use are free from viruses, worms, malware, and spyware infections. No security measure in WordPress or on your web server will make the slightest difference if there is a key logger on your system.

Always keep your operating system and the required software on it up to date. Just as important, keep your browser up to date to protect against security vulnerabilities. If you sometimes have to access untrusted sites, we recommend using a tool like No-Script or simply disabling JavaScript, Java, and Flash in your browser.


#2. BruteProtect

BruteProtect is another WordPress plugin that protects against brute force attacks. It is no longer as actively supported: all the latest development is now being done on the Protect feature of Jetpack for WordPress. In the past BruteProtect was a part of the Automattic family, and it has since been integrated into Jetpack. Please update to Jetpack to continue using BruteProtect.

We strongly recommend that you install all the plugins in this article on your WordPress site.

We always try our best to help our clients create a secure environment. Please let us know if you have any queries or need support. You can contact our support team.

The Final Concluding Thought

Brute force attacks are a very harmful security threat to WordPress users.

Fortunately, just a few easy steps can protect a WordPress website from the large majority of brute force attacks. The tips outlined above are all free to implement and should take no more than a few minutes each, so there is no excuse for skipping them!

You can also avoid email spamming by following our most important article.