8 Tips to Protect Your WordPress from Brute Force Attacks

Protect WordPress

You work so hard to have the perfect website, and let’s face it–in a digital world, you absolutely have to. After all of the efforts to create, continuously update, and maintain your website, the last thing you want to happen is to be notified that your website has been exposed or compromised by a brute force attack.

Brute force attacks to your website not only expose it to cyber-attacks and viruses, but also render it completely inaccessible to the public and your internal administrator as well.

The lowdown on brute force attacks

 Brute force attack consists of an attacker trying many usernames and passwords or passphrases with the hope of eventually guessing correctly to gain access to your website. This is essentially a digital break-in. There have been plenty of brute force attacks in 2018; perhaps the most notable one is the brute force attack on the City of Atlanta.

Brute force attacks to your website can be detrimental, especially if a virus is planted or personal information is hacked. Hackers or hacking programs use brute force attacks to access encrypted data and/or sensitive information such as passwords, social security numbers, credit card numbers or anything else that should be kept safe digitally.

If a brute force attack is successful, your back-end system can be compromised, exposing important data and slowing or even shutting down the front end of your site, making it frustrating for those that use your site and/or network. A good example of this is back in 2016 when Sony PlayStation accounts were compromised by brute force attacks. More recently, however, WordPress sites have been increasingly targeted by brute force attacks, so it is crucial for you to read the following advice in order to ensure your site is safe from brute force attacks.

1) Stay Up-to-Date with WordPress Updates

In the Internet age, software updates are more than just adding new features, but often they include security fixes. Running an older version of WordPress, can expose your site to brute force attacks. WordPress consistently updates cornerstone and popular plugins so as to fix security vulnerabilities. Rather than ignore the update notifications, it would be wise to update your plugins as soon as possible.

Here’s how to make sure your WordPress is up-to-date: go to the Updates page within your dashboard admin and check to see if updates are available. Any critical updates for your site, plugins, and even the theme you chose for your layout would show in this section.

2) Use Long and Complex Password

A chain is as only as strong as its weakest link. Passwords are no different. Understanding the basics of creating a strong password will go a long way in the first line against brute force attacks. Without unique passwords for all your log-ins, you could be at serious risk for a brute force attack. General rule of thumb is to create a password at least 12 characters long using a combination of letters, numbers and special characters, such as the pound sign, numbers, or exclamation points. This creates passwords that are difficult to replicate or guess. Apply this to not just your WordPress log in but for your database, web hosting control and FTP. Worried about remembering all these unique passwords? There are two options: 1) write them down on a piece of paper and have that accessible, but securely stored, 2) use an encrypted app specifically designed to manage all your passwords.

Lastly, it’s a good idea to change your passwords ever so often, so make sure you use this best practice to ensure your system is safe from brute force attacks.

WordPress Login

3) Enable Two-Factor Authentication (2FA)

Have you ever had to use Google Authentication, or received a code via text message or email in order to log into a site or an application? This is an example of two-factor authentication. Some of the most sensitive sites that you use on a daily basis like, banking, credit card companies, etc. use two-factor authentications.

Essentially, your log in is divided into two different components all determined by the admin of the website. The two different components can be a combination of username/password and a secret question, or a code that would be obtainable by having a Google Authenticator, which then sends a code to your cellphone. Regardless of which components you choose, using a 2FA will greatly increase your site’s security. In the event that a hacker somehow gets your password, this two-factor authentication would block them, as they likely would not also have your cellphone or know the answers to secret questions in order to successfully log in.

4) Use a Firewall

Brute force attack attempts toward your site can bog down your servers and therefore significantly slow down or even crash your site. This is why it is critical to stop hackers before they can even reach your server. Installing a firewall is the best way to do this as it serves as a filter, blocking bad traffic and attempts from actually accessing your site and/or encrypted information.

The first, and better type of firewall you should install is called a DNS Level Website Firewall. This firewall works by routing incoming traffic through their cloud proxy server first, filtering out the unwanted traffic and only allowing for authentic and actual traffic to your main server. Not only does this prevent brute force attacks, but also it has the added benefit of increased speed and performance for your website.

The second type of firewall you can also install is an Application Level Firewall. This type of firewall will analyze traffic as it comes in to your server but prior to the majority of WordPress scripts loading. The DNS Level Website Firewall is definitely a more efficient method as it prevents a server slowdown.

5) Delete unneeded user accounts

You may find yourself running multiple blogs with multiple-authors contributing to your blog. If this applies to you, it would be wise to head caution when adding new users to your blog. Typically, the more people that have access to your administration panel, the more likely a brute force attack could be successful.

To ensure that adding more users accounts to your admin panel does not compromise your security try using security plugins like Force Strong Password. This ensures that any user accounts that have access to your admin panel have strong passwords with multiple characters, numbers and letters.

6) Backup your WordPress site regularly

You back up your home computer; why not also back up your WordPress site? When it comes to brute force attacks, which have the ability to do anything from, delete all your content to stealing encrypted data, a backup is a lifesaver.

There are plenty of backup plugins available for WordPress site. Regardless of what plugin you choose, having your backup stored off-site is akin to having multiple copies of important documents in different locations. If one is compromised, there is always another secure copy elsewhere.

7) Use Secure Socket Layer (SSL) to encrypt data

Obtaining a SSL certificate is a rather simple process that will go a long way in providing security to your site, not just for you, the admin but also for any user that accesses your site. Essentially, an SSL certificate will ensure that data sent between the site and the user will be encrypted, making it difficult for hackers using Man-in-the-Middle techniques to gain sensitive information or spoof users to obtain their data that way.

It is also worth mentioning that Google tends to rank sites with SSL certification higher than those that do not have SSL certification. So, by getting your site an SSL certificate, you not only increase your security but also your ranking! Who doesn’t love a two-for-one?!

8) Block hotlinks

Everyone loves to use pictures on their WordPress, it enhances the aesthetics of your posts and in some instances a picture serves as the veritable centerpiece of an article or design concept.

One of the issues that can occur by using a picture is that you are using the picture’s URL to place it in your site. That means that the picture itself is hosted off-site and therefore you do not control the picture, and so your site could be compromised if that site becomes compromised by brute force attacks. Also, since you do not control the image, it’s important to understand that it could change without your notice.

The best route for blocking hotlinks is to get a plugin to do the work for you, though it is possible to do it yourself.


Hopefully you will head these tips as they’re designed to help you protect your website from brute force attacks. By arming yourself now, you can prevent unthinkable problems in the future as once your system is compromised; there is no telling what could happen. In the end, perhaps the best piece of advice is that of the Boy Scouts “semper paratus,” or “always be prepared.” Or, in other words it is better to be proactive than reactive.


Get started with Premium WordPress hosting for your Business today

Leave a Reply

Your email address will not be published. Required fields are marked *