Build a small business empire you can be proud of

Welcome to Microblogger! First time here?
I know there's a lot going on, click here to Get Started.

1 Comment

How to Defend Against Brute Force WordPress Login Attacks

What is your administrative username for your blog?

If it’s admin, you need to change it.

If you don’t know, go to your site’s wp-admin, click on Users and then Your Profile. Your Username is under Name.

For about three weeks in August, Microblogger was getting pounded by brute force login attempts on the username ADMIN and I was being notified by a plugin every single time a login failed.

It was getting annoying.

If you don’t have a plugin installed that notifies you, you’re probably under attack too but you just don’t know it. Bots are trying to break into your site.

I recently installed the Sucuri Security WordPress plugin because I wanted to do a quick scan of the blog for vulnerabilityes. I usually turn off a plugin after it has done its primary job but I left this one on by accident and it’s been reporting these frequent brute force attempts.

One of the reporting functions of the Sucuri plugin is a failed login attempt. And I was getting a lot of these notifications.

I changed my username to something different long ago so the admin user doesn’t even exist. This is one of the suggestions WordPress gives to preventing a brute force attempt from succeeding. It won’t, however, stop brute force attacks from happening in the first place.

In this article, I’ll explain what you can do to reduce brute force attacks as well as limit their effectiveness.

How to Stop/Limit Brute Force Attacks

The best way is to use a service like Cloudflare as a firewall to prevent attacks from known IP addresses. Savvy attackers are cycling through IPs and likely using a botnet of some kind, so there isn’t anything you can do short of deflecting the attacks with a firewall.

CloudFlare is free so I recommend signing up for it. Once you have it set up, you’ll want to go to the CloudFlare settings and set your Security profile to High. If you are under attack, the High setting will cut the number of attempts by 95%. I had it on Medium and was getting bombarded. They offer Advanced DDoS protection but only for Business and Enterprise customers, which I am not. That might be a good option if you’re getting more than a few nefarious log ins.

How to Limit Attack Effectiveness

First, make sure you aren’t using “admin” as your username. If you need to change it, WordPress recommends using Admin renamer extended to change your username.

Next, slow down brute force attacks by installing Limit Login Attempts (don’t be scared by the warning that it hasn’t been updated in 2 years, it works great) and turn it on. This will prevent logins by IP for a period of time. Once a specified number of attempts (and failures) has been reached, the plugin will prevent further attempts for a cool-off period. It will slow down brute force attackers considerably and really the only thing you can do to slow them down.

Here are some of the defense recommendations by WordPress but most of them will not prevent the attacker from accessing your site in the first place, which might be leading to higher hosting bills.

Good luck!

Sharing is caring! Tweet about this on TwitterShare on Facebook0Share on Google+0Buffer this pageShare on LinkedIn0Share on StumbleUpon0Email this to someone
The following two tabs change content below.


In 2005, I founded a personal finance blog ( that became successful enough that I quit my career as a software developer in the defense industry. It is my goal to share everything I learned so that you can do the same - build an online business that let's you pursue your passion.

One response to “How to Defend Against Brute Force WordPress Login Attacks”

  1. John Wedding says:

    This happened to me a few months ago. Not fun at all.

    My hosting company assisted me in password-protecting wp-login.php for a bit to stop the attack.

Leave a Reply

Your email address will not be published. Required fields are marked *