ZeroToWP

Brute Force Attack

Quick Definition

A brute force attack is when hackers use automated bots to try thousands of username and password combinations on your WordPress login page until they guess the right one. WordPress allows unlimited login attempts by default, making it vulnerable.

WordPress Developer documentation on brute force attacks — the official guide on protecting your WordPress login

What Is a Brute Force Attack?

A brute force attack is the simplest and most common type of hack: an automated bot tries username and password combinations on your WordPress login page (/wp-login.php) until it finds one that works. These bots can attempt thousands of combinations per minute, cycling through common passwords, dictionary words, and leaked credential databases.

By default, WordPress allows unlimited login attempts with no lockout. That means a bot can try "admin/password123", "admin/123456", "admin/wordpress" thousands of times without being stopped. This is the single biggest security weakness in a default WordPress installation.

Why WordPress Is a Target

  • Predictable login URL — Every WordPress site uses /wp-login.php or /wp-admin/ unless you change it
  • Common username — Many sites still use "admin" as the administrator username
  • No rate limiting by default — WordPress does not block or throttle repeated failed login attempts
  • Massive target base — 40%+ of all websites run WordPress, making it the most profitable platform for automated attacks

How to Protect Your WordPress Login

Layer these protections — no single method is enough on its own:

  • Limit login attempts — Install Limit Login Attempts Reloaded or Wordfence to automatically block IP addresses after a set number of failed attempts. This is the most important single protection.
  • Strong passwords — Use a password manager to generate unique, complex passwords. Never reuse passwords from other sites.
  • Two-factor authentication (2FA) — Requires a second verification (phone code, authenticator app) even if the password is guessed. Plugins like WP 2FA or Wordfence add this.
  • Change the login URLPlugins like WPS Hide Login change /wp-login.php to a custom URL (e.g., /my-secret-login). Bots that only target the default URL will get a 404.
  • CAPTCHA on login — Add Google reCAPTCHA or Cloudflare Turnstile to your login form. Blocks most automated bots.
  • Web application firewall (WAF) — Cloudflare, Sucuri, or Wordfence can block brute force attempts at the network level before they even reach WordPress.
  • Disable XML-RPC — The xmlrpc.php file is an alternative entry point for brute force attacks. If you do not use mobile apps or Jetpack, disable it.

Signs You Are Under Attack

  • Slow site performance (server overloaded by login requests)
  • Unknown IP addresses in your access logs hitting wp-login.php repeatedly
  • Security plugin alerts about blocked login attempts
  • Hosting provider emails about unusual server resource usage

Why It Matters

A successful brute force attack gives an attacker full admin access to your WordPress site. From there, they can inject malware, steal data, deface your content, or use your server to send spam. Even unsuccessful attacks waste server resources and can slow your site for legitimate visitors. Adding login protection takes 5 minutes and blocks 99% of brute force attempts.

Sources: Developer.WordPress.org, Wordfence, MalCare

Related Terms

FirewallA firewall monitors and filters incoming traffic to your WordPress site, blocking malicious requests like hacking attempts and brute force attacks before they reach your server.MalwareMalware (malicious software) is code designed to damage, steal data from, or gain unauthorized access to your WordPress site. Common types include backdoors, spam injections, redirect hacks, and cryptominers.SSLSSL (Secure Sockets Layer) is the technology that encrypts the connection between your website and its visitors. Today it technically runs on TLS, but everyone still calls the certificate an "SSL certificate."

Related Articles

WordPress Login Security — How to Stop Brute Force AttacksYour WordPress login page gets attacked dozens of times every day, whether you know it or not. I've been hardening login pages for over a decade, and these 8 measures will shut down brute force attacks completely.How to Remove Malware from WordPress (Emergency Step-by-Step Guide)Your WordPress site got hacked — don't panic. I've cleaned malware from more sites than I can count over the past 20 years, and most infections can be fixed in an afternoon. Here's exactly what to do, step by step.WordPress Security Guide: 12 Steps to Protect Your SiteWordPress doesn't get hacked because it's insecure — it gets hacked because people skip basic precautions. Here are the 12 security steps I follow on every site I build, ranked by importance.
← Back to WordPress Glossary