How to Protect your WordPress website against Brute Force Attacks

How to Protect your WordPress website against Brute Force Attacks

In this Article I’m going to talk about brute force attack and how to protect your WordPress website from it.

What Is a Brute Force Attack?

brute force attack uses a trial-and-error approach to systematically guess login info, credentials. brute force attacks accounted for five percent of confirmed security breaches. using tools such as Hydra The attacker checks all possible passwords and passphrases until the correct one is found.

Although it’s an old attack strategy, hackers still choose it because it works. Because it can take anywhere from a few seconds to several years to crack a password, depending on its length and complexity.

How to Protect your Website from these Attacks

There are numerous methods that can reduce the severity of Brute Force Attacks.

1. Increase Password Length

There’s a reason why the majority of websites demand that your password be at least 8 characters long. There are obviously more viable combinations with an 8-character lengthy password than there are with one that is only 5 or 6 letters long.

2. Increase Password Complexity

Using a long password isn’t a enough. Even though a password is lengthy, if it is as straightforward as “123password”, hackers are more likely to be able to access the website. Of course, this is a poor example, but the reality remains that there are still people using such simple and obvious passwords.
Website admins must have a strong password that contains three of the four subsets given here and is at least seven characters long.

  • {a..z}
  • {A..Z}
  • {0..9}
  • {!@#$%^&*() +-=[]{}|;:’”,<.>/?∼`}

3. Limit Login Attempts

Limiting a user’s first ability to log in (for example, to two attempts) is another useful tactic. WordPress by default permits an infinite number of login attempts, but you may modify that. There are mainly two methods for doing this.

First, you can use a plugin like Limit Login Attempts Reloaded. Once several login attempts have been made, it updates your WordPress site to prevent either a username or an IP address from trying again (the number of attempted login attempts can be set by you). This makes it highly challenging, if not completely impossible, for hackers to attempt to use a brute force attack to get access to your website.

Second, WordPress allows you to limit login attempts by adding custom code to the function.php file. Some of you might not want to conduct the installation of a third-party plugin.

4. Use OTPs

One-time password (OTP) systems provide a mechanism for logging on to a network or service using a unique password that can only be used once.
OTP Verification Plugin for WordPress verifies Phone/Email of users by sending OTP Verification code after enabling OTP Verification Plugin on WordPress. Using this guide OTP Verification will be enabled for login and registration forms on the WordPress.

5. Secure Login with Two-Factor Authentication SMS (2FA)

WP-SMS plugin offers two-factor authentication SMS (2FA) for consumers to confirm their mobile. Only the WooCommerce checkout form and the WordPress default login form allow you to use it.


For as long as password-based authentication systems are used, brute-force login attempts will be a danger. It’s crucial to adopt a defense-in-depth strategy when defending your own login method from brute-force attacks. Wherever possible, apply security safeguards that don’t significantly affect user experience.

Consider hiring a third party to perform a penetration test if you want to assess the security of your web application, including the posture of your authentication routines. The testing will identify the weak points in your web application’s security and offer suggestions for how to fix them so that future attacks won’t be able to take advantage of them.