Brute Force Attacks are Real and Still Happen

A brute force attack is to try different usernames and passwords repeatedly until they have access, they target the weakest link in any website’s security. As it repeatedly attacks the website, causing a decrease the performance. A large volume of HTTP requests is received. As a result, the server runs out of memory. Brute Force attacks wp-login.php files repeatedly. The attacker stops when it succeeds, or the server crashes.

 Protect wp-login.php File

By default, WordPress provides the username ‘admin’. This by default setting might be helpful for brute force attackers. You can protect the wp-login.php file by blocking people from accessing a file. You may quickly and easily alter the usernames of your WordPress users by using the Change Username plugin.

Listing down the list of plugins that will help to protect the wp-login.php file 

  1. Admin Menu Editor
  2. WPS Hide Login
  3. WP Custom Admin Interface
  4. Change wp-admin login
  5. Loginizer
  6. Hide login page, Hide wp-admin – stop the attack on the login page
  7. Custom Dashboard & Login Page – AGCA

And many more 

Limiting Login Attempts

limiting the  number of login attempts done on the website by using a different plugin 

  1. Limit Login Attempts Reloaded
  2.  SiteGuard WP Plugin
  3. Protection Against DDoS
  4. IP Geo Block
  5. HTTP Auth

And many more 

Good Password

A strong password should be used. Try a different plugin for passwords. Password-protecting your wp-login.php file (and wp-admin folder) can add an extra layer to your server. All passwords must be encoded by function crypt(3). You can use an online htpasswd generator to encrypt your password.

 Listing down some plugins for password

  1. Password Protected
  2. Passster – Password Protection
  3. PPWP – WordPress Password Protect Page Plugin
  4. Password Policy Manager | Password Manager 

 And many more 

 Protect Your Server 

Sealing off the wp-login.php or wp-admin, 404 or 401 errors occur. It becomes necessary to add  ErrorDocument 401 default in the .htaccess file. 

On IIS web servers use the httpErrors element in your web.config, set errorMode=”custom”:

<httpErrors errorMode="Custom">
<error statusCode="401"
responseMode="File" />

IP Whitelist

you can fix the IP address, or deny wp-login.php making wp-admin/ folder access to everyone. the fixed IP address access via an .htaccess or web.config file. This scenario is called an IP whitelist.

Create a file in a plain text editor called .htaccess and add:

# Block access to wp-login.php.
<Files wp-login.php>
 order deny,allow
 allow from
 deny from all


Most brute force attacks are from hosts from Russia, Kazakhstan, and Ukraine. You can block ip-addresses that originate these attacks from these countries. There are block lists available on the internet that you can download.

Subscribe To Our Newsletter

Get updates and learn from the best

Leave a Reply

Your email address will not be published. Required fields are marked *

Get A Free Quote

Tell us about your business and what services you’re interested in… we’ll get back with you ASAP!

Can’t get enough?

Subscribe for exclusive offers and updates on new arrivals