Brute force attacks can crash your website and disrupt your online business if the necessary prevention tools are missing.

A brute force attack can be carried out with either humans or bots, constantly trying to log in with guessed credentials on your WordPress site.

It gets worse when the login page is not secure and some research has noticed thousands of wp-login.php login attempts per minute.

Let’s take a look at the SUCURI chart.

Over 1 million attacks per hour!

There are several ways to prevent brute force attacks; Here are some of them that you can follow.

1. Hide WordPress login

One of the first things you should consider after setting up your website is to hide the login area.

By default, the WordPress login page is available as:

  •  /wp-login.php
  • / login
  • / wp-admin
  • / admin

So, if the bad guys know you are using WordPress and the login area is not hidden, then they can easily access the login page and prepare for a brute-force attack.

Let’s hide the WordPress login area with the following plugins. You can use any of them.

WPS Hide Login

WPS Hide Login is a lightweight plugin with over 600,000 active installations. This plugin will help you change your login url to whatever.

After changing the login url, if someone tries to access wp-admin, /wp-login.php, / login, / admin , it will give a 404 error page.

iThemes Security

The premium plugin offers comprehensive WP security protection.

iThemes  plugin providing security tools. Some of the features include:

  • Brute force protection
  • Block suspicious users
  • Hide login
  • Two-factor authentication
  • Malware scan
  • Database backup


Malcare  is a versatile WordPress protection plugin. It offers 24/7 login protection and protects against malicious traffic.

Malcare offers features such as malware scanning, malware removal, smart web firewall, one-click amplification, and more. You can get it started for as little as $ 99 per year. It is worth investing to keep your online business safe.

2. Implement two-factor authentication

Two-factor authentication adds an extra layer of security to your WordPress website. Along with your credentials, you also need to provide a one-time password (OTP).

This is achievable with the following plugins.


Fantastic and lightweight plugin  allows you to implement two-factor authentication for admin, member, etc.


You can set up email based authentication, Google Authenticator and U2F.

Google Authenticator

As the name suggests, you can use this plugin to log in with Google Authenticator.

After you enable the plugin and set up authentication, you should see the above screen when logged into your WP admin.

The above methods are plug-in based, but you might also want to consider using a cloud security provider’s protection.

3. Cloud security

Why Cloud Security?

Using a plugin to secure your site means that all traffic, including bad traffic, reaches the WordPress servers. Imagine you are getting a lot of useless traffic.

By using cloud protection, your WordPress server only receives legitimate traffic. All bots, spam, suspicious requests are terminated in the network of the security provider.

Sounds good, right?


One of the popular CDN and security providers. Cloudflare WAF is included in the PRO plan, which costs $ 20 per month.

You get all the standard protections like DDoS, 10 OWASP vulnerabilities, spam, evil bots, brute force, etc.


SUCURI  specializes in antivirus and firewall software. They help you stop hacking attempts, stop DDoS attack, clean hacking and keep your site completely secure. Including protection against brute force attacks.

SUCURI’s WordPress security is probably the only thing you need to protect your site from Brute Force and many other vulnerabilities. The advantage of SUCURI is that it supports many other platforms like Joomla, Drupal, Magento, PHP, so in case you change the website technology in the future, you don’t need to spend $ more on security.


Securing your site is very important, and if you want to mitigate brute force attacks then one of the above plugins will do the job. However, if you’re seriously looking for a complete security solution, go for cloud protection. It’s worth it!

Stay Safe!