WordPress Brute Force Attacks

Overview

A brute force attack is an automated attempt to gain access to a WordPress site by systematically trying username and password combinations against the wp-login.php endpoint. WordPress sites are targeted constantly — bots scan for the default login URL and attempt thousands of combinations per hour. Most attacks are automated and indiscriminate. If your site is on a shared hosting server with limited resources, a sustained brute force attack can slow or crash the site even if it never succeeds in logging in.

How Brute Force Attacks Work

  1. Automated bots identify sites running WordPress by looking for /wp-login.php or /wp-admin/
  2. The bot sends repeated POST requests with common username/password combinations
  3. Common usernames targeted: admin, administrator, the domain name, the business name
  4. Passwords are tried from lists of commonly used or previously leaked credentials
  5. If successful: attacker gains admin access, installs backdoors, redirects traffic, or harvests the site

Signs Your Site Is Under Attack

  • server load is unusually high with no corresponding traffic increase
  • hosting provider alerts about excessive resource usage
  • WordPress admin login becomes slow or intermittently unavailable
  • server error logs show thousands of POST requests to wp-login.php from a single or rotating IP
  • security plugin (Wordfence, Solid Security) sends lockout notifications
  • failed login attempts visible in WordPress security logs

How It Is Diagnosed

  • review server access logs for repeated POST requests to wp-login.php
  • check the hosting control panel for unusual CPU or bandwidth spikes
  • use a security plugin to view failed login attempts and the IPs behind them
  • look for 403 or 429 responses in logs if rate limiting is already partially in place
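The log review described above can be scripted. The following is an added example, not part of the original page: it parses Apache/nginx combined-format access lines, counts POST requests to wp-login.php per client IP, flags IPs over a threshold, and notes IPs that are already receiving 403/429 (rate limiting in place). The sample log lines are constructed for the example, and the threshold of 5 is an assumption; total_posts against distinct_ips also exposes the rotating-IP pattern (a high total spread thinly over many addresses).

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def _line(ip, method, path, status, ua="python-requests/2.31"):
    """Build one combined-format line. Constructed sample data, not a real server log."""
    return f'{ip} - - [12/Mar/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "POST", "/wp-login.php", 200)] * 6   # one IP, sustained guessing
    + [_line("198.51.100.7", "POST", "/wp-login.php", 429)] * 3  # already throttled (429)
    + [_line("192.0.2.44", "GET", "/wp-login.php", 200, "Mozilla/5.0"),   # admin opens the form
       _line("192.0.2.44", "POST", "/wp-login.php", 302, "Mozilla/5.0"),  # one real login
       _line("192.0.2.44", "GET", "/wp-admin/", 200, "Mozilla/5.0"),
       "not a log line at all"]                                           # malformed, must be skipped
)

def analyse_login_posts(log_text, threshold=5):
    """Count POST /wp-login.php per client IP and flag the brute-force pattern.

    'suspicious': at or above `threshold` POSTs. 'already_limited': the IP is
    getting 403/429 on those POSTs, so some rate limiting is already active.
    """
    posts, statuses = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # malformed line: skip, do not abort the audit
        path = m.group("path").split("?", 1)[0]       # drop query strings such as ?action=lostpassword
        if m.group("method") != "POST" or path != "/wp-login.php":
            continue
        posts[m.group("ip")] += 1
        statuses[m.group("ip")][m.group("status")] += 1
    per_ip = {
        ip: {
            "posts": n,
            "suspicious": n >= threshold,
            "already_limited": (statuses[ip]["403"] + statuses[ip]["429"]) > 0,
        }
        for ip, n in posts.items()
    }
    return {"per_ip": per_ip, "total_posts": sum(posts.values()), "distinct_ips": len(posts)}
```

Feed it a real access log with `analyse_login_posts(open("/var/log/apache2/access.log").read())` and compare the flagged IPs with what the security plugin reports.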

How to Stop Brute Force Attacks

Block access to the login URL:

  • change the WordPress login URL from /wp-login.php to a custom path using a plugin (WPS Hide Login or Solid Security)
  • restrict /wp-login.php access by IP address in .htaccess if the admin always logs in from a known IP

Limit login attempts:

  • install a login rate-limiting plugin (Limit Login Attempts Reloaded, or the built-in feature in Wordfence/Solid Security)
  • set lockout after 3–5 failed attempts per IP

Use strong credentials:

  • change the admin username away from admin — create a new admin user with a unique name and delete the original
  • use a generated password of 20+ characters

Enable two-factor authentication:

  • require a TOTP code (Google Authenticator, Authy) for all admin accounts
  • this makes a successful credential guess useless without the second factor

Web application firewall (WAF):

  • services like Cloudflare (free tier) can detect and block bot traffic at the network level before it reaches the server

Technical Website Support

If a brute force attack is consuming server resources or has resulted in unauthorized access, the site needs to be hardened immediately. Blocking the attack vector and auditing for any successful intrusion are the two priorities.