WordPress Brute Force
Attack Protection

Discover how Hide My WordPress Ghost helps you have a secure website!

What is a Brute Force Attack?

A brute force attack is an activity which involves repetitive, successive attempts using various password combinations to break into a website.

Hackers try various combinations of usernames and passwords, again and again, until they get in. When running their attacks, hackers use bots or automated tools to keep guessing your login information.

Brute Force Attack

Which Websites are Targeted by Hackers?

Brute force attacks are common against popular CMS platforms (e.g., WordPress, Joomla, etc.) and against common services, such as FTP and SSH. Statistics show that WordPress has been the most affected CMS in recent years.

Most brute force attacks work by targeting a website, typically the login page and the xmlrpc.php file.

Usually, every common ID (e.g., “admin”) has a password. All hackers need to do is guess the password based on words in a dictionary.

Which are the Most Attacked Paths?

The majority of password-guessing attacks will target your admin and login URLs (/wp-admin or /wp-login for WordPress; /administrator for Joomla)


an API endpoint URL that accepts a username and password (e.g., /xmlrpc for WordPress). 

brute force attack protection

According to the Data Breach Investigations Report in 2020 by Verizon, the brute-force method was, in some way or another, used in over 80% of the attacks.

WordPress Brute Force Attack Protection Steps

1. Enforce the use of strong passwords. 
2. Hide the fact that you are using WordPress as your CMS.
3. Limit login attempts.
4. Restrict access to authentication URLs.
    (Deny the IP address after a few failed attempts.)
5. Use reCAPTCHA or human recognition.

How to Prevent a Brute Force Attack

In the following paragraphs, we’ll explain every step that you should take to have a secure website. 

You’ll also learn more about how to use Hide My WordPress Ghost to protect your website from hackers.

Limit Login Attempts

By default, WordPress allows unlimited login attempts, either through the login page or xmlrpc.

Therefore, you need to limit the number of login attempts for incorrect usernames or passwords. 

How Hide My WordPress Ghost Will Help You

Hide My WordPress Ghost plugin limits the rate of login attempts and temporarily blocks the IP address.

By default, the maximum number of failed login attempts is 5, and the ban duration is set to one hour.

With one click, you can access the Brute Force Protection Settings Tab, and simply customize the maximum number of failed attempts and the ban duration.

On the login page, you can also let the user know how many login tries they have left, as well as provide information regarding lockout time. 

Restrict Access to the Authentication URLs

Which are the URLs that you need to restrict?

The most important URLs are the login page and the admin page.

If possible, we recommend allowing login page access to authorized IP addresses only, as this will help prevent unauthorized login attempts.  

You can do this by editing the .htaccess file. However, doing this requires having some knowledge in programming.

Hide My WordPress Ghost Will Help You:

Whitelist the IP addresses (or the range of IP addresses) that you want to have access to the login page on your website.

Also, you can ban the IP addresses or the range of IP addresses that you never want to be able to access the login page.

You don’t need developer skills for this, and it works with any kind of hosting server.

If you block your IP address by mistake, you can use the safe URL to log in and rollback your settings to default.

Hide the Fact that You Are Using WordPress CMS

You can prevent a lot of problems by simply hiding the fact that you are using WordPress.

Filters that you can add into the .htaccess file to protect your website:

  • Protect your WordPress admin area
  • Password-protect WordPress admin folder
  • Disable directory browsing
  • Disable PHP execution in some WordPress directories
  • Protect your WordPress configuration file (wp-config.php)
  • Set up 301 redirects through the .htaccess file
  • Ban suspicious IP addresses
  • Protect .htaccess from unauthorized access
  • Disable access to xmlrpc.php file using .htaccess
  • Block author scans in WordPress
You can do this manually – OR you can use Hide My WordPress Ghost.
Admin area protection
Limit the access to selected IP addresses only.
Password Protect Admin Folder
If you access your site from multiple locations, then limiting access to specific IPs may not work for you.
You can add additional password protection to your WordPress admin area.
Disable Directory Browsing
With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file.
Disable PHP execution in some wp directories
Sometimes, hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders.
Protect your configuration wp-config.php
The wp-config.php file is probably the most important file in your website’s root directory. This file contains information about your WordPress database and how to connect to it.
Ban suspicious IP addresses
Are you seeing unusually high requests to your website from a specific IP address?
You can easily block those requests by blocking the IP address in your .htaccess file.
Protect .htaccess from unauthorized access
Due to the power and control it has on your web server, it is important to protect it from unauthorized access by hackers.
Disable access to xmlrpc. file
This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third-party apps, then you should disable this feature.
Blocking author scans in WordPress
A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.
Previous slide
Next slide


CAPTCHACompletely Automated Public Turing test to tell Computers and Humans Apart

The primary goal of a CAPTCHA is to provide an extra layer of security on sensitive pages. 

When used as part of a registration, login process, or order form, this feature can help stop malicious bots from creating spammy comments or getting access to your personal information.

If you’ve ever been asked to solve a simple math problem or “prove you’re human” before performing an action on a website – you’ve encountered a CAPTCHA.

Google has even implemented a new service they’re calling the No CAPTCHA, reCAPTCHA, which only requires you to check a box.

Choose Your Passwords Carefully

The goal of your password is to thwart password-guessing attempts and make it difficult for a brute force attack to succeed.

There are many automatic password generators available that can be used to create secure, strong passwords.

Things to avoid when choosing a password:

  – Using any permutation of your own real name, username, company name, or name of your website.
  – Using a word from a dictionary, in any language.
  – Choosing a short password.
  – Using numbers-only or letters-only (a mixture of both is best).

Love what you see?

I want to know more about Hide My WordPress Ghost