WordPress Brute Force Attack Protection

How Hide My WordPress Ghost can help you to have a secure website

What is a Brute Force Attack?

A brute force attack is an activity which involves repetitive, successive attempts using various password combinations to break into a website.

Hackers try various combinations of usernames and passwords, again and again, until they get in. For their attacks, hackers use bots or automated tools.


Which Websites are Targeted by Hackers?

Brute force attacks are common against popular CMS platforms (WordPress, Joomla, etc.) and against common services such as FTP and SSH. Statistics show that WordPress has been the most affected CMS in recent years.

Most brute force attacks target a website's login page and its xmlrpc file.

A common user ID (e.g. “admin”) is usually in place, so all hackers need to do is guess its password, typically by trying words from a dictionary.

Which are the Most Attacked Paths?

The majority of password-guessing attacks will try to hit:

  • your admin and login URLs (/wp-admin or /wp-login for WordPress; /administrator for Joomla)
  • an API endpoint URL that accepts a user name and password (e.g., /xmlrpc for WordPress).

WordPress Brute Force Attack Protection Steps

1. Pay attention to your passwords.
2. Hide the fact that you are using WordPress CMS.
3. Limit login attempts.
4. Restrict access to the authentication URLs.
    (Deny the IP address after a few failed attempts.)
5. Use reCAPTCHA or human recognition.

How To Prevent a Brute Force Attack

In the following, I’ll explain every step that you should take to have a secure website. 

You’ll learn how to use Hide My WordPress Ghost to protect your website from hackers.

Limit Login Attempts

By default, WordPress allows unlimited login attempts, either through the login page or xmlrpc.

Therefore, you need to limit the number of login attempts with incorrect usernames or passwords.

How Hide My WordPress Ghost Will Help You

The Hide My WordPress Ghost plugin limits the rate of login attempts and temporarily blocks the offending IP address.

By default, the maximum number of failed login attempts is 5 and the ban duration is one hour.

With one click you can access the Brute Force Protection Settings tab and simply set the maximum number of failed attempts and the ban duration.

You can also inform the user about the remaining retries or lockout time on the login page.

Restrict Access To The Authentication URLs

What are the URLs that you need to restrict?

The most important URLs are the login page and admin page.

We recommend restricting login page access to only authorized IP addresses if possible.

You can do this by modifying the .htaccess file. However, to do this you will need some programming knowledge.

Hide My WordPress Ghost Will Help You To

Whitelist the IP addresses or range of IP addresses that you want to have access to the login page on your website.

Also, you can ban the IP addresses or range of IP addresses that you never want to be able to access the login page.

You don’t need developer skills for this, and it works with any kind of hosting server.

If you block your IP address by mistake, you can use the safe URL to log in and roll back the settings to their defaults.
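As an added example (not the plugin's own rules and not code from the original page), this is how the allow-list, ban-list and admin-folder password protection described in this section look in .htaccess on Apache 2.4; the IP addresses and the .htpasswd path are placeholders.

```apache
# Added example, not the plugin's own rules: allow-list and ban-list for the
# WordPress login page, plus password protection for the admin folder.
# Needs Apache 2.4 (mod_authz_core). All IP addresses and the .htpasswd path
# below are placeholders; substitute your own.

# --- In the site root .htaccess -------------------------------------------
<Files "wp-login.php">
    <RequireAll>
        # allow-list: only these addresses/ranges may reach the login page
        <RequireAny>
            Require ip 203.0.113.10
            Require ip 198.51.100.0/24
        </RequireAny>
        # ban-list: refused even if it falls inside an allowed range
        Require not ip 198.51.100.99
    </RequireAll>
</Files>

# --- In /wp-admin/.htaccess -----------------------------------------------
# For people who log in from many locations: an HTTP Basic auth prompt in
# front of WordPress's own login instead of pinning the admin area to IPs.
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# admin-ajax.php must stay reachable: public themes and plugins call it
# from the front end, so it is exempted from the password prompt.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

A request that fails either rule receives a 403 from the web server before WordPress runs, so it never counts as a login attempt; if you lock yourself out, the rules have to be edited over FTP or the hosting file manager.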

Hide The Fact That You Are Using WordPress CMS

You can prevent a lot of problems by hiding the fact that you are using WordPress.

Filters you can add to the .htaccess file to protect your website:

  • Protect your WordPress admin area
  • Password protect WordPress admin folder
  • Disable directory browsing
  • Disable PHP execution in some WordPress directories
  • Protect your WordPress configuration file (wp-config.php)
  • Set up 301 redirects through the .htaccess file
  • Ban suspicious IP addresses
  • Disable image hotlinking in WordPress using .htaccess
  • Protect .htaccess from unauthorized access
  • Disable access to the xmlrpc file using .htaccess
  • Block author scans in WordPress

You can do this manually or you can use Hide My WordPress Ghost.

Admin area protection

Limit the access to selected IP addresses only.

Password Protect Admin Folder

If you access your site from multiple locations, then limiting access to specific IPs may not work for you. You can add an additional password protection to your WordPress admin area.

Disable Directory Browsing

With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file.

Disable PHP execution in some WordPress directories

Sometimes hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in the /wp-includes/ or /wp-content/uploads/ folders.

Protect your configuration file wp-config.php

Probably the most important file in your WordPress website’s root directory is wp-config.php. It contains information about your WordPress database and how to connect to it.

Ban suspicious IP addresses

Are you seeing unusually high numbers of requests to your website from a specific IP address? You can easily block those requests by blocking the IP address in your .htaccess file.

Protect .htaccess from unauthorized access

Due to the power and control it has over your web server, it is important to protect .htaccess itself from unauthorized access by hackers.

Disable access to the xmlrpc file

This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third-party apps, then you should disable this feature.

Block author scans in WordPress

A common technique used in brute force attacks is to run author scans on a WordPress site to collect usernames and then attempt to crack the passwords for those usernames.
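The remaining filters from the list above (directory browsing, PHP execution in uploads, wp-config.php and .htaccess protection, xmlrpc, author scans and hotlinking), written out as an added .htaccess example for Apache 2.4 with mod_authz_core and mod_rewrite; these are not the plugin's rules or the page's own code, and example.com stands in for your domain. They only take effect where the host allows .htaccess overrides (AllowOverride).

```apache
# Added example, not the plugin's own rules: .htaccess hardening filters for
# the site root. Needs Apache 2.4 with mod_authz_core and mod_rewrite.
# "example.com" is a placeholder for your own domain.

# Disable directory browsing so the file tree cannot be listed.
Options -Indexes

# Never serve the configuration file, .htaccess or .htpasswd over HTTP.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd)$">
    Require all denied
</FilesMatch>

# Close the XML-RPC endpoint: it accepts a username and password, so it is a
# second login door. Remove this block if a third-party app really needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Block author scans: /?author=N normally redirects to /author/<login>/,
    # which leaks the username for the password-guessing phase. Admin screens
    # use author= for legitimate filtering, so they are excluded.
    RewriteCond %{REQUEST_URI} !^/wp-admin/
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ - [F,L]
    # Keep this line only if you do not publish author archives.
    RewriteRule ^author/ - [F,L]

    # Disable image hotlinking: refuse images when the Referer is another site.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]
</IfModule>

# --- In /wp-content/uploads/.htaccess ------------------------------------
# Refuse to serve PHP from the uploads folder, where dropped backdoors usually
# land. WordPress never needs to execute PHP from here, and files that
# plugins include() from disk are unaffected because this only blocks HTTP.
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```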

Use Captcha

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

The primary goal of a CAPTCHA is to provide an extra layer of security on sensitive pages.

When used as part of a registration, login, or order form, this feature can help stop malicious bots from creating spammy comments or getting access to your personal information.

If you’ve ever been asked to solve a simple math problem or “prove you’re human” before performing an action on a website – you’ve encountered a CAPTCHA.

Google has even implemented a new variety they’re calling the No CAPTCHA reCAPTCHA, which only requires you to check a box.

Attention To Your Passwords

The goal of your password is to make it difficult for other people to guess and difficult for a brute force attack to succeed.

There are many automatic password generators available that can be used to create secure passwords.

Things to avoid when choosing a password:

  – Any permutation of your own real name, username, company name, or name of your website.
  – A word from a dictionary, in any language.
  – A short password.
  – Any numeric-only or alphabetic-only password (a mixture of both is best).
