FAQ: Preventing Brute Force Attacks on WordPress

Preventing brute force attacks and providing WordPress brute force protection is relatively straightforward. Malicious attacks on your website are usually designed to hurt your business by making your site slow, unreliable or unavailable for extended periods of time. This may be done via DDoS (distributed denial of service) attacks and prolonged brute force login assaults. This activity is costly if contracted out, so it is more often than not a deliberate campaign by a competitor, disgruntled employee or client rather than a completely random attack.

FAQ: WordPress Brute Force Protection

What are Brute Force Attacks?

Brute force attacks come in different forms, and a range of attack software is available to those intent on getting into your website and/or server. For a full outline of brute force login goals and methods, see:

Defensive hacking – how to prevent a brute force attack

A heavy Brute Force Login attack launched simultaneously from multiple sites and aimed at your server could have an impact similar to a DDoS attack:

  • The server load increases sharply.
  • Websites become unresponsive.
  • Access to WHM, cPanel or FTP may time out.
  • Sites may display an “Error connecting to database” message.
  • In some cases, one or more databases may be corrupted.

Preventing brute force attacks is a high priority for all websites! It is best to do it before an attack commences, rather than flailing around in the midst of a crisis trying to implement an effective WordPress brute force protection solution.

What is the Impact of Brute Force Attacks?

Any excessive activity on YOUR site has an immediate negative impact on neighbouring websites on the same server. A sustained login attack can generate an impact similar to a Denial of Service attack.

How can I protect my site from Brute Force Login Attacks?

There are two proactive methods to protect your website:

  1. Install a security plugin such as Limit Login Attempts Reloaded or Wordfence Login Security.
  2. Reduce the server load by ensuring page load speed is optimised and working to your advantage, and that resources are not being hogged by bad plugins.

Does reducing Server Load help?

Anything you do to reduce the load on your websites significantly helps your hosting server cope with external loads generated by someone intent on harm.

  1. Install and configure good caching plugins: WP Rocket Cache plus Docket Cache (object caching and OPcache) and Asset Cleanup will boost your WordPress page load speed, make your site fast and lean, and ease server resource consumption, enabling greater resilience.
  2. Offload some of your server load to a Content Delivery Network such as Cloudflare – which also has additional security layers at the network level – i.e. before an attacker actually reaches your site.

How much does Cloudflare help?

A “basic” account is free, so there is little excuse for not using this CDN. It's easy to set up and has multiple security functions that can help you screen out attackers. My experience with Cloudflare is extremely positive – every site I own is on it, as are most websites I manage. It’s truly epic value and I’m always appreciative of what it does.

  • Page Rules: should be applied to the wp-login.php pages. Cache level = Bypass and Security = High.
  • Bot Fight mode: blocks known bad bots from reaching your site.
  • Email Obfuscation: this stops bots harvesting your email addresses listed on your website.
  • Firewall: set known bad countries (Russia, Belarus, China, Iran, North Korea, Indonesia, Turkey, Brazil) to “Managed challenge” to slow down queries and block the known bad actors.

The $5 per month APO (Automatic Platform Optimization) for WordPress is a very good thing too, especially if you have a WooCommerce shop installation.

In summary, preventing brute force attacks from achieving any success is not technically difficult. However, you need to protect both:

  • Your hosting account control panel with a secure password.
  • Your WordPress login by limiting login attempts and using a secure password. Implementing 2-Factor Authentication also makes sense, especially if your site is under attack.

Page last updated on Wednesday, October 11, 2023 by the author Ben Kemp