How to prevent WordPress site from Bruteforce Attacks.

What are the Bruteforce attacks?

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed ‘inelegant’, they can be very successful when people use passwords like ‘123456’ and usernames like ‘admin.’

They are, in short, an attack on the weakest link in any website’s security… you.

Due to the nature of these attacks, you may find your server’s memory goes through the roof, causing performance problems. This is because the number of HTTP requests (that is the number of times someone visits your site) is so high that servers run out of memory.
This sort of attack is not endemic to WordPress, it happens with every web app out there, but WordPress is popular and thus a frequent target.
A common attack point on WordPress is to hammer the wp-login.php file over and over until they get in or the server dies.

How do Bruteforce attacks impact your site?

Once an attacker starts brute-forcing your login page with different tools your server starts experience load responding to all the queries made by the attacker.

If the attacker starts hitting your site with more load than the server can handle you may experience a server breakdown (DOS- Denial of Service).This may affect your customer’s experience hence leaving your customer unhappy.

More importantly, if the hacker manages to break through the password of the Admin account he now has access to the entire site and can bring it down or even inject different malware inside the servers affecting your customers.

Simple Demo of Bruteforce attack

For this attack, we will be using a local instance of our WordPress site, and later through the document, we will show you how to prevent them from using a few simple steps.

  • Local Wordpress instance:-


NOTE - The hackers can access your Usernames by exploiting the WordPress REST API injection without logging into the account.

  • Example - By inserting “ http://localhost/test_site/wp-json/wp/v2/users “ the line of text inside the URL we get access to the usernames registered in the site.

  • Now that the hacker has the Username - admin1 the hacker can make a custom password list to target this user and try to Bruteforce into the account.We can prevent this injection by using our WP Security plugin. You can read more about this in the WP REST API protection guide.

    The password list -

  • Hackers Brute forcing Script:- Here Hacker has written a simple login brute-forcing script that tries different passwords using a password list against a username and tries to brute force the password.

  • After running the script.


Since the login page did not have a limit on a number of requests a user can attempt before being redirected to resetting his password the hacker could execute a list of passwords and here we see on the 41st attempt he was able to crack the password for the website.

We can see in the output that

  • USERNAME - admin1
  • PASSWORD - password

How to Protect your site from these attacks?

To protect your website from these simple flaws which can lead to a huge loss in the site. You can easily set up a Login and Spam limit on your website using our WordPress Security Pro plugin and setting the limit to the Login option so that the hacker cannot run such scripts to brute force your website because “ The plugin automatically blocks the attacker IP after a set amount of Login Trials “.

Simple Demo of Setting up Login and Spam Limit:-
  • STEP 1:-

    Search for our plugin using miniorange firewall in the plugins section under your WordPress dashboard.


    Install the plugin WordPress Security-Firewall and activate it.

  • STEP 2:-

    Go to the WP Security Pro dashboard and go under than Login and spam protection section. Here you should find the Brute Force Protection section and you can set the limit on the Login attempts and if it is crossed you can also set the Time Period for which IP should be blocked.


    Time Periods can be

    • Permanent
    • Months - No of Months
    • Days - No of Days
    • Hours - No of Hours

    After completing these two steps you are all set and ready to SAVE your settings and defend against those HACKERS.

Affects of the plugin:

After the plugin is set up the hackers can no more try to brute force your website.

To test it you can log out of your account and enter the wrong credentials and should be prompted with an Error message showing the number of Login attempts left (Can be turned off as per user choice) from the plugin.

  • Login Counter



  • Now if the attacker runs a brute-forcing script after 5 attempts his IP will be blocked for the specified time or permanently.

  • As you see this time the script was stopped after 10 attempts and had prompted a wrong password to the hacker.(Which are faking the hacker). Now when the hacker goes to the site he finds himself blocked from the website and cannot access it.


Now you are safe from attackers in just a simple two-step process using our plugin. Hopefully, this was a helpful guide for you.

Happy Defending.

Hello there!

Need Help? We are right here!

Contact miniOrange Support

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to