{"id":3879,"date":"2025-11-03T22:25:50","date_gmt":"2025-11-03T22:25:50","guid":{"rendered":"https:\/\/serverfellows.com\/blog\/?p=3879"},"modified":"2025-11-03T22:26:05","modified_gmt":"2025-11-03T22:26:05","slug":"how-to-protect-wordpress-from-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/","title":{"rendered":"How to Protect WordPress from Brute Force Attacks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/wp-content\/uploads\/2025\/11\/How-to-Protect-WordPress-from-Brute-Force-Attacks.png\" alt=\"How to Protect WordPress from Brute Force Attacks -- How to Protect WordPress from Brute Force Attacks\" class=\"alignnone\" \/><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_76 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 
6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#How_to_Protect_WordPress_from_Brute_Force_Attacks\" >How to Protect WordPress from Brute Force Attacks<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Why_brute_force_protection_matters\" >Why brute force protection matters<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Hide_and_customize_the_admin_login_URL\" >Hide and customize the admin login URL<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Enforce_two-factor_authentication_for_administrator_accounts\" >Enforce two-factor authentication for administrator accounts<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Deploy_a_cloud_WAFCDN_in_front_of_your_site\" >Deploy a cloud WAF\/CDN in front of your site<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Limit_login_attempts_and_surface_anomalies\" >Limit login attempts and surface anomalies<\/a><\/li><li class='ez-toc-page-1 
ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Keep_core_themes_and_plugins_updated\" >Keep core, themes, and plugins updated<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Harden_wp-config_and_file_permissions\" >Harden wp-config and file permissions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Change_the_default_%E2%80%9Cadmin%E2%80%9D_username_and_audit_display_names\" >Change the default \u201cadmin\u201d username and audit display names<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Review_user_roles_and_remove_inactive_accounts\" >Review user roles and remove inactive accounts<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Enforce_strong_password_policies\" >Enforce strong password policies<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Strengthen_visibility_logs_alerts_and_reports\" >Strengthen visibility: logs, alerts, and reports<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Optional_but_valuable_geofencing_allowlists_and_honeypots\" >Optional but valuable: 
geofencing, allowlists, and honeypots<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Backups_and_recovery_prepare_for_what-ifs\" >Backups and recovery: prepare for what-ifs<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Quick_start_checklist\" >Quick start checklist<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#When_a_managed_partner_makes_sense\" >When a managed partner makes sense<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/serverfellows.com\/blog\/how-to-protect-wordpress-from-brute-force-attacks\/#Conclusion\" >Conclusion<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h1><span class=\"ez-toc-section\" id=\"How_to_Protect_WordPress_from_Brute_Force_Attacks\"><\/span>How to Protect WordPress from Brute Force Attacks<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>If your site runs on WordPress, automated bots will eventually try to guess their way into your dashboard. They target the login page and hammer it with thousands of password combinations, hoping one will open the door. Knowing <strong>how to protect WordPress from brute force attacks<\/strong> is therefore essential, not optional. 
The good news is that a handful of practical changes can drastically reduce noise, protect accounts, and preserve server resources \u2014 without making life difficult for legitimate users.<\/p>\n<p>This guide explains <strong>how to protect WordPress from brute force attacks<\/strong> using layered defenses: hide default login paths, enforce two-factor authentication, put a cloud WAF\/CDN in front of your origin, limit login attempts, monitor suspicious behavior, lock down key files and permissions, maintain updates, and set strong credential policies. You\u2019ll find examples, checklists, and small configuration tips you can apply today.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why_brute_force_protection_matters\"><\/span>Why brute force protection matters<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A brute force attack is simple but relentless. Scripts cycle through usernames and passwords against your login endpoint; some rely on leaked credentials, others try the most common combinations. Even if none succeed, these waves consume CPU, PHP workers, and database connections. The result can be slow admin screens, timeouts during peak traffic, and even crashes. Search engines may flag performance drops, and your team wastes time fielding complaints.<\/p>\n<p>Learning <strong>how to protect WordPress from brute force attacks<\/strong> keeps your site responsive and your data safe. It also reduces alert fatigue: by cutting the background noise, real anomalies stand out and are easier to investigate.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Hide_and_customize_the_admin_login_URL\"><\/span>Hide and customize the admin login URL<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Default login paths \u2014 <code>\/wp-login.php<\/code>, <code>\/wp-admin<\/code>, <code>\/login<\/code>, <code>\/admin<\/code> \u2014 are the first places bots probe. 
Obscuring them doesn\u2019t stop a targeted attacker, but it removes you from the broad, automated sweeps that hit every site.<\/p>\n<p>Practical steps:<\/p>\n<ul>\n<li>Use a lightweight tool (for example, WPS Hide Login) to set a custom login path. Force the old paths to return a <strong>404<\/strong>.<\/li>\n<li>Store the new URL securely in your password manager and share it only with authorized users.<\/li>\n<li>Rate-limit or block hits to the old paths at your WAF so scanners get discouraged quickly.<\/li>\n<li>Keep an emergency recovery plan: if you forget the custom path, you should be able to rename the plugin folder via SFTP and regain access.<\/li>\n<\/ul>\n<p>This single change often eliminates the majority of automated probes. If you prefer managed help, a specialist host like <a href=\"https:\/\/serverfellows.com\">ServerFellows.com<\/a> can set up a protected custom path and pair it with upstream filtering.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Enforce_two-factor_authentication_for_administrator_accounts\"><\/span>Enforce two-factor authentication for administrator accounts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Passwords fail for two reasons: they are guessed, or they are stolen elsewhere and reused. Two-factor authentication (2FA) neutralizes both scenarios by requiring a second verifier during login.<\/p>\n<p>How to do it well:<\/p>\n<ul>\n<li>Enable 2FA for all administrator accounts and for any editor who can install plugins or change themes.<\/li>\n<li>Favor app-based codes (TOTP) over SMS. 
Popular authenticators include Microsoft Authenticator and Authy.<\/li>\n<li>Issue backup codes to prevent lockouts and store them in a password manager.<\/li>\n<li>Require 2FA setup at next login for all privileged users to avoid long adoption gaps.<\/li>\n<li>Review your users list monthly and confirm everyone with elevated access has 2FA enabled.<\/li>\n<\/ul>\n<p>Adding 2FA is the single most effective answer to the question <strong>how to protect WordPress from brute force attacks<\/strong> when credentials leak. Even if a password is compromised, the attacker still can\u2019t pass the second check.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Deploy_a_cloud_WAFCDN_in_front_of_your_site\"><\/span>Deploy a cloud WAF\/CDN in front of your site<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A Web Application Firewall (WAF) sits between the internet and your origin, evaluating each request before it touches PHP or MySQL. A good WAF recognizes login floods, throttles bad IPs, applies reputation lists, and challenges suspicious traffic. When paired with a CDN, static assets are cached at the edge and your origin stays responsive for real users.<\/p>\n<p>Capabilities to enable:<\/p>\n<ul>\n<li><strong>Bot and credential-stuffing mitigation:<\/strong> Detect rapid login attempts and block networks known for abuse.<\/li>\n<li><strong>Rate limiting:<\/strong> Cap requests to the login path per IP and per subnet. Use sensible thresholds so support teams can still sign in.<\/li>\n<li><strong>\u201cUnder attack\u201d mode:<\/strong> Temporary hardened ruleset for high-volume events.<\/li>\n<li><strong>Detailed logs:<\/strong> Keep request logs and export them periodically for incident reviews.<\/li>\n<li><strong>Origin cloaking:<\/strong> Hide your server\u2019s IP to prevent bypassing the WAF.<\/li>\n<\/ul>\n<p>Cloudflare and Sucuri are common choices. 
If you\u2019d like someone to configure DNS, WAF, and the right rules for your stack, the team at <a href=\"https:\/\/serverfellows.com\">ServerFellows.com<\/a> can implement and monitor this layer.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Limit_login_attempts_and_surface_anomalies\"><\/span>Limit login attempts and surface anomalies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>WordPress does not limit login attempts by default. Throttling makes brute forcing inefficient and slows down attackers to a crawl.<\/p>\n<p>Practical configuration:<\/p>\n<ul>\n<li>Install a login limiter (e.g., Limit Login Attempts Reloaded or a security suite with that feature).<\/li>\n<li>Start with a threshold such as five failures per IP within fifteen minutes, then lockout for thirty minutes. Repeat offenses can extend the lock.<\/li>\n<li>Trigger a challenge (CAPTCHA or similar) after the first lockout to separate humans from scripts.<\/li>\n<li>Whitelist static office IPs and your upstream WAF ranges so your team isn\u2019t blocked.<\/li>\n<li>Disable XML-RPC if unused, or restrict it to known apps. XML-RPC can amplify brute force attempts.<\/li>\n<\/ul>\n<p>Monitoring tips:<\/p>\n<ul>\n<li>Enable email or webhook alerts when lockouts spike or when a single subnet trips multiple lockouts across sites.<\/li>\n<li>Review username patterns. Attempts against \u201cadmin\u201d, \u201ctest\u201d, or your domain name reveal credential stuffing campaigns.<\/li>\n<li>Export failed login logs weekly and scan for repeating sources that should be blocked at the WAF.<\/li>\n<\/ul>\n<p>This is a simple, essential layer in <strong>how to protect WordPress from brute force attacks<\/strong>, because it wastes attacker time while notifying you early.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Keep_core_themes_and_plugins_updated\"><\/span>Keep core, themes, and plugins updated<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Attackers don\u2019t always go through the front door. 
Outdated plugins and themes often contain vulnerabilities that are already fixed in newer releases and that allow privilege escalation or file writes. A disciplined update routine closes those doors before bots test them.<\/p>\n<p>Adopt these habits:<\/p>\n<ul>\n<li>Turn on automatic <strong>minor<\/strong> core updates. Schedule <strong>major<\/strong> upgrades after a fresh backup.<\/li>\n<li>Remove unused plugins and themes. If it\u2019s not active and necessary, it\u2019s risk without benefit.<\/li>\n<li>Prefer maintained plugins with recent releases and clear changelogs.<\/li>\n<li>Test major updates on a staging copy before pushing to production.<\/li>\n<li>Keep an offsite backup (files and database) with periodic restore tests.<\/li>\n<\/ul>\n<p>This routine might feel mundane, but it\u2019s central to <strong>how to protect WordPress from brute force attacks<\/strong> because many intrusion attempts pivot through outdated code once attackers hit rate limits on the login screen.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Harden_wp-config_and_file_permissions\"><\/span>Harden wp-config and file permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Your <code>wp-config.php<\/code> file contains database credentials and security keys. 
Limiting who can read or change it is fundamental.<\/p>\n<p>Checklist:<\/p>\n<ul>\n<li>If your host supports it, move <code>wp-config.php<\/code> one directory above the public web root.<\/li>\n<li>Apply strict permissions:\n<ul>\n<li><code>wp-config.php<\/code>: 400 or 440<\/li>\n<li>Other PHP files: 644<\/li>\n<li>Directories: 755<\/li>\n<\/ul><\/li>\n<li>Disable theme\/plugin editing in the dashboard by adding this line to <code>wp-config.php<\/code>: <code>define(&#039;DISALLOW_FILE_EDIT&#039;, true);<\/code><\/li>\n<li>Ensure ownership and write permissions are minimal \u2014 the web server user should write only where uploads or cache directories require it.<\/li>\n<li>Restrict PHP execution in <code>wp-content\/uploads<\/code> (via <code>.htaccess<\/code>, Nginx rules, or your security plugin) to prevent uploaded shells from running.<\/li>\n<\/ul>\n<p>These steps don\u2019t just stop brute force side effects; they also restrict damage if any credential is compromised. Many managed stacks, including plans from <a href=\"https:\/\/serverfellows.com\">ServerFellows.com<\/a>, apply hardened templates automatically.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Change_the_default_%E2%80%9Cadmin%E2%80%9D_username_and_audit_display_names\"><\/span>Change the default \u201cadmin\u201d username and audit display names<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Attackers commonly assume the username \u201cadmin,\u201d then pound passwords against it. 
Removing predictable usernames is a quick win.<\/p>\n<p>Best practice:<\/p>\n<ul>\n<li>Create a new administrator with a unique username, log in as that user, and delete the old \u201cadmin,\u201d transferring posts to the new account.<\/li>\n<li>Avoid using your site title or email prefix as a username.<\/li>\n<li>Set your public \u201cdisplay name\u201d to something that isn\u2019t the actual login to avoid exposing usernames in author archives.<\/li>\n<\/ul>\n<p>Combine this with 2FA and strong passwords for a sharp drop in successful guessing attempts.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Review_user_roles_and_remove_inactive_accounts\"><\/span>Review user roles and remove inactive accounts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Over time, teams change. Contractors finish projects. Old accounts linger with permissions they no longer need. Every unnecessary account expands your attack surface.<\/p>\n<p>To keep access tight:<\/p>\n<ul>\n<li>Export your users monthly and sort by last login where available.<\/li>\n<li>Deactivate accounts inactive for ninety days; remove them after verification. Transfer content ownership before deletion.<\/li>\n<li>Require least privilege: editors should not be administrators; contributors should not upload files unless necessary.<\/li>\n<li>Subscribe to notifications for new users and role changes.<\/li>\n<\/ul>\n<p>Regular role audits are a quiet but powerful part of <strong>how to protect WordPress from brute force attacks<\/strong> \u2014 they reduce the number of doors attackers can try.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Enforce_strong_password_policies\"><\/span>Enforce strong password policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Weak passwords are the fuel of brute force campaigns. 
Set rules that make weak guesses useless.<\/p>\n<p>Policy recommendations:<\/p>\n<ul>\n<li>Minimum length of 12\u201316 characters.<\/li>\n<li>Mix of upper\/lowercase letters, numbers, and symbols.<\/li>\n<li>Deny commonly breached passwords through a blocklist.<\/li>\n<li>Unique credentials per user and per site; no reuse across projects.<\/li>\n<li>Encourage password managers for generation and storage.<\/li>\n<li>Rotate passwords only after suspected compromise; forced periodic rotation can degrade quality.<\/li>\n<li>Invalidate sessions on password change and set session timeouts for admins.<\/li>\n<\/ul>\n<p>A robust policy supports everything else you\u2019re doing in <strong>how to protect WordPress from brute force attacks<\/strong> and ensures your rate limits aren\u2019t the only defense.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Strengthen_visibility_logs_alerts_and_reports\"><\/span>Strengthen visibility: logs, alerts, and reports<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can\u2019t respond to what you don\u2019t see. 
Centralized logs and clear alerts turn scattered events into actionable signals.<\/p>\n<p>Practical setup:<\/p>\n<ul>\n<li>Enable security and access logs at your WAF\/CDN and origin.<\/li>\n<li>Use a logging plugin or server-level tool to record login attempts, password resets, new user creation, and role changes.<\/li>\n<li>Forward logs to a central location or export weekly for review.<\/li>\n<li>Create a short runbook: who to notify, what to capture (timestamps, IPs, user agents), and how to block at the edge.<\/li>\n<\/ul>\n<p>If you lack time to maintain this, consider a managed plan with continuous monitoring from <a href=\"https:\/\/serverfellows.com\">ServerFellows.com<\/a> so spikes in failed logins are handled quickly.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Optional_but_valuable_geofencing_allowlists_and_honeypots\"><\/span>Optional but valuable: geofencing, allowlists, and honeypots<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Some sites have predictable administrator locations. If your admin team signs in from a limited set of networks, consider narrowing who can even see the login screen.<\/p>\n<p>Ideas that help:<\/p>\n<ul>\n<li>Restrict <code>\/wp-login.php<\/code> and your custom login path to a small allowlist of IPs at the WAF.<\/li>\n<li>Apply geofencing to block login attempts from regions with no business need.<\/li>\n<li>Add a simple honeypot field to trip and filter basic bots without affecting humans.<\/li>\n<li>Use server-side tools like Fail2Ban to block IPs that hit multiple 401\/403 responses.<\/li>\n<\/ul>\n<p>These techniques make sense for higher-risk environments and pair well with the basics of <strong>how to protect WordPress from brute force attacks<\/strong>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Backups_and_recovery_prepare_for_what-ifs\"><\/span>Backups and recovery: prepare for what-ifs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Security is also about resilience. 
If something goes wrong, you should restore quickly with minimal data loss.<\/p>\n<p>Essentials:<\/p>\n<ul>\n<li>Maintain automated daily backups and on-demand snapshots before major changes.<\/li>\n<li>Keep copies offsite and verify restoration steps quarterly.<\/li>\n<li>Document recovery: who holds credentials, where backups live, which DNS or WAF settings must be adjusted during a restore.<\/li>\n<\/ul>\n<p>A crisp recovery plan limits downtime and reputational damage even if a brute force campaign triggers other issues.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Quick_start_checklist\"><\/span>Quick start checklist<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Use this condensed list to implement <strong>how to protect WordPress from brute force attacks<\/strong> today:<\/p>\n<ol>\n<li>Hide the login URL and return 404 on default paths.<\/li>\n<li>Enforce 2FA for all administrators; issue backup codes.<\/li>\n<li>Put a cloud WAF\/CDN in front of your site with rate limiting.<\/li>\n<li>Limit login attempts and enable challenges after lockouts.<\/li>\n<li>Disable XML-RPC if unused; otherwise restrict it tightly.<\/li>\n<li>Keep core, themes, and plugins updated; remove anything abandoned.<\/li>\n<li>Harden <code>wp-config.php<\/code>, set strict file permissions, and disable file editing.<\/li>\n<li>Replace the \u201cadmin\u201d username; set non-login display names.<\/li>\n<li>Audit users monthly; remove inactive accounts and enforce least privilege.<\/li>\n<li>Apply strong password rules and session timeouts.<\/li>\n<li>Centralize logs and alerts; maintain a short incident runbook.<\/li>\n<li>Consider geofencing and allowlists for the login path.<\/li>\n<li>Keep tested backups and document restoration steps.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"When_a_managed_partner_makes_sense\"><\/span>When a managed partner makes sense<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Some teams want these tasks done once and maintained 
quietly in the background. If that\u2019s you, look for a provider that understands <strong>how to protect WordPress from brute force attacks<\/strong> at the DNS, WAF, server, and application levels. A service like <a href=\"https:\/\/serverfellows.com\">ServerFellows.com<\/a> can configure your WAF, set safe login limits, enforce 2FA, monitor logs, and step in during incidents so your site stays fast and dependable.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Brute force protection isn\u2019t a single switch. It\u2019s a compact set of habits that work together: hide predictable paths, require a second factor, filter traffic before it hits PHP, set fair but firm login limits, keep software current, lock down sensitive files, and watch the logs. Follow these steps and you\u2019ll not only understand <strong>how to protect WordPress from brute force attacks<\/strong> \u2014 you\u2019ll make those attacks boringly ineffective. Your dashboard stays yours, your resources serve real visitors, and your team spends time building instead of firefighting. 
If you\u2019d like help implementing or maintaining this stack, the specialists at <a href=\"https:\/\/serverfellows.com\">ServerFellows.com<\/a> can get you there quickly and keep watch as your site grows.<\/p>","protected":false},"excerpt":{"rendered":"<p>Keep attackers at bay with smart URL cloaking, 2FA, WAFs, rate limits, and updates\u2014discover the exact steps to harden WordPress before the next hit arrives.<\/p>","protected":false},"author":1,"featured_media":3901,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[743],"tags":[1730,1760,1731],"class_list":["post-3879","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-24-7-hosting-support-uae","tag-brute-force-protection","tag-how-to-protect-wordpress-from-brute-force-attacks","tag-site-hardening"],"_links":{"self":[{"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/posts\/3879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/comments?post=3879"}],"version-history":[{"count":2,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/posts\/3879\/revisions"}],"predecessor-version":[{"id":3917,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/posts\/3879\/revisions\/3917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/media\/3901"}],"wp:attachment":[{"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/media?parent=3879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/categories?post=3879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serverfellows.com\/blog\/wp-json\/wp\/v2\/tags?post=3879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}