WordPress Brute Force Attack

4 measures to prevent brute force attacks on your WordPress

What are brute force attacks, what do attackers use them for and how can you prevent these attacks on your WordPress? You’re probably asking yourself questions like these when you’re dealing with this topic. We have collected answers to these questions.

What are brute force attacks?

Brute force attacks are attempts to gain access to your system (in your case, presumably your WordPress). This is done by trying to guess a user name and the corresponding password. After all, this account already has access to the system.

It is a very simple and primitive method (as the name suggests – brute force = blunt force) which is still very effective. At the same time, it is also very easy to prevent.

What types of brute force attacks are there?

There are small but subtle differences between brute force attacks and their attack scenarios. The most common types can be divided into 5 categories:

  1. Simple brute force attack
  2. Dictionary Attack
  3. Hybrid Brute Force Attack
  4. Reverse Brute Force Attack / Password Spraying
  5. Credential stuffing

We present each of these categories in detail below.

1. Simple brute force attack

This is the purest form of brute force attack. It tries out any combination of characters one by one – without any research or special procedure other than simply counting characters up or down.

Credit: Matthias Held

This method is simple, but costs time or a lot of computing power. Nevertheless, it is still a valid method with increasingly powerful processors or the possibility of unleashing many different systems on an attack target at the same time (for example with the help of botnets or cloud servers).

There are both laboratory tests and real-world applications that can crack an 8-character password in less than 12 minutes. As technology advances, it will become even faster and easier to get to the target. Therefore, this method remains a favourite with attackers who have a specific target in mind.

Advantage: Any password can be guessed.
Disadvantage: It can take a long time and requires a lot of computing power.

Good defence methods: Use long passwords with a wide range of characters.

2. Dictionary attack

Unlike the Simple Brute Force method, the Dictionary Attack uses an existing data set for testing.

This can be data from different sources:

  1. Actual dictionaries, for example, all words from the Duden dictionary.
  2. Password lists such as the 10,000 most frequently used passwords.
  3. Passwords from previous breaches (usernames and passwords from previous hacks of websites and applications).

The first variant is becoming less and less important, but the last two have become increasingly important over the years, as the amount of data in these lists naturally increases with increasing cyberattacks.

Credit: Matthias Held

Advantage: As users like to use passwords that are also memorable, they often make it easy for themselves and use individual words from the dictionary or names over and over again on all services, websites and apps. The probability of success in gaining access is therefore quite high and the method is significantly faster than a simple brute force.

Disadvantage: Probability of success is no longer 100 %.

Good defence methods: Do not use individual words from the dictionary or names, objects or the like. Also, only use the same password for one account and not for several.

3. Hybrid brute force attack

The Hybrid Brute Force Attack is a combination of the Simple Brute Force Attack and the Dictionary Attack.

This involves taking a word from the Simple Brute Force and combining it with potential numbers that are often used, such as a year of birth or wedding date. This drastically limits the number of potential attempts and thus simplifies the attack process.

Credit: Matthias Held

Advantage: This method has the same advantage as the dictionary attack; here, however, the number of attempts is extended by simple additions of characters such as smileys in text form or years (Maga2020 is a famous example).
Disadvantage: The probability of success is no longer 100 %, as with Dictionary Brute Force.

Good defence methods: Avoid using data or numbers that are important to you in passwords.

4. Reverse brute force attack or password spraying

Attackers try to combine a password with different user names. The user name varies, but the password remains the same.

Credit: Matthias Held

Advantage: As described above, people tend to reuse their passwords and use the most memorable ones possible. This also applies to this type of attack. In addition, you can use it to bypass a lock-out (login lock for the account) if too many attempts are made on the same user account.

Disadvantage: This method can lead to many accesses, but perhaps not to the accounts you want.

Good defence methods: As standard lists of user account names are usually used here too (insofar as the names cannot be read out directly), it is advisable to choose a hard-to-guess user name with many alphanumeric characters and special characters, just as with the password.

5. Credential stuffing

Data from past breaches (see Dictionary Attack, point 2) also plays a role here. Credential stuffing does nothing other than reuse the login data from existing breaches.

So, for example, if you have entered the username [email protected] and the password Cola123 somewhere on a website or app and this data has been obtained through a breach, attackers will use it to log in to other services and applications.

Credit: Matthias Held

This attack has a very high chance of success and is becoming increasingly popular. It is therefore currently one of the most dangerous.

You can check whether one of your accounts has already been breached on the website haveibeenpwned.com.

Raidboxes and breaches

When a new user account is created, Raidboxes checks whether the password has ever been breached (anonymously and untraceably).

Advantage: The fact that people are creatures of habit also comes into play here. Most people use the same email address and password for many services. This also prevents accounts from being locked out, as is the case with reverse brute force.

Disadvantage: With this attack, you have to find out beforehand whether the person whose account you want to access also uses the service/website/app. However, if you simply want access at all, it is a very successful method.

Good defence methods: Never use the same login details more than once. Keep them unique everywhere you register.

How do I protect my WordPress website from brute force attacks?

I often read and hear the advice: “Just use secure passwords.”

This may be true in principle, but with enough time and resources, any login combination can be cracked via brute force if no other protective measures are used.

These attacks also mean avoidable load on your server – and this not only harms the loading time of your website, but also your wallet if your host charges according to traffic.

The best method is still to prevent these attacks in the first place and block access completely.

At server level

Measure 1: Block unauthorised requests to your login form

No matter how secure a login combination you use, it can be cracked given enough time and computing power if no further protection is in place.
The most efficient way is therefore to create protection that completely blocks any unauthorised request to your WordPress login form. This prevents automated and manual attacks from getting through in the first place. Ultimately, this also protects your server.

There are several options for this. Not every option is suitable for everyone; it depends on how technically savvy you are and how many setting options you have with regard to your DNS and server settings.

Tip: Create IP Allow List

Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️🛠️🛠️

If you always access the Internet with the same IP address, for example because you have your own VPN or a fixed IP in your agency, the safest method is to create an allow list for this IP on the /wp-admin and /wp-login.php paths.


If your web server runs on Apache, add this part to your .htaccess:

RewriteEngine on
# Match the login script and the admin area
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... unless the request comes from an allowed IP (one line per IP)
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Everything else gets a 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]

Important: In the line containing REMOTE_ADDR, replace only the numbers with those of your IP address.
For example, if your IP is 95.217.228.176, the line should read:

RewriteCond %{REMOTE_ADDR} !^95\.217\.228\.176$

Add a separate line for each permitted IP address. Then restart your Apache service so that the changes are applied.


If your web server runs on nginx, add this snippet to the server block of your virtual host file. Again, you must add an allow line for each permitted IP address.

location = /wp-login.php {
    allow 123.123.123.123;   # IP address 1 (replace with your own; one line for each permitted IP address)
    allow 123.123.123.124;   # IP address 2 (replace with your own)
    deny all;                # everyone else gets a 403 Forbidden
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}


Restart your nginx service so that the changes are applied.

Tip: Use a CDN firewall

Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️

CDNs can offer very good protection by configuring the firewall so that it activates a Captcha query before the login form.
Here is a tutorial for Cloudflare. You can create up to 5 rules in the free Cloudflare plan.

1. Log in to your Cloudflare dashboard, go to Firewall and create a new firewall rule.

2. The data of the rule are:

That's it.

Tip: Create blocklist via Fail2Ban

Protection: 🔒🔒🔒🔒
Technical effort: 🛠️🛠️🛠️🛠️

If you don’t have a fixed IP and don’t use a CDN, you can create a blocklist via Fail2Ban. You can find good tutorials here:

Please note, however, that you have to adapt this specifically to the /wp-login URL.
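As an added example (not taken from the tutorials linked above or from Fail2Ban itself), the following Python script shows the logic such a blocklist filter has to implement for the /wp-login URL: it scans constructed Apache access-log lines for POST requests to wp-login.php that were answered with HTTP 200 (a failed WordPress login re-renders the form; a successful one redirects with 302) and reports every client IP that exceeds a Fail2Ban-style maxretry/findtime threshold. The log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines. A failed WordPress login re-renders the
# form with HTTP 200; a successful one redirects with 302. 203.0.113.5 hammers the form,
# 198.51.100.7 logs in once, 192.0.2.9 fails three times spread over 24 minutes.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:10:00:11 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3021 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:24:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

# Same shape as a Fail2Ban failregex: client IP, timestamp, POST to wp-login.php, status 200.
FAILED_LOGIN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php(?:\?\S*)? HTTP/[\d.]+" 200 '
)

def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: time of the attempt that crossed the threshold} for every IP with at
    least `maxretry` failed logins inside a sliding window of `findtime` seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failed attempts still inside the window
    banned = {}
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        t = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append(t)
        while t - q[0] > window:   # drop attempts that have fallen out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = t
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(ACCESS_LOG.splitlines()).items():
        print(f"ban {ip} (threshold crossed at {when:%H:%M:%S})")
```

In a real Fail2Ban filter the same regex goes into failregex with `<HOST>` in place of the `ip` group, and maxretry/findtime/bantime are set in the jail.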

Tip: Use Raidboxes Dashboard

Protection: 🔒🔒🔒🔒🔒
Technical effort: 🛠️

In combination with a secure username and password and Raidboxes Single Sign On.

Raidboxes customers already have a configurable anti-brute force module on each of their instances.
Together with Single Sign On, this is one of the highest security settings you can have, without any technical effort.

In WordPress itself

If you have followed these steps, you are very well protected against attacks.
However, if you are unable to apply these solution(s) because you may not have access to your server settings or DNS records for setting up a CDN, I have a few other steps for you here.

Measure 2: Prevent username enumeration

Before we look at secure passwords, let’s start at the beginning: with usernames.

Usernames account for 50 per cent of the login credentials, and WordPress unfortunately makes it very easy to read out the (login) names of all accounts created with admin rights, and this can be automated. You can prevent this either by securing your WordPress yourself or by installing the following plugins.

Tip: Solution via plugins

Protection: 🔒🔒🔒🔒
Technical effort: 🛠️

Plugin 1: Unified Login Error Messages
This plugin suppresses the output of different error messages in the event of incorrect login attempts. This is because WordPress currently issues a different error message if a user name exists or does not exist. This makes it easy to recognise whether the entered user exists.

Plugin 2: Stop User Enumeration
Stop User Enumeration does exactly what it says: It blocks unauthorised requests to your WordPress, for example to read out user names via the author archive.

Tip: Solution via functions.php

Protection: 🔒🔒🔒🔒
Technical effort: 🛠️🛠️

If you prefer to take control yourself, you can adjust the functions.php of your active theme (please make a backup beforehand).

Add the following code:

PHP Code

// Only apply outside the admin area (logged-in admins still need author queries)
if (!is_admin()) {
    // RegEx to check if the request went to a "/?author=INT" endpoint
    if (isset($_SERVER['QUERY_STRING']) && preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) {
        die();
    }
    add_filter('redirect_canonical', 'stop_user_enum', 10, 2);
}

function stop_user_enum($redirect, $request) {
    // RegEx to check if the request went to a "/?author=INT" endpoint, but with the permalink URL format
    if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) {
        die();
    }
    return $redirect;
}

Tip: Use Raidboxes Dashboard

Protection: 🔒🔒🔒🔒
Technical effort: 🛠️

Raidboxes customers benefit from ready-made solutions in the Raidboxes dashboard. There is nothing more to do than to set them up.

Measure 3: “Just use secure passwords”

Note: At Raidboxes, when registering a new account, we ask for things that make brute force queries much more difficult. This includes:

  • Specified minimum length
  • Complexity
  • whether the password can be found in the dictionary (English or German)
  • whether it contains a date
  • whether it has ever been in a known password breach (anonymous and untraceable)
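The checks in this list, as an added example in Python (not Raidboxes' own registration code): minimum length, character-class complexity, a dictionary lookup, a date/year pattern, and a breach check done the anonymous way, where only the first five hex characters of the password's SHA-1 hash would leave the host and the rest is compared locally. The word list and the breach "range" data are constructed stand-ins so the script runs offline; `range_lookup` is a hypothetical replacement for the real HTTPS range query.

```python
import hashlib
import re

# Constructed mini word list standing in for the English/German dictionaries.
DICTIONARY = {"password", "sommer", "winter", "cola", "sunshine"}

def sha1_prefix_suffix(pw):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for a breach service's k-anonymity range data:
# prefix -> {suffix: number of breaches}. Only the prefix would ever leave the host.
BREACH_DB = {}
for _pw, _count in (("Cola123", 1234), ("password", 999999)):
    _prefix, _suffix = sha1_prefix_suffix(_pw)
    BREACH_DB.setdefault(_prefix, {})[_suffix] = _count

def range_lookup(prefix):
    """Hypothetical stand-in for the HTTPS range query; returns {suffix: count}."""
    return BREACH_DB.get(prefix, {})

# Four-digit years 19xx/20xx or numeric dates such as 24.12.1999 or 12/24/99.
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{1,2}[./-]\d{1,2}[./-]\d{2,4}\b")

def check_password(pw, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    # Strip everything but letters so "Cola123" is still recognised as the word "cola".
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in DICTIONARY:
        problems.append("dictionary word")
    if DATE_RE.search(pw):
        problems.append("contains a date or year")
    prefix, suffix = sha1_prefix_suffix(pw)
    hits = range_lookup(prefix)   # the suffix is compared locally; the full hash is never sent
    if suffix in hits:
        problems.append(f"seen in {hits[suffix]} breaches")
    return problems

if __name__ == "__main__":
    for candidate in ("Cola123", "Maga2020", "correct horse battery staple!7"):
        print(candidate, "->", check_password(candidate) or "OK")
```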

Passwords are deficient because they can be guessed (brute force), intercepted (key loggers etc.), read out of storage (due to no or poor encryption when they are stored), only prove the authorisation of an end device but not the identity of the person behind it, and are usually difficult to remember (if they are "secure").

For the latter problem, there are password managers such as 1Password, BitWarden, KeePass and more.

When we are in the WordPress environment, we have to accept the fact that we have to use passwords.

So what is a “secure” password?

A secure password is a long password that has a certain degree of complexity.

Yes, password length is more important than complexity. An 8-character password can be guessed for 25 USD within 12 minutes, even if it consists of lots of special characters, upper and lower case letters and numbers.

The following GIF illustrates very well why length is more important than complexity:

Credit: Intel Security // Intel.com

Hackers also have no desire to invest a lot of money or time in intensive calculations for long passwords. So the rule of thumb is: the longer your password, the better!

But long and complex passwords are hard to remember!

That’s true, but in times of password managers we only need to remember one long and complex password and let these managers create and save the rest.

If we have this one password and, ideally, change it from time to time, we are on the safe side.

Here’s an open secret on how to create long, complex passwords and remember them straight away:

Credit: xkcd.com

This means we can take this XKCD comic strip to heart and create a long password according to one of the following patterns:

Train seat + field path – 7 eye blink

Or we use whole sentences with a little extra complexity:


We have created a relatively meaningless sentence with special characters and a number, which is very difficult to guess and yet memorable (plus points for the rhyme). This is also called a passphrase.

Many password managers, such as BitWarden, create such memorable but complex passphrases for you.

Addition: Use a secure user name

As mentioned above: 50 per cent of your access is the user name.

If an attacker knows this part of the access, then half the job is done. All that remains is the password. So don’t use usernames like admin, administrator or your name, don’t use the name of the website or the domain or anything to do with the site itself.


If your site is called www.ireallylovecats.com, don’t use a name that has anything to do with cats.

Better yet, take the same password trick from above and use a long sentence and add complexity like asphalt/can/also/with/7/spice.

Create password at Raidboxes

Create a password and username with the maximum length (in WordPress currently 60 characters for the username and 64 characters for the password, see Database Properties) and lots of letters, numbers and special characters – then simply use the single sign-on in the dashboard. Secure login with a single click.

Measure 4: Security plugins

Tip: All-rounder plugins

Protection: 🔒🔒🔒🔒

Technical effort: 🛠️🛠️ to 🛠️🛠️🛠️

There are a lot of WordPress security plugins on the market, for example:

All of these security plugins offer in-built brute force protection and much more. For most WordPress websites, the installation and maintenance of these plugins will suffice as protection. The configuration and maintenance is also minimal.

Nevertheless, plugins have a (in most cases small) disadvantage: the load on the server caused by brute force cannot be reduced by such plugins. They require a PHP process to check whether the access is valid and whether the IP is on the blocklist.

All this puts a load on the server per request. Of course, this is still less than a login attempt itself – and before the server is really affected, the attack has to take on almost DoS/DDoS dimensions – but it should not be ignored.

But back to the many advantages of the plugins: If they are always kept up to date, new types of attacks are quickly recognised and mitigated without you having to do anything yourself.

Tip: Hide WP login

Protection: 🔒

Technical effort: 🛠️

“Security through obscurity” is a phrase often used in security to describe this method.

Ultimately, this means trying to prevent attacks by simply disguising a problem. This only works in a few cases, as many brute force attacks do not go via the login form at all, but send the login attempts directly using query parameters.

These attacks will not stop just because the standard URLs such as /wp-admin or /wp-login.* are no longer accessible.


I hope I was able to explain the different types of brute force attacks and give you tips on how to protect your WordPress against them in the future. If you have any further questions, we look forward to your comment!
