
How to Protect Your WordPress Login Page from Brute Force Attacks

by dotCanada Team

Brute force attacks are exactly what they sound like: automated scripts that repeatedly try different username and password combinations until they find one that works. WordPress is a particularly common target because the login page is always at the same predictable URL - yoursite.ca/wp-admin or yoursite.ca/wp-login.php - and the most common username is "admin."

The good news is that defending against brute force attacks is not difficult. A few layered measures will stop the vast majority of these attacks in their tracks.

What a Brute Force Attack Looks Like

You may not even know you are being attacked. Some bots spread their attempts out over hours or days to stay under simple rate limits; others hammer the page with thousands of requests an hour. Signs of an ongoing attack include:

  • Sluggish site performance (every login attempt runs PHP and a database query, so a flood of them consumes server resources)
  • Bursts of POST requests to /wp-login.php in your web server access log, often from a small set of IP addresses or with a scripted user agent (a POST answered with 200 is a failed attempt; a 302 redirect to wp-admin is a successful login)
  • Security plugin alerts about failed login attempts

Step 1: Change the Default Login URL

By default, every WordPress site exposes its login page at /wp-admin and /wp-login.php. Bots know this and target these URLs automatically. Moving the login page to a non-standard URL is obscurity rather than access control, but it filters out the untargeted scanners that make up most of the noise and cuts the load they put on your server. Note that it does not cover xmlrpc.php, which also accepts a username and password and is routinely used for automated login attempts; if nothing you rely on needs XML-RPC (some plugins and the WordPress mobile apps do), disable it through your security plugin.

Plugins like WPS Hide Login (free) or Solid Security let you set a custom login URL - for example, yoursite.ca/dashboard-login or yoursite.ca/team-access. The original URL will return a 404 error to anyone who tries to access it.

Important: Write down your new login URL and save it somewhere accessible before you activate this change. If you forget it, you can still get back in by renaming the plugin's folder under wp-content/plugins through your hosting file manager or SFTP, which deactivates the plugin and restores the default URL, but it is inconvenient.

Step 2: Limit Login Attempts

Even if a bot does find your login page, you can shut down brute force attempts by limiting how many failed login attempts are allowed from a single IP address before it gets temporarily blocked.

WordPress does not do this by default - a bot can try thousands of passwords without restriction unless you add this protection.

Limit Login Attempts Reloaded is a free plugin that does exactly this. After a configurable number of failed attempts (the default is four), the IP address is locked out for a period of time, and after several lockouts the IP is banned for much longer. Wordfence includes the same functionality as part of its firewall.

Two caveats. If your site sits behind a CDN or reverse proxy, every visitor arrives from the proxy's address; the plugin must be told to take the client IP from the forwarded header, and to trust that header only when the request comes from your proxy, since anyone can set it otherwise. Without that, one lockout blocks everyone. And per-IP limits only slow down a single source: a botnet that spreads three attempts per address across hundreds of addresses never trips the threshold, which is why the password and 2FA steps below still matter.
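To make the two points above concrete (what an attack looks like in the access log, and what a per-IP lockout does and does not catch), here is an added Python example written for this article, not code from any of the plugins mentioned. It reads web server access log lines in the common "combined" format, counts failed logins per address inside a sliding window, and reports which addresses a lockout plugin with a four-failure threshold (the default mentioned above) and a 20-minute window would have blocked, and when. The log lines are constructed for the example, the window length is the example's own choice, and it assumes a successful login resets the counter.

```python
"""Find brute-force activity against wp-login.php in an access log and model the
per-IP lockout a plugin like Limit Login Attempts Reloaded would apply."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not a real capture). 198.51.100.23 attacks from one address,
# 203.0.113.10 and .11 share six attempts so neither exceeds three, and 192.0.2.45
# fails twice and then succeeds. A GET, a 403 and a malformed line are there to be ignored.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2025:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5122 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2025:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:14:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:14:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:14:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:14:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:14:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Mar/2025:15:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Mar/2025:15:30:20 +0000] "POST /wp-login.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Mar/2025:15:30:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def analyze(lines, threshold=4, window=timedelta(minutes=20)):
    """Count failed logins per IP inside a sliding window and report the IPs a lockout
    plugin with these settings would have blocked, and when.

    wp-login.php answers a wrong password with 200 (the form is re-rendered with an
    error) and a correct one with 302 (redirect to wp-admin), so the status code alone
    separates failures from successes. Other statuses (403, 429, 503) mean the request
    was refused before reaching WordPress and are not counted.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failed attempts
    locked = {}                    # ip -> time the threshold was crossed
    successes_after_failures = []  # (ip, ts): a guess may have worked, check the account
    total_failures = 0
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == 302:
            if failures[ip]:
                successes_after_failures.append((ip, ts))
            failures[ip].clear()   # assumption: a successful login resets the counter
            continue
        if ev["status"] != 200:
            continue
        total_failures += 1
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= threshold and ip not in locked:
            locked[ip] = ts
    return {
        "total_failures": total_failures,
        "per_ip": {ip: len(ts) for ip, ts in failures.items() if ts},
        "locked": locked,
        "successes_after_failures": successes_after_failures,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"{report['total_failures']} failed logins in total")
    for ip, n in sorted(report["per_ip"].items()):
        print(f"  {ip}: {n} recent failures" + ("  LOCKED" if ip in report["locked"] else ""))
    for ip, ts in report["successes_after_failures"]:
        print(f"  {ip}: successful login after failures at {ts:%H:%M:%S}, review this account")
```

Run against the sample, the single-source attacker is locked on its fourth attempt while the two addresses splitting six attempts between them never cross the threshold, which is the distributed-attack gap described above; 192.0.2.45 is flagged because a success that follows failures is exactly what a lucky guess or a credential-stuffing hit looks like.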

Step 3: Use Strong, Unique Passwords

This sounds obvious but it is worth stating plainly: brute force succeeds only when the password is guessable. Bots work through lists of common passwords, credentials leaked from other sites and simple variations like "password123" or "admin2024"; if your password is on such a list, no amount of login page hardening will fully protect you.

Every WordPress admin account should have a password that is:

  • At least 16 characters long
  • A random mix of letters, numbers, and symbols, or a long passphrase
  • Unique - not used for any other service

WordPress includes a built-in password generator under Users → Profile. Use it. A password manager like Bitwarden (free) or 1Password makes managing unique passwords for every service straightforward. While you are there, check the username too: if your administrator account is still called "admin", create a new administrator with a less guessable name, log in as that user, and delete the old account, reassigning its posts when WordPress asks.

Step 4: Disable Login Error Hints

By default, WordPress is quite helpful when a login fails - perhaps too helpful. It tells you whether the username was unknown or the password for that (valid) username was wrong, which lets an attacker confirm account names before guessing passwords.

You can replace both messages with a single generic one by adding a small snippet to your theme's functions.php file (better, to a child theme or a small custom plugin, so a theme update does not wipe it out):

// Replace WordPress's specific login errors ("Unknown username", "The password you
// entered for the username X is incorrect") with one message for every failure.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );

This returns the same message regardless of which field was incorrect. Treat it as one layer rather than a complete fix: usernames can still be discovered through author archive URLs (/?author=1 redirects to /author/username/) and the REST API users endpoint (/wp-json/wp/v2/users), so the strong password and 2FA steps carry the real weight.

Step 5: Add Two-Factor Authentication to WordPress Logins

Even if an attacker does get the correct username and password - through a data breach, phishing, or password reuse - two-factor authentication (2FA) prevents them from logging in without the second factor.

Both Wordfence and Solid Security offer WordPress 2FA as part of their free plans. Users scan a QR code with an authenticator app (Google Authenticator, Authy or any other TOTP app), and from that point on, logging in requires the six-digit code from their phone in addition to the password. Store the recovery codes the plugin generates somewhere safe, because a lost phone otherwise locks the account's owner out as well.

Enable 2FA for all administrator accounts at minimum.

Putting It Together

These measures work best in combination:

  1. Non-standard login URL - most bots never find the page
  2. Login attempt limits - bots that do find it get locked out quickly
  3. Strong passwords - brute force attempts fail even if they get through
  4. Disabled error hints - attackers get no feedback to refine their attempts
  5. Two-factor authentication - even correct credentials are not enough

Layered security is the most effective approach. No single measure is foolproof, but together these steps make a brute force attack on your WordPress site extremely unlikely to succeed.
