How to Protect Your Website from Brute Force Attacks

A brute force attack is when an automated bot tries thousands of username and password combinations against your login page until it finds one that works. These attacks are extremely common and target WordPress, cPanel, FTP, and email accounts.

Server-Level Protection at dotCanada

dotCanada's servers use fail2ban, which automatically detects repeated failed login attempts and temporarily bans the offending IP addresses at the firewall level. This stops most brute force attacks before they even reach your site.

WordPress-Specific Protection

For WordPress sites, your best tool is the Wordfence Security plugin, which offers:

• Login attempt limiting (locks out IPs after a set number of failures)
• CAPTCHA on the login page
• Notifications for suspicious login activity
• The ability to block entire countries if needed

Additional Best Practices

• Use a strong, unique password - brute force attacks rely on weak or common passwords.
• Enable two-factor authentication (2FA) in cPanel - even a successful brute force of your password won't grant access without the 2FA code.
• Change your WordPress login URL - plugins like WPS Hide Login move /wp-admin to a custom URL, so bots can't even find your login page.
• Limit login attempts in your WordPress security plugin settings.
• Disable XML-RPC if you don't use it - it's a common target for brute force attacks.

If you're seeing a large volume of failed login attempts, contact our support team and we can help investigate and implement additional protections.