If you are not investing time into making sure you are protected from hackers – you may lose – and lose big. Brute force attacks in WordPress are on the rise and below are some easy and free ways to limit your chances of being hacked.
What Is A Brute Force Attack?
Brute force attacks are basically attempts to get past your WordPress login page by guessing your username and password. They are normally carried out with automated tools, which means thousands of repeated attempts can be made in a short time – that can overload your server and raises your risk of being hacked.
Imagine someone standing at your garage door and just repeatedly trying to access your garage door opener code over and over and over again – until it opens. That is basically what these hackers are doing – and they will not stop until you take action to stop them!
If they succeed in getting in, they can do major damage, which can include:
- Installing malware
- Stealing user information
- Deleting your site completely
- Redirecting your pages to other websites
- ….and stuff I probably do not even know about yet!
Sometimes you will not even know you have been hacked for a while – and by then you can see major issues with your rank and traffic.
Hopefully the below will help you get some basic protections in place that do not cost anything – but can help limit your exposure.
How To Prevent A Brute Force Attack On My WordPress Site?
There are actually many ways you can deter the hackers – some cost money – others need more technical knowledge – but I have tried to keep this post to a basic level of things you can do that are free and easy to keep your site safer than it may be right now!
- Wordfence (free version is fine) – I am providing recommended settings for single user websites as well as multi user websites.
- Disable XML-RPC
- Hide your login
1. Suggested Wordfence Settings
The settings you use will vary based on the type of website you have – there is no one size fits all. Below I am providing settings for a single person website with only 1 administrative user, and then settings for a website with multiple users.
General WordFence Settings
- Hide WordPress version – checked
- Disable code execution for uploads directory – checked
Email Alert Preferences
This is a personal choice, but the only emails you absolutely definitely need to receive are the following – so make sure these 2 are checked. The rest I usually leave unchecked.
- Alert me when there’s a large increase in attacks detected on my site
- Alert me with scan results of this severity level or greater – set to HIGH
Brute Force Protection – Single User
The screenshot below shows the settings I personally use on my own single administrator website. I have also written them out if the screenshot is a little hard to see!
- Enable brute force protection
- Lock out after how many login failures: 2
- Lock out after how many forgot password attempts: 2
- Count failures over what time period: 5 minutes
- Amount of time a user is locked out: 2 months
- Check “Immediately lock out invalid usernames” and then enter commonly attempted usernames in the box – I added admin and 2dogsdesign – both are attempted quite often but are not valid usernames.
- Prevent the use of passwords leaked in data breaches – checked – but this is more critical for multi user websites.
- Enforcing strong passwords – checked – but also more helpful to multi user websites
- Don’t let WordPress reveal valid users in login errors – checked
- Prevent users registering admin username if it does not exist – checked
- Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps – checked
- Block IPs who send POST requests with blank User-Agent and Referer – should be checked (I do not have it checked here because I used code to make this feature happen – but you DO want it checked!)
- Check password strength on profile update – checked
- Participate in the Real-Time Wordfence Security Network – optional

Multi-user Wordfence settings recommendations
When you have multiple users that login you will need to loosen restrictions a bit since many people do really forget their passwords and try to login multiple times.
Below are “suggested” settings for multi-user WordPress websites – but you may need to adjust as needed if you are getting users complaining about being locked out too much.
- Enable brute force protection
- Lock out after how many login failures: 5
- Lock out after how many forgot password attempts: 10
- Count failures over what time period: 1 hour
- Amount of time a user is locked out: 1 day
- Uncheck “Immediately lock out invalid usernames” but still enter commonly attempted usernames in the box – I added admin and 2dogsdesign – both are attempted quite often but are not valid usernames.
- Prevent the use of passwords leaked in data breaches – checked – but this is more critical for multi user websites.
- Enforcing strong passwords – checked – but also more helpful to multi user websites
- Don’t let WordPress reveal valid users in login errors – checked
- Prevent users registering admin username if it does not exist – checked
- Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps – checked
- Block IPs who send POST requests with blank User-Agent and Referer – should be checked (I do not have it checked here because I used code to make this feature happen – but you DO want it checked!)
- Check password strength on profile update – checked
- Participate in the Real-Time Wordfence Security Network – optional
Curious about what invalid usernames people are using to try and log in to your website? In Wordfence you can go to FIREWALL, then look in the LOGIN ATTEMPTS area and click the FAILED button.
Below you can see on my own site the hackers are working the username “jill-caren” pretty hard – but that is not a username on my website so I will want to add that to my settings above to auto block anyone who tries to gain access with that username.

You can also visit FIREWALL in Wordfence and then click the BLOCKING tab to see exactly who has been blocked from the website as well as their IP and attempts that were made.
2. Disable XML-RPC
Many of you may not even know this feature exists! But in WordPress there is a file called xmlrpc.php which allows access to your website via an API – usually used by developers for custom applications.
But the downside to this file is that it tends to lure in hackers as an opportunity to attack. If you know for sure you are not using this file (and most are not) – I highly recommend you disable it.
Here are a few options for disabling XML-RPC:
- In Wordfence go to LOGIN SECURITY then click the SETTINGS tab. Scroll down to the disable XML-RPC authentication option and check the box to disable it then save your changes.
- Add the following code snippet to your .htaccess file
# Block WordPress xmlrpc.php requests (Apache 2.4+ and Apache 2.2 syntax)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
You can make sure it is working by adding /xmlrpc.php to the end of your site’s address – if it is disabled you should see a 403 Forbidden error.
You can view our own URL to see it not working: https://www.2dogsdesign.com/xmlrpc.php/
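As an added example (not code from this post, from Wordfence or from WordPress itself), here is a small must-use plugin that applies three of the protections above in PHP: disabling XML-RPC, blocking POST requests with a blank User-Agent and Referer (the setting I handled with code instead of the Wordfence checkbox), and stopping username discovery through /?author=N and the REST API. The plugin name and file location are assumptions.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example, not part of the original post)
 * Save as wp-content/mu-plugins/login-hardening.php so it loads on every request.
 */

// 1. Disable XML-RPC entirely and stop advertising it in the X-Pingback header.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. Refuse POST requests that carry neither a User-Agent nor a Referer header.
//    A browser submitting the login form sends both; a request with neither
//    did not come from a normal visitor, so it gets a 403 before WordPress
//    processes the login. Priority 1 runs this before other init hooks.
add_action( 'init', function () {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $ua  = trim( $_SERVER['HTTP_USER_AGENT'] ?? '' );
    $ref = trim( $_SERVER['HTTP_REFERER'] ?? '' );
    if ( '' === $ua && '' === $ref ) {
        status_header( 403 );
        exit( 'Forbidden' );
    }
}, 1 );

// 3a. Stop /?author=N on the public site: WordPress would otherwise redirect
//     it to /author/<username>/, which reveals the login name for that ID.
add_action( 'init', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) && ctype_digit( (string) $_GET['author'] ) ) {
        status_header( 403 );
        exit( 'Forbidden' );
    }
} );

// 3b. Hide the REST users endpoints from visitors who are not logged in;
//     logged-in users (editors, admins) keep them so the dashboard still works.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

After installing it, repeat the checks from this post: /xmlrpc.php and /?author=1 should both return 403, and /wp-json/wp/v2/users should return a “no route” error when you are logged out.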
3. Change WordPress Login URL
Because the WordPress login page is the most common source of hack attempts – changing the URL is one of the easiest ways to deter them from even trying. If they cannot find the login URL – they cannot make their attack!
There is a plugin called WPS Hide Login that allows you to easily change your login URL to anything you want. The steps are simple:
- Install the plugin
- Go to SETTINGS > WPS HIDE LOGIN
- Scroll to the WPS HIDE LOGIN section
- In the Login URL box enter the name you want for your login page – make this VERY unique so it cannot be guessed!
When you login to your website after changing the URL it will still go to wp-admin and that is OK!
So instead of 2dogsdesign.com/wp-admin – based on my settings below I can go to 2dogsdesign.com/mynewlogin to access my admin area.
MAKE SURE YOU SAVE YOUR NEW URL IN YOUR BOOKMARKS!
Yes, I already have had a few people forget where their new admin page was so I had to deactivate the plugin from the server to get back the original admin area.

Final Thoughts
I know this stuff is not fun, but it is necessary – and I would do this before adding any new content or doing SEO or any other “to do’s” you have going on!
If you need help or just want another set of eyes to check out how you are doing and address any loose ends – just contact me and I will be glad to help!
There are other options to even further protect your website that I will add in another post for those that are really motivated!
Questions? Bark at me!
Nice article. I really think it’s about time WordPress came out with some sort of brute force protection in the default installation. There is another approach that is worth trying which is where the devices that you login with are remembered. This is how the big social media sites operate. It has its pros and cons but I like it. You can try https://wordpress.org/plugins/guardgiant/ amongst others.
Agreed on making it default! Thanks for sharing the link to the plugin – I will have to take a look at that one since I have never heard of it.