Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

WordPress Brute Force Attacks, and What You Need to Do About it

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Several major sources have confirmed that there are mass brute force attacks being targeted towards WordPress and Joomla sites as we are speaking right now. HostGator, InMotion Hosting, LiquidWeb, and many others have informed their customers regarding this issue. The hackers botnet contains over 90,000 different IPs, and they are preying on WordPress beginners who are making some very common mistakes. Yes, this all sounds scary, so here is what you need to do to decrease your chances of being hacked.

1. Stop using the admin username

Often beginners use very common usernames such as admin, administrator, test, root etc. Our friends over at Sucuri reported those usernames are being heavily targeted right now. If you have a generic WordPress username such as admin, then you should change it right now.

We have an easy to follow tutorial that will show you how to change your username in WordPress.

2. Use a strong password

Please, please, please use a very strong password. These brute force attack tries to target all the most common passwords that people use. A strong password contains uppercase and lowercase letters, numbers, and symbols. Do not use the same password at more than one location. It is never too late to start using a password management solution like 1Password or LastPass.

3. Keep Good Backups

The best security you can have for your website is a great backup solution. We are using VaultPress which is a monthly service. However, if you don’t like to pay monthly, then we highly recommend that you get BackupBuddy.

Please keep good backups of your site because most hosting companies do not.

4. Use Two Factor Authentication

Start using two-factor authentication. This way even if someone guesses your password, they can’t access your site because they don’t have the security code. We highly recommend that you do this right now.

5. Password Protect WP-Admin and Limit Login Attempts

We always recommend our users to limit login attempts. However, this alone cannot protect all the attacks because this botnet contains 90,000 IPs. Another thing you can do is password protect your WP-admin directory. You can also limit your wp-login.php file to a specific IP.

6. Start using Sucuri

If you are not using Sucuri, then we highly recommend that you start using Sucuri. They are always on top of things, and there is no one else we would trust more when it comes to our WordPress security. See 5 reasons why we use Sucuri.

We are not sure what is the end goal for these attacks, but whatever it is we would hate to see our users fall prey to this. Please keep your sites up to date, and follow all the tips above.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

14 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Janet says

    I am working at securing sites for my clients, and need to password-protect their wp-admin folder. I am having a problem and hope someone can help. When I go to cPanel to pw-protect that folder, I get an error about Frontpage Extensions being installed, which prevents pw-protecting. When I go to uninstalled the extensions, I get this message:

    Warning: Installing or uninstalling FrontPage extensions will result in the loss of all “.htaccess” files. Any changes you have made to your “.htaccess” files will be lost.

    If I made a .htacess backup as instructed on this page , would that be enough?

    Thanks for your help and all your VERY helpful information!

  3. Sarah B R says

    I followed your guidelines for two steps authentication and it worked fine the first time a few days ago.
    I wanted to log in today and went to the app on my phone and the wordpress account I had added is nowhere to be found. So now I can’t log in.
    Thanks for the help.

  4. Edwin Lynch says

    I use WP Better Security. It’s free, does nearly everything Sucuri does except promote affiliate marketing spam :)

  5. Jane says

    How do you know when you’ve been Brute-Force attacked? My client has been having issues with his WP site recently, so I’m wondering if this has to do with it.

  6. Jennifer says

    I have a site that is currently getting hit with a brute force attack. It is RELENTLESS. The site uses SUCURI (thank goodness!) and they have already done one clean-up for us.

    Thank you, Syed & team, for all of the great information. I just added the two factor authentication and will put the rest of your suggestions in place ASAP.

  7. Esther says

    Thank you for the link to the free video, I just started my WP site yesterday, after running a Blogger site, and it is, kicking, my, butt! I am fairly tech savvy, so I have no idea what my problem is, only that I have one! lol

  8. Keith Davis says

    Hi guys
    Read the article over on the Sucuri website – I’m with those guys and I use a few other security measures.

    Just given you a callout on #WordPress

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.