Tsohost Knowledge Base

How to protect against a Wordpress Brute Force Attack

Modified Thursday 25th June, 2015 at 10:14


A Brute Force attack tries a large number of username and password combinations to gain access to your WordPress admin area. These attacks can place a heavy load on the server's memory, causing significant performance problems. Worse still, if spammers do gain access to your site they can cause all manner of damage.

Here, we've listed a few tips to help you avoid falling victim to Brute Force attacks: 

1. Change your default admin username

Unfortunately, there is no way to change the WordPress username in the WordPress admin area; however, it can be changed in the database through phpMyAdmin. There are two ways of accessing phpMyAdmin, depending on your hosting platform:

  • Cloud users: log into your Control Panel and go to Manage Website > MySQL Databases > phpMyAdmin.
  • cPanel users: log into your Control Panel and go to "Databases" > "phpMyAdmin".

Once you've gained access, follow these steps:

1. Enter your login details and go to the WordPress database in the left hand table.

2. Select the table "wp_users" and hit "edit".

3. Enter a new username into the "wp_user" row, and click "GO".

2. Change your default new-install password

You can change the WordPress password in the WordPress admin area under Edit My Profile. It is always best to use a password generator to generate a secure password.

3. Limit login attempts

All WordPress sites come with the 'Limit Login Attempts' plugin installed by default; all you need to do is log into the WordPress admin area and activate the plugin by navigating to Plugins > Installed Plugins.

4. Limit access to wp-admin by IP

To limit access to the wp-admin directory by IP, log into your Control Panel, navigate to the .htaccess file under the public_html directory, and add the following code at the top of the .htaccess file:

# Apache 2.2 access-control syntax; on Apache 2.4 the equivalent single
# directive is:  Require ip xx.xxx.xx.xx
# <Files> matches a file name, not a directory, so the login script
# wp-login.php is named here (the original snippet's wp-admin.php is not a
# WordPress file and would match nothing). To cover the whole wp-admin
# directory, put the three order/deny/allow lines, without the <Files>
# wrapper, in a .htaccess file inside wp-admin.
# Replace xx.xxx.xx.xx with your own public IP address.
<Files wp-login.php>
order deny,allow
deny from all
allow from xx.xxx.xx.xx
</Files>

5. Password-protect wp-login.php

To password-protect your wp-login.php file you will need to create a .htpasswds file and add some code to the .htaccess file.

1. Log into the control panel and navigate to the File Manager.

2. Click on the public_html directory, then create a new file and call it .htpasswds.

3. Use the htpasswd generator to create a user name and password to access the wp-login.php file.

4. Copy and paste the code from the htpasswd generator into the .htpasswds file.

5. Then create the code for the .htaccess file here, and paste the code into the .htaccess file under the public_html directory.
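The IP allow-list in section 4 and the password protection in section 5 both end up as directives inside a <Files wp-login.php> block, and the two mistakes that most often lock people out are an "allow" address copied from the local network (192.168.x.x from ipconfig, which no internet visitor ever has) and an AuthUserFile given as a relative path. The following is an added example, not code from Tsohost or from the htpasswd generator the steps refer to: it validates the addresses, insists on an absolute path for the password file, and renders the complete stanza in Apache 2.4 syntax, combining both controls with RequireAll so that a visitor must come from an allowed address and supply a valid password. The path /home/example/public_html/.htpasswds and the AuthName text are assumptions; the user:hash line inside .htpasswds still comes from the generator in step 3.

```python
import ipaddress

# Address ranges that never appear as a visitor's source address on the public
# internet. An "allow" entry inside one of these matches nobody and therefore
# locks everyone out, the site owner included.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def normalise_allowed(entry):
    """Return one canonical address or CIDR for the allow-list, or raise ValueError."""
    net = ipaddress.ip_network(entry, strict=False)   # accepts "1.2.3.4" or "1.2.3.0/24"
    for bad in NON_ROUTABLE:
        if net.version == bad.version and net.subnet_of(bad):
            raise ValueError(f"{entry} is a private or local address; use your public IP")
    if net.prefixlen == net.max_prefixlen:            # single host: drop the /32 or /128
        return str(net.network_address)
    return str(net)


def render_htaccess(allowed_ips, htpasswd_path=None, auth_name="Restricted area"):
    """Build a <Files wp-login.php> stanza in Apache 2.4 syntax.

    allowed_ips   : addresses/CIDRs permitted to reach the login page (may be empty)
    htpasswd_path : absolute path of the htpasswd file, or None for IP-only control
    With both given, RequireAll makes the visitor pass both checks; Apache's
    default (RequireAny) would let either one suffice.
    """
    ips = [normalise_allowed(a) for a in allowed_ips]
    if not ips and htpasswd_path is None:
        raise ValueError("nothing to enforce: give an allow-list, a password file, or both")
    if htpasswd_path is not None and not htpasswd_path.startswith("/"):
        # A relative AuthUserFile is resolved against ServerRoot, not the site
        # directory, and a password file Apache cannot open turns every login
        # request into a 500 error.
        raise ValueError("AuthUserFile must be an absolute filesystem path")

    rules = []
    if ips:
        rules.append("Require ip " + " ".join(ips))   # one line, any listed address matches
    if htpasswd_path is not None:
        rules.append("Require valid-user")

    lines = ["<Files wp-login.php>"]
    if htpasswd_path is not None:
        lines += ["    AuthType Basic",
                  f'    AuthName "{auth_name}"',
                  f"    AuthUserFile {htpasswd_path}"]
    if len(rules) > 1:
        lines += ["    <RequireAll>"] + [f"        {r}" for r in rules] + ["    </RequireAll>"]
    else:
        lines.append(f"    {rules[0]}")
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed path: the .htpasswds file from step 2 under this account's public_html.
    print(render_htaccess(["203.0.113.7"], "/home/example/public_html/.htpasswds"))
```

Paste the printed stanza at the top of public_html/.htaccess. Keeping the password file name starting with .ht, as the steps do, matters because Apache's stock configuration denies web access to files whose names begin with .ht; a password file with any other name under public_html would be downloadable.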
