Save your WordPress site from brute force attacks

Category: Intermediate

A brute force attack, in theory, is a cryptographic attack on any encrypted data that systematically checks each combination in a predefined search space. Basically, it involves attempts to log in to a system using a combination of a username and all possible passwords.

In the case of WordPress, how does it work? A malicious program trying to access your site would try to log in using one of the probable usernames (like admin or administrator), and try to get access by generating billions of probable password combinations. If it gets a hit, the program gets access to your administrator account, and you would probably not want to imagine the havoc that would cause.

You should remember that making anything totally hack-proof is not possible, no matter how careful you are. However, there are steps that you can take to make sure anyone trying to hack your site would have a really hard time.

1. Change your ‘admin’ username:

By default, the username that a hacker would use is admin because that is the default username and perhaps almost everyone uses it. That is where you can beat the hacker by using a username that is difficult to guess.

You may have tried to change the default admin username and failed, because WordPress doesn’t allow that: it shows the message ‘Usernames cannot be changed’ beside your username on your profile page. However, there is a way to change it, either through phpMyAdmin or through the MySQL shell.

Log in to phpMyAdmin using your MySQL username and password. Select your WordPress database. In my case, it is wordpress.

Then select the default users table, which is wp_users in my case. Then, edit the row corresponding to the admin user in the table.

You will then be able to edit the entry in the next view. Change the value of user_login to a desired value. This would act as your new admin username.

Press ‘Go’ to save the entry. You will then see a confirmation.

You can then log in with your new username.

Alternatively, if you do not have access to phpMyAdmin, you can start the MySQL console or shell and run the following commands.

To start: mysql -u <username> -p -D <database_name>

You would be prompted for a password for the username. Enter it.

To make sure there is an admin entry: SELECT * FROM wp_users WHERE user_login = 'admin';

If you get one row, you are good to go.

To change the username: UPDATE wp_users SET user_login = '<new_username>' WHERE user_login = 'admin';

That’s it! You have successfully changed the username.

Note that you should change the username to something that is not easy to guess. It would make these brute force attacks exponentially hard to perform.

2. Use a strong password:

A brute force attack tries every word in a dictionary, adding numbers to them as well. Statistics show that the most common password used by people around the world is ‘password’ itself. One way to make guessing hard is to use a strong password that combines lowercase and capital letters, numbers and symbols. Try to use eleet and convert letters to symbols: “captain” becomes “c@pt@!n”, for instance. The more complex your password is, the longer it would take to crack it.

You can check how secure your password is by visiting Note that their estimate is based on a Personal Computer. Hackers would be using a much stronger server, or a string of servers with parallel computing. The time that they would require would be tens, if not hundreds, of times less than a PC.

3. Keep Periodic Backups:

You never know how someone gets entry into your site in spite of your precautions. Your web hosting service might be compromised, or a keylogger might have leaked your password while you were typing it, so it’s always good to prepare for the worst.

Keep backups of your posts regularly. To do so, go to Tools > Export to export your content. Select ‘All content’ from the choices and click ‘Download Export File’ to download the exported content.

Label these XML files properly and keep them in a safe place in case of emergency.

4. Limit Login Attempts:

There is a plugin for WordPress which would limit the number of login attempts in your WordPress site. You can either search for it in Plugins > Add New or visit the plugin page on the WordPress website.

Activate the plugin after installation.

It would give you four incorrect login attempts from the same IP address. If you have no attempts remaining, you get locked out for twenty minutes.

Although smart hackers have access to tens of thousands of IP addresses during a brute force attack, this can at least prevent them from having an easy path.
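The per-IP policy described above can be replayed over a web server access log to see both what it stops and what it misses. This is an added example, not code from the plugin or the original article; the log lines are constructed, and it assumes that a failed login is a POST to wp-login.php answered with status 200 (a successful login redirects with 302).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 4                 # incorrect attempts allowed per IP (from the article)
LOCKOUT = timedelta(minutes=20)  # lockout length (from the article)

# Constructed sample in Apache common log format (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
192.0.2.50 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.11 - - [10/Mar/2024:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.12 - - [10/Mar/2024:10:06:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.13 - - [10/Mar/2024:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.11 - - [10/Mar/2024:10:06:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.12 - - [10/Mar/2024:10:06:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.13 - - [10/Mar/2024:10:06:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.
    Assumption: 200 means the login form was shown again, i.e. the login failed."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "200":
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def apply_policy(log_text):
    """Replay the per-IP limit; return ({ip: attempts blocked}, total failures, distinct IPs)."""
    fails, locked_until, blocked = defaultdict(int), {}, defaultdict(int)
    total, ips = 0, set()
    for ip, ts in failed_logins(log_text):
        total += 1
        ips.add(ip)
        if ip in locked_until and ts < locked_until[ip]:
            blocked[ip] += 1          # arrived during the 20-minute lockout
            continue
        fails[ip] += 1
        if fails[ip] >= MAX_ATTEMPTS:  # fourth incorrect attempt triggers the lockout
            locked_until[ip] = ts + LOCKOUT
            fails[ip] = 0
    return dict(blocked), total, len(ips)
```

On the sample, only the single noisy address is ever locked out; the six failures spread over three other addresses stay under the per-IP limit, which is why the total failure count across all addresses is worth watching as well.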

5. Limit access to your wp-login.php file:

This remains a very smart way to shoo away hackers from ever logging into your site. You can limit access to the wp-login.php file, which is responsible for logging you into the WordPress Admin area in the first place. If your server doesn’t allow any other IP to even access it, there is no question of logging in and brute force attacks at all!

To limit the access, the basic process that we follow is to deny access from all IP addresses in the first step, and then add your specific IP addresses to the whitelist.

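You need to modify your .htaccess file and add the following. If you do not have one, you can create a .htaccess file in your WordPress directory.

# <Files> matches on the file name, so no path is needed
<Files wp-login.php>
# Apache 2.2 syntax: Deny rules are evaluated first, then Allow rules
order deny,allow
Deny from all

# whitelist IP Address 1
allow from <IP address 1>

# whitelist IP Address 2
allow from <IP address 2>
</Files>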

That would ensure that wp-login.php would be accessible to only those IP addresses which you have whitelisted.

The one catch of blocking IP addresses this way is if you have a dynamic IP address (for example, if you use an internet dongle). However, most LAN connections provide you with static IPs, so you can modify the .htaccess file and prevent unnecessary access to your most important file(s).

As I mentioned at the very beginning, it’s not completely possible to make your site hack proof, but if you follow these steps, you would be one step ahead of the hackers and keep your data relatively safe.

Further Reading:

I understand you might not be too enthusiastic about securing your site. Why should you bother? Who will hack you and what will someone gain by doing so? Here is a story of an author, Mat Honan, whose digital life was completely erased by hackers. He initially suspected a brute force attack, but one of the hackers contacted him and explained the hacking. He eventually gained most of the data back and here’s how. Hope you change your views on digital security after reading that.

Author Bio

Shaumik Daityari

Shaumik is an optimist, but one who carries an umbrella. An undergrad at IIT Roorkee, he loves writing, when he's not busy creating some awesome stuff. Find him on and Twitter.
