Protect your Wordpress from Brute Force Attacks

A Brute Force attack uses a variety of different usernames and passwords to gain access to your WordPress admin area. These types of attack can impact heavily on the server's memory, causing significant performance problems. Worse still, if spammers do gain access to your site then they can cause all manner of damage.

Here, we've listed a few tips to help you avoid falling victim to Brute Force attacks:

1. Change your default admin username
Unfortunately, there is no way to change the WordPress username in the WordPress admin area, however, this can be changed in the database through phpMyAdmin:

  • In cPanel go to "Databases" > "phpMyAdmin".

Once you've gained access, follow these steps:
1. Enter your login details and go to the WordPress database in the left hand table.
2. Select the table "wp_users" and hit "edit".
3. Enter a new username into the "wp_user" row, and click "GO"

2. Change your default newinstall password

You can change the WordPress password in the WordPress admin area under Edit My Profile. It is always best to use a password generator to generate a secure password.

Limit login attempts

All WordPress sites come with the 'Limit Login Attempts' plugin installed by default, all you need to do is log into the WordPress admin area and activate the plugin by navigating to Plugins > Installed Plugins.

Limit access to wp-admin by IP

To limit access to the wp-admin directory by IP, log into your Control Panel and navigate to the .htaccess file, under the public_html directory and add the following code at the top of the .htaccess file:

<Files wp-admin.php>
order deny,allow
deny from all
allow from

Password-protect wp-login.php

To password-protect your wp-login.php file you will need to create a .htpasswds file and add some code to the .htaccess file.
1. Log into the control panel and navigate to the File Manager.

2. Click on the public_html directory and then create a new file and call this .htpasswds.

3. Use the htpasswd generator to create a user name and password to access the wp-login.php file.

4. Copy and paste the code from the htpasswd generator into the .htpasswds file.

5. Then create the code for the .htaccess file here, and paste the code into the .htaccess file under the public_html directory.
  • 1021 Users Found This Useful
Was this answer helpful?

Related Articles

How to Harden PHP in WHM/cPanel Servers

PHP exploits are responsible for the vast majority of compromised servers. OverviewThis document...

What is a DDoS attack?

DDoS attacks are an attempt by a malicious party to overload systems and networks with malicious...

How to check if your Linux server is under DDOS Attack?

Login to your server as root and fire the following command, using  which you can check if your...

Do you provide DDoS protection? How does it work?

We provide inbound DDoS filtering options for all our services where stated.DDoS Protection is...

How do I block an IP address in my Linux Server?

If you want to block an IP to access your linux server, you will need to login to the shell as...