Mitigating Common WordPress Brute Force Attacks
WordPress is a popular platform, which unfortunately makes it a common target for brute force attacks. These attacks can slow down your website, compromise its security, and disrupt your online presence. Two frequent types of brute force attacks are:
- wp-login brute force attacks: Attackers try repeatedly to guess your username and password to break into your site.
- xmlrpc.php attacks: Hackers exploit the xmlrpc.php file—a WordPress feature for remote access—to flood your site with thousands of login attempts, overwhelming your server.
If you’re dealing with one of these attacks, this introductory guide will help you secure your WordPress site. We’ll cover three effective methods to mitigate these threats. While we’ll touch lightly on cPanel, these solutions also apply to Plesk and Interworx control panels.
Brute-Force Solutions Overview
For the best protection, we recommend combining these approaches:
- WordPress Plugins: Simple tools to limit login attempts or block vulnerable files.
- .htaccess Restrictions: Restrict access to sensitive files like wp-login.php and xmlrpc.php to trusted IPs only.
- CSF Firewall: Block abusive IPs attempting excessive failed logins.
Let’s dive into each method with step-by-step instructions.
Using WordPress Plugins
Plugins are an easy, beginner-friendly way to add security without needing to modify server settings.
While we list these plugins as potential options, we do not fully support or endorse them. Your mileage may vary when using them.
- Limit Login Attempts Reloaded: Caps the number of login tries from a single IP.
- Wordfence: Offers firewall protection, malware scanning, and login security features.
- Sucuri: Provides a web application firewall and additional hardening options.
Steps to Install and Configure:
- Log in to your WordPress dashboard.
- Go to Plugins > Add New.
- Search for a plugin (e.g., “Limit Login Attempts Reloaded”).
- Click Install Now, then Activate.
- Visit the plugin’s settings page or follow its setup wizard to enable features like login attempt limits or xmlrpc.php blocking.
Pros: Quick to set up, no technical skills needed.
Cons: May not fully stop attacks if your server is heavily targeted. Not fully supported by our support team.
Restricting Access via .htaccess
The .htaccess file lets you control access to specific files on your Apache server. You can block wp-login.php and xmlrpc.php for everyone except trusted IP addresses (an allow list).
Steps to Implement
- Access your server via SSH or your control panel’s file manager (found in cPanel, Plesk, or Interworx).
- Locate your WordPress root directory (often /home/<username>/public_html/ or a subdomain folder).
- Open or create the .htaccess file there.
- Add this code to restrict access, replacing <your-ip> with your public IP address (find it at ip.liquidweb.com):
.htaccess:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from <your-ip>
</Files>

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from <your-ip>
</Files>

- Modify the “Allow from” lines to include your own IP address (and the IP address of any other users who need to log into the wp-admin section of your site) so that you do not lock yourself out of your site. If you use any external services that need access to these files, add their IP addresses as well.
- Save the file and test your site.
To allow multiple IPs (e.g., for additional admins), add more Allow from <ip> lines.
Pros: Fast to set up, effective for users with static IPs.
Cons: Less flexible if you log in from different locations or have a dynamic IP.
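The guide's snippet shows the stanzas for a single address and leaves you to copy them by hand for each additional admin. As an added example that is not part of the original guide, the POSIX shell functions below generate both stanzas for any number of admin addresses and refuse to print anything if an address is malformed, since a typo in an Allow from line is the usual way people lock themselves out of wp-admin. The addresses in the demo call are RFC 5737 documentation ranges chosen for illustration, not real admin IPs.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the wp-login.php and
# xmlrpc.php allow-list stanzas for any number of admin addresses, but only
# after every address passes validation. A typo in an "Allow from" line is
# the classic way to lock yourself out of wp-admin.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address, optionally
# followed by /prefix (Apache accepts both forms in "Allow from").
is_ipv4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32   # no "/" given: treat as a single host
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                        # split into octets (local to this function)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
}

# wp_allowlist_htaccess IP [IP...]: print both <Files> stanzas to stdout.
# Prints nothing and fails if any address is invalid, so a bad run can
# never be redirected into .htaccess by accident.
wp_allowlist_htaccess() {
    [ $# -ge 1 ] || { echo "usage: wp_allowlist_htaccess IP [IP...]" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    for file in wp-login.php xmlrpc.php; do
        printf '<Files %s>\n' "$file"
        printf 'Order Deny,Allow\nDeny from all\n'
        for ip in "$@"; do
            printf 'Allow from %s\n' "$ip"
        done
        printf '</Files>\n'
    done
}

# Demo with RFC 5737 documentation addresses (constructed, not real admins).
wp_allowlist_htaccess 203.0.113.10 198.51.100.0/24
```

Redirect the output to a temporary file, check it, and then append it to .htaccess. One caveat worth knowing: Order/Deny/Allow is Apache 2.2 access-control syntax, and on Apache 2.4 it only works while mod_access_compat is loaded; the native 2.4 form replaces those three lines with Require ip <your-ip> inside each Files block.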
Blocking Abusive IPs with CSF Firewall
ConfigServer Security & Firewall (CSF) is a robust tool to block IPs based on failed login attempts. It’s commonly pre-installed on our fully managed servers. Blocking an IP address here will prevent that IP from accessing any services running on your server.
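CSF blocks whichever addresses you give it; the step the guide leaves implicit is working out which addresses are actually abusive. As an added example that is not part of the original guide, the POSIX shell functions below count login-guessing requests per client IP in an Apache combined-format access log: POSTs to wp-login.php that came back with a 200 (WordPress answers a successful login with a 302 redirect and re-renders the form with a 200 on failure) and every POST to xmlrpc.php. The log lines are constructed sample data, the threshold is an assumption you tune for your site, and the result is only printed as csf -d commands for you to review; nothing is executed.

```shell
#!/bin/sh
# Added example, not from the original guide: report the IPs hammering
# wp-login.php and xmlrpc.php so you know what to give CSF. All log lines
# below are constructed sample data (RFC 5737 documentation addresses).

LOG_SAMPLE='203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2025:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2025:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2025:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2025:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
192.0.2.15 - - [10/Mar/2025:12:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2025:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2025:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2025:12:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"'

# abusive_ips THRESHOLD < access_log
# Prints "ip count" for every client with more than THRESHOLD guessing
# requests, busiest first. In the combined log format $1 is the client IP,
# $6 is the quoted method, $7 the path and $9 the status code. A real admin
# mistypes a password once or twice (192.0.2.15 above); a brute-forcer
# produces a long run of 200s, so the threshold separates the two.
abusive_ips() {
    threshold=${1:-20}   # assumed default; tune to your own traffic
    awk -v limit="$threshold" '
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 { hits[$1]++ }
        $6 == "\"POST" && index($7, "/xmlrpc.php") == 1               { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) printf "%s %d\n", ip, hits[ip] }
    ' | sort -k2,2nr
}

# csf_deny_commands < report
# Turns the report into the csf -d lines from the guide, one per IP, for a
# human to read before running. Deliberately prints rather than executes.
csf_deny_commands() {
    awk '{ printf "csf -d %s\n", $1 }'
}

# Demo run on the constructed sample with a low threshold.
printf '%s\n' "$LOG_SAMPLE" | abusive_ips 2 | csf_deny_commands
```

Against a live server you would run it as abusive_ips 20 < /path/to/your/domain/access_log (the path depends on your control panel) and check that neither your own address nor a shared office or VPN egress appears before pasting any of the commands. Note that the page's Quick Deny and csf -d both block the address from every service on the server, so a false positive is disruptive.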
IP addresses can be blocked from accessing your server by logging into WHM and navigating to the ConfigServer Security & Firewall section. From there, enter the IP you wish to block in the “Quick Deny” section.
Alternatively, IP addresses can be added to the CSF deny list via command line with the following command (replace 1.2.3.4 with the IP you wish to block):
csf -d 1.2.3.4

Additional Security Tips
- Update Regularly: Keep WordPress, themes, and plugins up to date to fix security holes.
- Strong Passwords: Use complex, unique passwords for all accounts, especially admins.
- Two-Factor Authentication (2FA): Add an extra login step with a plugin like “Two Factor Authentication.”
To secure your WordPress site against brute force attacks, try this layered approach:
- Install a plugin like Limit Login Attempts Reloaded for instant, user-friendly protection.
- Use .htaccess to lock down wp-login.php and xmlrpc.php if you have a fixed IP.
- Set up CSF Firewall for advanced, server-wide defense.
Combining these methods with regular updates and strong passwords will keep your site safe. If you need help implementing these steps, Liquid Web’s support team is here to assist you 24/7!