The Complete Guide to WordPress Brute Force Protection

WordPress brute force protection is one of the most important defenses you can put in place for your site. According to Wordfence’s published threat data, the company blocks hundreds of millions of malicious login attempts and other attacks against WordPress sites every day across its protected network. Attack volume has only grown as botnets have become cheaper to operate and the tools used to automate them have become more sophisticated.

This guide walks through what a brute-force attack is, why WordPress sites are such common targets, and the layered approach you can take to make your site one of the harder ones to compromise. You’ll find practical steps you can take today, and we’ll cover how Kadence Security fits into the workflow for site owners who want to handle this with a single, dedicated tool.


What is a brute force attack?

A brute force attack is one of the simplest hacking techniques in existence. An attacker tries to log in to your site by guessing usernames and passwords, over and over again, until they hit a combination that works. The ‘force’ comes from volume. Modern botnets can make thousands of attempts per second across millions of sites simultaneously, so even unlikely password combinations are eventually tried.

A few variants of the attack are worth knowing about:

  • Standard brute force. The attacker tries every possible combination of characters for a password. This works against short or simple passwords and gets exponentially harder as the password length increases.
  • Dictionary attack. The attacker tries known common passwords (password123, admin2024, welcome1) and known dictionary words. This is faster than pure brute force.
  • Credential stuffing. The attacker uses real username-password combinations leaked from other data breaches, betting that people reuse passwords across sites. This is now one of the most common attack types because it sidesteps password strength entirely.

In 2023, Wordfence blocked more than 100 billion credential stuffing attempts from over 74 million unique IP addresses.

The common thread across all three is that the attacks are automated and cheap to run. The attacker doesn’t need to know anything about your site. They just need it to exist and be reachable on the internet.

Why WordPress sites are a target

WordPress powers more than 42% of all websites globally, making it the largest single target for automated attacks.

Nearly every WordPress site shares the same file structure, login URL, and many of the same plugins. This is what lets attackers run the same automated attack against millions of sites at once.

A few specifics make WordPress particularly attractive to brute force attackers:

  • The login URL is predictable. Every default WordPress install puts the login page at /wp-login.php. Bots know exactly where to find it.
  • WordPress allows unlimited login attempts by default. Without a plugin or server-level rate limiting, there’s nothing stopping an attacker from making thousands of guesses in a row.
  • XML-RPC amplifies the attack. WordPress’s XML-RPC interface (at /xmlrpc.php) includes a function called system.multicall that lets attackers bundle hundreds of login attempts into a single HTTP request. This makes brute-force attacks much faster and harder to detect with standard rate-limiting.

When an attacker succeeds, the compromised WordPress sites are typically used to spread malware, send spam, host phishing pages, mine cryptocurrency on your server, or attack other sites in turn.

According to the Patchstack State of WordPress Security in 2026 report, malware on an infected site often rewrites itself even after cleanup, making it much harder to fix.

How to protect your WordPress site from brute force attacks

Strong WordPress brute-force protection comes from layering several defenses. No single measure is bulletproof on its own, but the combination makes your site significantly more expensive for an attacker to crack.

Use strong, unique passwords

The most effective thing you can do is use a long, random password for every WordPress user account on your site. A 16-character random password takes effectively forever to brute force. A short dictionary word like password or admin2024 can be guessed in less than a second.

The practical rule:

  • At least 16 characters.
  • A mix of uppercase, lowercase, numbers, and symbols.
  • Unique to your WordPress site (not reused from any other account).
  • Stored in a password manager rather than in a notes app or on paper.

This applies to every user account on your site, including editors and authors. Editor and author accounts get compromised too, and once an attacker has a foothold, they can often escalate from there.

Enable two-factor authentication

Two-factor authentication (2FA) adds a second layer that an attacker can’t guess.

The Patchstack 2026 report and other industry data show that 2FA adoption considerably reduces unauthorized login attempts, partly because most attackers detect 2FA and move on to easier targets.

Kadence Security includes 2FA as part of the plugin itself, which is worth flagging because the alternative is usually stitching together three or four single-purpose tools (one for 2FA, another for login limits, another for the firewall). Having all of that in one place isn’t just less work to set up. It also means when something does go wrong, you’ve only got one set of logs and one set of settings to look at, rather than trying to figure out which tool did what.

If you only do one thing from this guide, enable 2FA on every administrator account. It’s the highest-impact protection available.

Limit login attempts

By default, WordPress lets anyone make as many login attempts as they want from any IP address, which is exactly the behavior brute force attackers depend on.

Limiting login attempts breaks this. After a small number of failed attempts (typically three to five), the IP address is temporarily blocked from logging in for a set period. The attacker can either wait or move on, and most of them move on.

A good login limit setup includes:

  • A low threshold for failed attempts (three to five is standard).
  • A lockout period long enough to make the attack uneconomical (15 to 30 minutes minimum).
  • Automatic permanent bans for IPs that keep hitting the limit after multiple lockouts.
  • Optional CAPTCHA challenges for suspected bots.

Kadence Security handles all of this automatically, but the principle applies regardless of which tool you use.
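Here is what the four points above look like as a small must-use plugin. This is an added example, not Kadence Security's code; the `ell_` function names, the transient keys and the file path are assumptions, and the thresholds (five failures, 15-minute lockout, 24-hour ban after three lockouts) are taken from the ranges given in this section.

```php
<?php
/**
 * Plugin Name: Example Login Limiter
 * Added example, not Kadence Security code. Save as wp-content/mu-plugins/login-limiter.php.
 */
const ELL_MAX_FAILS   = 5;          // failed attempts per IP before a lockout
const ELL_LOCKOUT_SEC = 15 * 60;    // lockout length (15 minutes)
const ELL_MAX_LOCKS   = 3;          // lockouts within a day before the long ban
const ELL_BAN_SEC     = 24 * 3600;  // long enough to make the attack uneconomical

function ell_client_ip(): string {
    // REMOTE_ADDR cannot be forged by the client. Behind a reverse proxy or cloud WAF,
    // read the proxy's trusted header here instead, or every visitor shares one IP.
    return preg_replace( '/[^0-9a-fA-F:.]/', '', $_SERVER['REMOTE_ADDR'] ?? '' ) ?: '0.0.0.0';
}
// Fires for every failed login, from the wp-login.php form and from XML-RPC alike.
function ell_record_failure( string $username ): void {
    $ip = ell_client_ip();
    if ( (int) get_transient( "ell_locked_$ip" ) > time() ) {
        return; // already locked; attempts made during the lockout are not re-counted
    }
    $fails = (int) get_transient( "ell_fails_$ip" ) + 1;
    set_transient( "ell_fails_$ip", $fails, ELL_LOCKOUT_SEC );
    if ( $fails < ELL_MAX_FAILS ) {
        return;
    }
    // Threshold reached: reset the counter, lock the IP, and escalate repeat offenders.
    delete_transient( "ell_fails_$ip" );
    $locks = (int) get_transient( "ell_locks_$ip" ) + 1;
    set_transient( "ell_locks_$ip", $locks, ELL_BAN_SEC );
    $ttl = ( $locks >= ELL_MAX_LOCKS ) ? ELL_BAN_SEC : ELL_LOCKOUT_SEC;
    set_transient( "ell_locked_$ip", time() + $ttl, $ttl );
    error_log( "login-limiter: locked ip=$ip user=$username lockouts=$locks ttl={$ttl}s" );
}
add_action( 'wp_login_failed', 'ell_record_failure' );

// Priority 30 runs after WordPress's own username/password check (priority 20), so a
// locked IP is refused even on the attempt that finally guesses the right password.
add_filter( 'authenticate', function ( $user ) {
    $until = (int) get_transient( 'ell_locked_' . ell_client_ip() );
    if ( $until > time() ) {
        $mins = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error( 'too_many_attempts', "Too many failed logins. Try again in $mins minutes." );
    }
    return $user;
}, 30 );

// A successful login clears the counter so a legitimate user's typos do not accumulate.
add_action( 'wp_login', function () { delete_transient( 'ell_fails_' . ell_client_ip() ); } );
```

The CAPTCHA step from the list is not shown; it would slot into the same `authenticate` filter, challenging the IP once the counter passes a lower threshold than the lockout.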

Hide your WordPress login page

Bots know that almost every WordPress site has its login at /wp-login.php. Moving the login URL to something custom (like /secret-portal-login) takes most automated attacks out of the equation entirely. The bots scanning for wp-login.php simply get a 404 and move on.

This is sometimes called ‘security through obscurity,’ and on its own, it isn’t enough. A determined attacker who knows your site specifically can still find the new URL. But for the automated, scattershot attacks that make up the vast majority of brute force traffic, hiding the login page is one of the cheapest, highest-impact wins available.

Disable XML-RPC if you don’t need it

XML-RPC is a legacy WordPress feature that lets external applications interact with your site. It was useful in the early days of mobile apps and remote publishing, but it’s been largely replaced by the WordPress REST API.

The problem with XML-RPC is that its system.multicall function lets attackers bundle hundreds of login attempts into a single request, sidestepping standard rate limiting. If you’re not using Jetpack, the WordPress mobile app, or another tool that specifically needs XML-RPC, disabling it removes an entire attack vector.

You can disable XML-RPC with a security plugin like Kadence Security, with a one-line filter in your theme’s functions.php file, or at the server level through your hosting control panel.
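The one-line filter mentioned above, plus the alternative for sites that still need XML-RPC. This is an added example, not code from the guide; both filters (`xmlrpc_enabled` and `xmlrpc_login_error`) are WordPress core hooks, and the log format is an assumption.

```php
<?php
// Added example, not from the original guide. Put either option in a theme's functions.php
// or a mu-plugin, then confirm by POSTing a login call to /xmlrpc.php and reading the reply.

// Option 1: you do not use Jetpack or the mobile app. Every method that needs a login
// now answers "XML-RPC services are disabled on this site." before any password is checked.
// Unauthenticated methods such as pingback.ping still respond; block xmlrpc.php at the
// web server if you want the endpoint gone entirely.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Option 2: you still need XML-RPC. Keep it, but make its login failures visible and
// tagged so they can be counted separately from wp-login.php form failures. A rate
// limiter on the 'authenticate' filter applies here too, because XML-RPC logins go
// through wp_authenticate() as well. Note that since WordPress 4.4 a system.multicall
// stops checking passwords after its first failed login, so one request yields one guess.
add_filter( 'xmlrpc_login_error', function ( IXR_Error $error, WP_Error $user ) {
    error_log( sprintf( 'xmlrpc login failed ip=%s code=%s',
        $_SERVER['REMOTE_ADDR'] ?? '', $user->get_error_code() ) );
    return $error;
}, 10, 2 );
```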

Use a web application firewall

A web application firewall (WAF) sits in front of your WordPress site and filters traffic before it reaches your server. Malicious requests are blocked at the edge, so brute-force attempts never even reach your login page.

There are two main types:

  • Cloud-based WAFs sit between your site and the internet. Traffic flows through the WAF’s servers first, where known attack patterns are blocked before they ever reach your origin server.
  • Plugin-based WAFs run inside WordPress itself. They block malicious traffic at the application layer, so it still reaches your server but not your login page.

Cloud-based WAFs are generally more effective against high-volume brute-force attacks because they absorb the traffic load. Plugin-based WAFs are easier to set up and don’t require any DNS changes. Many sites use both: a cloud WAF for the heavy lifting and a plugin like Kadence Security for the application-layer protections.

Choose hosting that’s built for WordPress security

Most successful WordPress attacks start with weaknesses below the application layer: outdated server software, weak SSH credentials, badly configured file permissions, or shared hosting environments where one compromised site can spread to its neighbors.

Managed WordPress hosting handles the infrastructure layer for you. The server is hardened, software is kept up to date, and brute-force protection is typically enforced at the network level before traffic even reaches your WordPress installation.

Monitor login activity and respond fast

The most overlooked part of brute force protection is monitoring. Even with strong passwords, 2FA, and rate limiting in place, you want to know when an attack is happening, because the patterns often tell you something.

A spike in failed login attempts from a single country might indicate a targeted attack. A slow trickle of attempts spread across thousands of IPs is the signature of a distributed botnet probe. Either way, you want the information before it becomes a problem.

What to monitor:

  • Failed login attempts (volume and source).
  • New admin user creation.
  • File changes in the WordPress core, themes, and plugins.
  • Unusual outbound traffic from your server.

Kadence Security’s security dashboard shows this kind of activity in one place, with alerts when something out of the ordinary happens.
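The first two items on that list can be captured with a few lines of WordPress hooks. This is an added example, not Kadence Security's dashboard code; the `elm_` names, the `wp-monitor` log prefix and the file path are assumptions, and the hooks used (`wp_login_failed`, `set_user_role`) are core WordPress actions.

```php
<?php
/**
 * Plugin Name: Example Login Monitor
 * Added example, not Kadence Security code. Save as wp-content/mu-plugins/login-monitor.php.
 * Writes one JSON line per event to the PHP error log (WP_DEBUG_LOG or the host's log)
 * and emails the site owner when any account is given the administrator role.
 */
function elm_log( string $event, array $fields ): void {
    $fields = array_merge( [ 'ts' => gmdate( 'c' ), 'event' => $event ], $fields );
    error_log( 'wp-monitor ' . wp_json_encode( $fields ) );
}

// Failed logins: who was targeted, from where, and through which entry point. Grouping
// these lines by ip shows a single-source spike; many distinct ips against the same
// user is the distributed trickle described above.
add_action( 'wp_login_failed', function ( $username, $error = null ): void {
    elm_log( 'login_failed', [
        'user'   => substr( (string) $username, 0, 60 ),
        'ip'     => $_SERVER['REMOTE_ADDR'] ?? '',
        'via'    => defined( 'XMLRPC_REQUEST' ) ? 'xmlrpc' : 'form',
        'reason' => $error instanceof WP_Error ? $error->get_error_code() : '',
    ] );
}, 10, 2 );

// New administrator accounts, and promotions to administrator, are the usual next step
// after a successful brute force, so they get an email as well as a log line.
add_action( 'set_user_role', function ( $user_id, $role ): void {
    if ( 'administrator' !== $role ) {
        return;
    }
    $account = get_userdata( $user_id );
    $login   = $account ? $account->user_login : "#$user_id";
    $actor   = get_current_user_id() ?: 'none (cron, CLI or direct database change)';
    elm_log( 'admin_role_granted', [ 'user' => $login, 'by' => $actor, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '' ] );
    wp_mail(
        get_option( 'admin_email' ),
        'Administrator role granted on ' . home_url(),
        "Account '$login' now has the administrator role (granted by user id: $actor)."
    );
}, 10, 2 );
```

File-change detection and outbound-traffic monitoring need a baseline manifest and server-side tooling respectively, which is why they are usually left to a plugin or the host.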

How Kadence Security handles brute force protection

If you’d rather not stitch together half a dozen separate tools, Kadence Security covers most of the layered WordPress brute force protection above by default. It’s available on the Kadence Pro and Elite plans and includes the brute force protections you’d otherwise need multiple plugins to assemble:

  • Real-time firewall with automatic rule updates that block known attack patterns before they reach your login page.
  • Two-factor authentication built into the core plugin, with support for authenticator apps and other 2FA methods.
  • Brute force protection that limits failed login attempts and blocks repeat offenders automatically.
  • Patchstack virtual patching that protects against plugin and theme vulnerabilities even before official patches are released, drawing on the same vulnerability intelligence database Patchstack uses for major hosting providers.
  • File change detection that flags unexpected modifications to your WordPress core, themes, or plugins.
  • A security dashboard that surfaces threat activity and lets you respond from one place.

For most WordPress sites, the combination of Kadence Security and managed WordPress hosting at the infrastructure layer is sufficient to close the door on the vast majority of brute-force attempts. Brute force attacks are still happening, but they’re hitting blocks they can’t get past.


Make brute force protection a baseline part of your setup

Brute-force attacks aren’t sophisticated, but that’s exactly what makes them so common and persistent. Attackers don’t need to outsmart your security; they just need to keep guessing until they get lucky. The way you make them unlucky is by putting the right defenses in place so that even if one layer fails, the next one won’t.
