
How to Stop Brute Force Attacks on WordPress: Complete Protection Guide

Protect your WordPress site from brute force attacks with these proven security measures. Step-by-step guide to implementing complete login protection.

Sarah Chen

Defending Against Brute Force Attacks

Brute force attacks are relentless—automated bots never sleep and never give up. Without protection, your WordPress login is under constant assault. This guide provides a comprehensive strategy for stopping brute force attacks using multiple layers of defense.

Layer 1: Limit Login Attempts

The most critical protection: stop unlimited login attempts.

Configure Login Limiting

  1. Go to Folder Shield > Settings > Login Security
  2. Enable "Limit Login Attempts"
  3. Set "Max Login Attempts" (recommended: 5)
  4. Set "Lockout Duration" (recommended: 30 minutes)

How It Works

  • After 5 failed attempts, IP is locked out for 30 minutes
  • Legitimate users can try again after lockout expires
  • Attackers can't continue their password guessing

Layer 2: Progressive Lockouts

Persistent attackers face increasing penalties.

Auto-Block Feature

  • After repeated lockouts (10 by default), IP is blocked for 24 hours
  • Effectively permanent ban for that attack session
  • Can be configured in Settings > Login Security
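The lockout arithmetic from Layers 1 and 2, worked through as an added example (not Folder Shield's own code). It models the guide's numbers; how the plugin actually counts and resets attempts is not documented here, so the per-IP counters and reset rules below are assumptions.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 5             # "Max Login Attempts" in the guide
LOCKOUT_SECONDS = 30 * 60    # "Lockout Duration"
LOCKOUTS_BEFORE_BLOCK = 10   # auto-block threshold (guide's default)
BLOCK_SECONDS = 24 * 3600    # auto-block length

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    denied_until: float = 0.0

class LoginLimiter:
    """Assumed model: per-IP counters; failures reset on lockout or success."""

    def __init__(self):
        self.ips = {}

    def record_failure(self, ip, now):
        """Register a failed login; return 'ok', 'denied', 'lockout' or 'block'."""
        st = self.ips.setdefault(ip, IpState())
        if now < st.denied_until:
            return "denied"          # rejected before any password check
        st.failures += 1
        if st.failures < MAX_ATTEMPTS:
            return "ok"
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= LOCKOUTS_BEFORE_BLOCK:
            st.lockouts = 0
            st.denied_until = now + BLOCK_SECONDS
            return "block"
        st.denied_until = now + LOCKOUT_SECONDS
        return "lockout"

    def record_success(self, ip):
        if ip in self.ips:
            self.ips[ip].failures = 0

def simulate(ip, interval, duration):
    """Constructed scenario: one wrong password every `interval` seconds."""
    limiter, checked, events = LoginLimiter(), 0, []
    for t in range(0, duration, interval):
        result = limiter.record_failure(ip, t)
        if result != "denied":
            checked += 1
        if result in ("lockout", "block"):
            events.append((t, result))
    return checked, events
```

Running `simulate("203.0.113.7", 1, 86400)` shows the effect of the two layers together: a client sending one guess per second for 24 hours has only 50 passwords actually checked before the 24-hour block begins.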

Layer 3: Two-Factor Authentication

The ultimate defense: even correct passwords aren't enough.

Enable 2FA

  1. Go to Folder Shield > Settings > Login Security
  2. Enable "Two-Factor Authentication"
  3. Require for Administrators (at minimum)
  4. Each user sets up via their profile

Why 2FA Stops Brute Force

Even if attackers guess the password, they need the time-based code from your phone. Brute forcing 2FA codes is impractical—codes change every 30 seconds.
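How a time-based code is computed and checked, as an added example (not Folder Shield's code). It assumes the standard RFC 6238 TOTP scheme used by authenticator apps, with 6-digit codes and a one-step clock-skew allowance; the plugin's own parameters are not stated in this guide.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per code, as stated in the guide
DIGITS = 6    # assumed: the usual authenticator-app code length

def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and the RFC 4226 truncation."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, now, last_used_counter=-1, drift_steps=1):
    """Return the matched time-step counter, or None.

    Accepts +/- drift_steps for clock skew and refuses any counter at or
    below last_used_counter, so a code that was already used cannot be
    replayed. The default of -1 also skips negative counters.
    """
    current = int(now // STEP)
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter <= last_used_counter:
            continue
        expected = totp(secret, counter * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return counter
    return None

def guess_success_bound(guesses, drift_steps=1, digits=DIGITS):
    """Upper bound on the chance that `guesses` codes hit an accepted one."""
    accepted = 2 * drift_steps + 1
    return min(1.0, guesses * accepted / 10 ** digits)
```

With the 5-attempt limit from Layer 1, `guess_success_bound(5)` gives the odds of guessing a valid code before the lockout: at most 15 in a million.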

Layer 4: Custom Login URL

Hide your login page from bots entirely.

Change Login URL

  1. Go to Folder Shield > Settings > Login Security
  2. Enable "Custom Login URL"
  3. Enter a unique slug (e.g., "my-secret-login")
  4. Save changes

Results

  • wp-login.php returns 404
  • wp-admin redirects to 404 for users who are not logged in
  • Bots can't find your login page
  • Brute force attacks drop by 99%

Layer 5: Username Protection

Don't let attackers discover valid usernames.

Block User Enumeration

  • Enable "Block Author Enumeration" in Settings
  • Enable "REST API Protection" to block /wp/v2/users
  • Use generic login error messages

Why It Matters

Attackers need both a username and a password. If they can't confirm which usernames exist, attacks are less targeted and less efficient.

Layer 6: Google reCAPTCHA

Verify visitors are human, not bots.

Add reCAPTCHA to Login

  1. Get reCAPTCHA keys from Google
  2. Go to Folder Shield > Settings > Login Security
  3. Enter Site Key and Secret Key
  4. Enable for login form

reCAPTCHA v2 vs v3

  • v2: "I'm not a robot" checkbox
  • v3: Invisible, score-based (recommended)

Layer 7: Threat Intelligence

Block known attackers before they try.

Enable Threat Intelligence

  1. Go to Folder Shield > Threat Intelligence
  2. Enable the feature
  3. Click "Sync Now"

Benefits

  • 50,000+ known malicious IPs blocked automatically
  • IPs flagged for brute force across the network
  • Updates every 6 hours
  • Zero-day protection from collective intelligence

Layer 8: Strong Password Policy

Make passwords harder to guess.

Password Requirements

  • Minimum 12 characters
  • Uppercase and lowercase letters
  • Numbers and symbols
  • No dictionary words
  • Unique to this site

Use a Password Manager

Generate and store strong, unique passwords for every site.

Monitoring and Response

Review Security Logs

Regularly check Folder Shield > Security Logs for:

  • Failed login patterns
  • Blocked IPs
  • Unusual activity

Set Up Email Alerts

Configure alerts for:

  • Multiple failed logins
  • New device logins
  • Lockout events
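One "failed login pattern" worth looking for during log review, as an added example (not part of Folder Shield): failures for a single account arriving from many addresses, each below the per-IP limit, and a successful login from a new address right after them. The record layout, window and threshold are assumptions, since the plugin's log format is not shown in this guide.

```python
from collections import defaultdict

WINDOW = 600   # seconds; assumed review window
MIN_IPS = 4    # assumed threshold of distinct source addresses

# Constructed records: (unix_time, source_ip, username, outcome).
SAMPLE_LOG = [
    (1000, "198.51.100.10", "admin", "fail"),
    (1030, "198.51.100.11", "admin", "fail"),
    (1045, "203.0.113.5", "editor", "fail"),
    (1060, "198.51.100.12", "admin", "fail"),
    (1090, "198.51.100.13", "admin", "fail"),
    (1100, "203.0.113.5", "editor", "ok"),
    (1150, "198.51.100.14", "admin", "ok"),
]

def review(log, window=WINDOW, min_ips=MIN_IPS):
    """Return {username: finding} for accounts that need a closer look."""
    recent = defaultdict(list)   # username -> [(time, ip)] of recent failures
    findings = {}
    for ts, ip, user, outcome in sorted(log):
        fails = [(t, a) for t, a in recent[user] if ts - t <= window]
        if outcome == "fail":
            fails.append((ts, ip))
            recent[user] = fails
            ips = {a for _, a in fails}
            if len(ips) >= min_ips:
                findings[user] = {"pattern": "many-sources", "ips": sorted(ips)}
        else:
            sources = {a for _, a in fails}
            # A success from a new address right after a spread of failures
            # warrants an alert and a password reset for that account.
            if len(sources) >= min_ips and ip not in sources:
                findings[user] = {"pattern": "success-after-spread",
                                  "ips": sorted(sources | {ip})}
            recent[user] = []
    return findings
```

On the constructed sample, the "editor" account (one typo, then a login from the same address) is left alone, while "admin" is reported.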

Protection Checklist

  • ☐ Login attempts limited (5 attempts, 30 min lockout)
  • ☐ Auto-blocking enabled (24 hour block after 10 lockouts)
  • ☐ 2FA enabled for all admins
  • ☐ Custom login URL configured
  • ☐ User enumeration blocked
  • ☐ reCAPTCHA on login form
  • ☐ Threat Intelligence enabled
  • ☐ Strong passwords required
  • ☐ Email alerts configured

Conclusion

Stopping brute force attacks requires multiple layers of protection. Any single measure can be bypassed or circumvented, but together they create formidable defenses. WP Folder Shield provides all these layers in one integrated solution. Implement the full stack and your WordPress login becomes essentially impervious to brute force attacks.

Written by Sarah Chen

WP Folder Shield Team
