Guide to WordPress Brute Force Protection (+4 Best Plugins)

Brute force attacks happen when hackers try to access your site files by constantly trying new passwords. If they succeed, they could steal your private data, add malware, or even take down your website completely.

Fortunately, you can easily prevent these brute force attacks. By simply updating your login information or enabling two-factor authentication, you can make it harder for hackers to enter your website. Another effective method is to install a brute force protection plugin like Jetpack.

In this post, we’ll explain what brute force attacks are and how you can prevent them. Then, we’ll recommend the best plugins for brute force protection. 

What is a brute force attack?

Brute force attacks happen when hackers use trial and error to access your website. This usually involves guessing your login information using automated software. Essentially, hackers will try many different passwords and username combinations until they find yours.

Other forms of hacking usually exploit vulnerabilities on your WordPress website. For instance, hackers can access your data through out-of-date software, plugins, or themes. Even an old PHP version can leave your site vulnerable.

On the other hand, brute force attacks rely on weak login credentials. If you have a guessable password like “123456,” hackers can use automated software to enter your site.

Brute force attacks are more common than you might think. In fact, they’re becoming more of a threat than ever before. Towards the end of 2021, the rate of brute force attacks increased by 160 percent.

If your website suffers from a brute force attack, hackers can:

  • Steal your private data
  • Add malware to your site
  • Decrease your credibility and/or search rankings
  • Remove your content completely

Needless to say, you’ll want to protect your website against these dangers. Although the default WordPress settings don’t offer extra protection against brute force attacks, you can take some steps to prevent them from happening.

How to block brute force attacks on WordPress

Now that you know about brute force attacks, let’s discuss how to protect your WordPress website from them. 

Step 1: Update your username

Since brute force attacks involve guessing login information, you can secure your WordPress website by updating your credentials. First, you should consider choosing a unique username.

In older versions of WordPress, the default username was “admin.” Now, new account holders can choose their usernames when they first log in. But you might need to update your username if you have an older account.

To see what your current username is, open your WordPress dashboard. Then, navigate to Users → Profile. You’ll find your username under the Name section.

viewing your username in WordPress

If you already have a unique username, skip to the next steps. If you see admin as your username, you’ll likely want to change it. Unfortunately, you won’t be able to directly edit your profile in the dashboard.

One of the simplest ways to change your WordPress username is to create a new user. Then, you can assign it a unique username and give it the same administrative privileges. The only downside of this method is that you’ll have to use a new email address.

First, go to Users → Add New. On this page, create a new username and enter your email address. Be sure to set the user role as Administrator.

creating a new user in WordPress

If you want to use the same email address, you can simply add a plus sign with additional letters after the username. For instance, if your normal email address is “exampleemail@gmail.com”, you can use “exampleemail+wordpress@gmail.com.” WordPress will consider this a new email address, but it will use the same inbox.

Next, you’ll need to log out of WordPress and use the new username to log back in. Then, go to the All Users page and click delete underneath the admin user role.

During the deletion process, you’ll need to move its content to the new username. To do this, select Attribute all content to [new username]. This is a critical step — otherwise your content will be deleted.

attributing content to a new user

Finally, click on Confirm Deletion. If you want to start using the same email address assigned to the admin username, you can update that now. 

If you want to change your existing username, you’ll need to do this through your WordPress database. Note that making changes to the database can be dangerous, so it’s best to do this if you already have experience in this area. To change your username, take the following steps:

  1. Click on the phpMyAdmin tool in the cpanel of your hosting provider. The exact location can vary based on your host.
  2. Click on your WordPress site’s database in the left-hand panel. This will open up your database tables.
  3. Click on the wp_users table. The prefix “wp_” is set by default, but your host may have changed it to something else. For example, the table may be called “janb_users.” 
  4. Find the username you want to change on the right side — in this case, “Admin” — and click Edit.
  5. In the user_login field, type whatever new username you’d like to set.
  6. Click the Go button.

Now, you can log in with the new username! 

Step 2: Use a strong password

Another way to protect your site against brute force attacks is to use a strong password. Since hackers use botnets (robot networks) to randomly guess passwords, it can help to have a one with a unique string of numbers and letters.

These are the characteristics of a strong password:

  • It has between ten and 50 characters
  • It uses uppercase and lowercase letters
  • It uses numbers and special characters
  • It’s unique from passwords used for other accounts or websites

To update your WordPress password, navigate to Users → Profile. Then, scroll down to Account Management.

Next, click on Set New Password. Once you do this, WordPress will automatically generate a strong password for you. This will be a complex credential that’s hard to guess.

generating a new password in WordPress

You can use this password or create your own. As you type, WordPress will indicate how strong or weak your new password is.

weak password notice

To make sure your new password is secure and random, you can use a password generator. This tool can automatically create a password with uppercase and lowercase letters, as well as numbers and symbols.

After pasting your new password into the text box, scroll to the bottom of the page. Click on Update Profile to save your changes. For maximum protection against brute force attacks, consider changing your WordPress password every four months. 

Step 3: Add two-factor authentication

When you log in to your WordPress site with just a password, this is called single-step authentication. You can also implement two-step, or two-factor, authentication.

With two-step authentication, you’ll provide two forms of verification to log in to your site. You’ll still enter your password, but you must also confirm your identity on your phone or another device.

Jetpack makes it easy to add secure authentication to your website. First, install and activate Jetpack in WordPress. Then, in the Jetpack dashboard, click on Manage security settings.

Scroll to the bottom of the page and find the WordPress.com login section. Here, turn on Require accounts to use WordPress.com Two-Step Authentication.

turning on two-factor authentication in WordPress

Then, find the Two-Step Authentication page in the Security tab. You can choose to set up your two-factor authentication with an app or SMS.

setting up two-factor authentication

If you choose the first option, you’ll need to download an app like Google Authenticator (iPhone | Android). WordPress will provide a QR code, which you can scan with the app and then enter the generated code.

QR code for two-factor authentication

When you click Set up using SMS, you’ll have to enter your phone number. Once you verify the code sent to your phone, you can start using two-factor authentication.

setting up two-factor authentication via text

Now you can verify your identity every time you log in to WordPress! This setup can offer increased protection against brute force attacks.

Step 4: Install a brute force attack protection plugin

After taking some basic steps to protect your login page, you can also benefit from installing a brute force protection plugin. The right tool can automatically block brute force attacks before they impact your site.

As you’re trying to choose the best plugin for brute force protection, you should keep a few factors in mind. To protect your website, you’ll want to find a plugin that works behind the scenes to prevent and stop brute force attacks.

Here are some basic features you should look for in a brute force protection plugin:

  • Limited login attempts
  • Two-factor authentication
  • A firewall
  • IP address blocklisting

Additionally, many brute force protection plugins provide general security for your website. For example, Jetpack Security not only prevents brute force attacks but performs malware scans, creates automatic backups, and screens for spam.

Jetpack is also one of the easiest brute force protection plugins to configure. After installing and activating Jetpack, you can turn on Brute force protection in the dashboard.

turning on brute force attack protection in WordPress

With this one click, you can enable Jetpack to prevent brute force attacks!

The four best WordPress plugins for brute force attack protection

Installing a plugin can be the most effective way to prevent brute force attacks. Still, you might not know which option is right for your website. Although there are many brute force protection plugins, four stand out as the best! 

1. Jetpack

Jetpack homepage image

When you download Jetpack, you can access brute force attack protection and many other security features. Jetpack also offers performance and growth tools, so you can choose a plan that’s perfect for your needs. 

If brute force attack protection is all you need, the great news is that it’s completely free!

Key features of Jetpack’s brute force attack protection:

  • One-click activation
  • Allowed IPs
  • The ability to see the number of blocked attacks
  • Two-factor authentication

Pros:

  • If you’re accidentally locked out of your login page due to Jetpack’s protection measures, you can send a special login link to your email address.
  • Jetpack compares each new IP address to its global database of malicious addresses.
  • With Jetpack, you can also access extended security measures, like downtime monitoring, site backups, and malware scans.

Cons:

  • Jetpack requires you to connect to a WordPress.com account. 
  • If your server is misconfigured, it may not return an IP address, which can disable the brute force protection feature.

Ease of use:

With Jetpack, you can implement brute force attack prevention in a single step. After installation, just visit the main Jetpack dashboard to turn on the feature. Then, you can simply allow Jetpack to do the work without any maintenance.

Pricing:

Any WordPress user can start using brute force protection for free with Jetpack. 

2. Sucuri

Sucuri homepage hero image

Sucuri is a tool specializing in website monitoring, protection, and performance. By implementing a Web Application Firewall (WAF), Sucuri can block brute force attacks on your website. 

Key features:

  • Web Application Firewall (WAF)
  • Limits login attempts
  • Automated tools to block bots
  • Allowlisting
  • Two-factor authentication, CAPTCHA, and passcodes

Pros:

  • Sucuri includes geo-blocking so that you can block all visitors from specific IP ranges. This feature can prevent brute force attacks from certain countries.
  • Sucuri’s firewall sanitizes traffic before it even reaches your WordPress website.

Cons:

  • The free version of Sucuri does not provide brute force prevention. To access a WAF, you’ll need to purchase a subscription. 
  • Although Sucuri is an effective option for brute force attack prevention, it’s expensive. There are other free plugins with similar features.

Ease of use:

Compared to other plugins, Sucuri has a more complicated setup process. To start using Sucuri, you’ll need to purchase a plan and set up a firewall. This involves integrating your cPanel account and manually changing your DNS records.

Pricing:

With Sucuri, brute force protection requires a premium plan. This feature comes with all of its subscription options, which start at $199.99 per year.

3. Wordfence Security

Wordfence plugin homepage

Wordfence Security is a plugin that provides a firewall and security scanner all in one. This tool offers many forms of login security, including two-factor authentication, allowlisted IP addresses, and reCAPTCHA keys. 

Key features:

  • Limits login attempts
  • Records successful and failed login attempts
  • Continually updated IP blocklist
  • Manual blocking tools
  • Two-factor authentication and reCAPTCHA 

Pros:

  • Since it comes with a Web Application Firewall, Wordfence can identify and block malicious traffic on your site.
  • If any administrative passwords are compromised, you can block any logins from that user.
  • Wordfence performs scheduled security scans every three days when you’re using the free version.

Cons:

  • For the free version of Wordfence, the generated data is delayed by 30 days. To receive real-time threat intelligence, you’ll have to upgrade to a paid plan.
  • The free plugin also doesn’t let you manually schedule scanning.

Ease of use:

Wordfence provides a very simple setup process for first-time users. After installing and activating the free plugin, it will prompt you to enter an email address where Wordfence can send alerts. Then, you can add brute force protection by implementing a firewall and login security features.

Pricing:

Even the free version of Wordfence Security comes with built-in brute force protection for unlimited sites. If you need advanced support, you can purchase a premium plan. These start at $99 per year.

4. iThemes Security

iThemes security hero image

iThemes Security ensures that you can start protecting your website from brute force attacks in under ten minutes. With this plugin, you can quickly customize your login page with two-factor authentication and password requirements. Plus, iThemes will automatically add your site to its Brute Force Protection Network.

Key features:

  • Maximum login attempts for both hosts and users
  • Local and network brute force protection
  • Graphs of recent brute force attacks
  • The ability to set password requirements for all users
  • Two-factor authentication

Pros:

  • One of the main benefits of iThemes Security is its Brute Force Protection Network. It records suspicious activity across one million different websites, identifying malicious IPs.
  • You can set a maximum number of login attempts for your website, which can prevent automated login guessing.

Cons:

  • If you want to add extra security features to your login page, like a reCAPTCHA field, you’ll need to purchase the premium plugin.
  • The free plugin does not include real-time security reports.

Ease of use:

After installation, the iThemes plugin will take you through a step-by-step setup process. Here, you can enable both local and network brute force protection. You can also choose to add two-factor authentication for extra security.

Pricing:

iThemes Security is a free WordPress plugin. If you’d like to use the real-time security dashboard, you can purchase the premium version, starting at $80 per year.

Comparison of the top plugins that block brute force attacks

JetpackSucuriWordfence SecurityiThemes Security
Limit login attemptsYesYesYesYes
Two-factor authenticationYesYesYesYes
Real-time reportsYesYesYes, with premium extensionYes, with premium extension
IP blockingYesYesYesYes
reCAPTCHAYesYesYesYes, with premium extension
Network brute force protectionYesNoNoYes
Ease of useOne-step activationRequires manually changing DNS recordsSimple tabs for managing your firewall, scans, and login securitySetup wizard to configure login security and user groups
PriceFree$199.99-$499.99 per yearFree-$950 per yearFree-$199 per year

Frequently asked questions (FAQs)

Now that you know all about brute force attacks and how to prevent them, let’s answer some questions!

How much does brute force protection cost in WordPress?

Brute force protection can be free if you download a brute force protection plugin like Jetpack. Other providers like Sucuri require a paid subscription.

How can I set up brute force attack protection in WordPress?

Setting up brute force protection will vary based on the provider you choose. Some options require you to configure a firewall, which can be complicated. Alternatively, Jetpack is a plugin that makes this process simple. After activation, you can turn on brute force protection with just one setting. 

What else can I do to secure my WordPress site?

There are many general security measures you can take to protect your website. First, consider performing consistent updates for the core software, themes, and plugins. You can also keep your data secure by backing up your website.

Another simple security measure is blocking spam. It’s also a good idea to delete unused plugins and monitor your site activity. Finally, make sure you regularly scan for malware and take immediate action if anything is found. 

Secure your website against brute force attacks

Without the right protection, your website can fall prey to brute force attacks. Fortunately, a brute force protection plugin is a simple addition to your site. With the right security measures, you can stop hackers from stealing your data.

To review, here’s how to implement brute force attack protection in WordPress:

  1. Update your username.
  2. Use a strong password.
  3. Add two-factor authentication.
  4. Install a brute force attack protection plugin like Jetpack.

After following these steps, you’ll be able to keep your information private and secure! Then, it’s just a matter of keeping your software up to date, backing up your files, and monitoring your website for spam and suspicious activity. 

This entry was posted in Security. Bookmark the permalink.

Simon Keating profile
Simon Keating

Simon has worked in marketing and product development for over 10 years, previously at HubSpot, Workday, and now Automattic (Jetpack). He has a varied education, with a degree in chemical engineering and a masters in computer science to his name. His passion is helping people and their businesses grow.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 60% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 111,110 other followers
  • Browse by Topic

  • %d bloggers like this: