How to Protect Your WordPress from Brute Force Attack


As website owners, to protect WordPress from brute force attacks is absolutely necessary.

Brute force attacks involve malicious actors attempting to gain unauthorized access to your WordPress admin area by systematically trying different username and password combinations.

That’s why people incorporate security plugins. But before exploring the plugins that protect your website from Brute Fore Attacks, let’s find out what Brute Fore Attack is.

What is a Brute Force Attack?

A brute-force attack is a method used by malicious hackers to get the username and password from their victims. This method can be explained in a simple and fairly easy to understand way, but can be very difficult to protect against.

A brute Force Attack is the simplest kind of method to gain access to a site: it launches multiple login attempts by trying usernames and passwords, over and over again, until it gets in.

It will force a login by using the specified dictionary which usually consists of a collection of password & username that is often used by users.

It will keep trying until it matches the username and password used so that the login attempt is done successfully.

This technique is widely used in the 90s, but it is still effective even now. 

A study conducted by Sucuri, one of the leading internet security firms, revealed quite a surprising fact. This attack happens quite a lot on the WordPress website.


Brute-Force attack precentage today

Brute-Force attack percentage today

How to Protect Your WordPress from Brute Force Attack?

So how to protect your WordPress from this attack? Fortunately, there are a few plugins that are able to block this attack. In this article, I will provide a review of some anti-brute-force attack plugins, which is pretty good to protect your website.

5 Best Brute Force Attack WordPress Plugins

You can install these plugins to your WordPress website to enhance protection against brute force attacks.

1. Keyy Two Factor Authentication (like Clef)

brute force attack - keyy two factor authentification

Keyy revolutionizes the concept of 2-factor authentication by replacing traditional passwords with advanced RSA public-key cryptography, providing enhanced security and a superior user experience.

Keyy eliminates the need for typing:

  • Usernames
  • Passwords
  • One-time passwords or other 2FA tokens

Instead, users can effortlessly log in using their mobile phones. It’s incredibly convenient!

Here’s how it works:

  • Install the Keyy app on your Android or iOS (iPhone/iPad/iPod) device.
  • Secure the app with either a fingerprint or a 4-digit PIN.
  • To log in, simply open the app and scan the code displayed on the screen.

With Keyy, you gain one-click access to all your WordPress websites simultaneously.

brute force attack - keyy two factor authentification app

Keyy on Android

Keyy utilizes RSA public-key cryptography, the same technology trusted by secure websites (SSL). It employs a robust 2048-bit RSA digital key generated and stored on the user’s mobile phone.

To ensure independence from third parties, Keyy does not rely on a central database. The digital key is safeguarded within the secure confines of the Android Keystore or Apple Keychain, accessible only via the user’s mobile device protected by a fingerprint scan or a 6-digit PIN.

Therefore, even if the phone is lost or stolen, data remains secure.

By eliminating the use of passwords, Keyy effectively guards against various common password-stealing techniques, including brute force attacks.

2. hCaptcha for WordPress

brute force attack - hcaptcha

Previously, we had discussed how to protect WordPress from brute force attacks by customizing WordPress login page without plugins.

But there is an easier alternative for that. hCaptcha serves as a convenient alternative to reCAPTCHA, prioritizing user privacy above all else.


brute force attack - hcaptcha login page

hCaptcha login page

If you’re seeking a solution to combat brute-force bots effectively, hCaptcha offers robust protection against spam and abuse while respecting user privacy.

With hCaptcha Free, websites have the opportunity to earn rewards while simultaneously preventing bots and various forms of abuse, requiring users to verify their humanity.

By default, this plugin ensures:

  • No covert user tracking
  • No storage of personal user data in the database
  • No transmission of data to external servers
  • No use of cookies
  • This plugin is a product of community development, and your contributions in the form of Pull Requests (PRs) are warmly welcomed.

3. Custom Login

brute force attack - custom login

This plugin has a feature that had been popular on a “Stealth Login” plugin which is obsolete now. Similar to the previous plugin, Custom Login will modify a WordPress login page, but this one can change the URL.

By making the login URL more obscure, a brute-force engine can’t attack your site just for having your website domain.

Besides the stealth login feature, this site also has 2 step authentication extension. Similar to Keyy, with this plugin you have to authenticate by using another measure, usually a phone.

This plugin also lets you modify the plugin theme. Now you can make the login page to be more beautiful.

brute force attack custom login feature

4. Jetpack Protect

Jetpack Protect, a must-have WordPress security plugin, is available for free and serves as an essential tool for safeguarding your website. With its user-friendly interface, setting up Jetpack Protect only requires a few simple clicks.

Over the course of a website, Jetpack blocks an average of 5,193 WordPress brute force attacks. It shields your site from both conventional brute force attacks and distributed brute force attacks.

brute force attack - jetpack protect attack blocked

This plugin also promptly identifies vulnerabilities and ensures that your site remains one step ahead of potential security threats.

Jetpack Protect conducts daily scans of your site and delivers alerts regarding the following aspects:

  • The version of WordPress currently installed, along with any associated vulnerabilities.
  • The installed plugins and any vulnerabilities associated with them.
  • The installed themes and any vulnerabilities linked to them.

Site vulnerabilities represent weaknesses in a website’s code that compromise its overall security. In many cases, these vulnerabilities are unintentionally introduced to a site through various means.

Some common avenues through which vulnerabilities can be introduced to a site include:

  • Poorly written code specific to the website.
  • Bugs within plugins and themes.
  • Bugs associated with the version of WordPress being used.
  • Misconfigurations within the system.

brute force attack - jetpack protect

5. iThemes Security

brute force attack - ithemes security

iThemes Security WordPress Plugin


If you feel the plugins above are still not enough and you need a more powerful level of security, then you can use iTheme Security.

This plugin is extremely powerful. Novice users will simply be overwhelmed in using it. But if you feel geek enough, then this plugin is for you. This plugin has a dozen options that you can use to strengthen your WordPress security.

It will try to detect the vulnerabilities that may be present in your WordPress installation and gives you the option to fix it.

One of the very useful features of this plugin is to limit the number of unsuccessful login attempts (Brute-Force attacks).


brute force attack - itheme security wordpress plugin

iThemes Security WordPress Plugin


End Notes: Security Best Practices?

As the old saying goes, “Prevention is better than a cure”. Understanding and implementing security best practices are things that are absolutely necessary, in order to maintain the security of your website.

Use strong passwords, never entrust your password to anyone or anything and always perform periodic backups are a must.

Need to consult for WordPress Security? Discuss with our team of WordPress Developer. With a decade of experience, Tonjoo knows the best practice to make your WordPress Website keep up to date with the latest security challenge.

Updated on May 23, 2023 by Hanif Mufid


No comments entry.


Lets Work Together!

Create your ideal website with us.