
Block Brute-Force Attacks against WordPress



WordPress is a Content Management System (CMS) and blogging software that lets you publish content on the internet. A large share of the web pages on the internet are built on the popular WordPress software.

WordPress consists mainly of PHP code that renders HTML, and it stores its data in a SQL database such as MySQL or MariaDB.

Like any other IT system, a WordPress based web page can come under attack. Basically any computer or device on the internet can start an attack against a public web page. There are different kinds of attacks, but one very common approach to getting access to a system is password guessing. The technical term for automated password guessing is a brute-force attack.

The attackers' strategy is to try a lot of different passwords over and over again. After a short analysis of the WordPress page the attacker identifies the active user accounts; WordPress makes this easy because author archive pages (for example /?author=1, which redirects to /author/username/) and the REST API endpoint /wp-json/wp/v2/users reveal usernames by default. Once an account is identified, a large number of passwords is tried against the login form (wp-login.php) or the XML-RPC interface (xmlrpc.php). These attacks are run automatically by scripts.

If weak or short passwords are used for our WordPress accounts they can easily be guessed. That's why you should always use long and strong passwords consisting of numbers, lowercase letters, capital letters and symbols. Passwords of 16 characters or longer are recommended; a password manager makes such passwords practical.

The problem with these attacks is that they often go undetected. The password guessing can take days, weeks or months, and nothing stops it if WordPress is not protected: by default WordPress neither limits login attempts nor logs failed logins, so the only trace is in the web server's access log.
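Because WordPress itself keeps no record of failed logins, the web server access log is where such an attack becomes visible. The following Python script is an added example (it is not from the original post and not part of GuardGiant): it parses a few constructed Apache/nginx combined-format log lines and flags every IP address that sends 8 or more POSTs to the login endpoints within 4 minutes, the same numbers the plugin uses by default, and also counts how many of those POSTs ended in the 302 redirect that wp-login.php returns on a successful login. All addresses and log lines are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that accept credentials. xmlrpc.php is included because its
# system.multicall method lets a single POST carry many login attempts.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: 203.0.113.5 enumerates an author, hammers the login
# form and finally gets a 302 (wp-login.php redirects to wp-admin on
# success); 192.0.2.9 is a real user who mistypes the password once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:07:59:58 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 611 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:08:00:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "https://example.org/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:08:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.org/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, threshold=8, window=timedelta(minutes=4)):
    """Return {ip: {"attempts": n, "logins": k}} for every IP that made at least
    `threshold` login POSTs inside some sliding `window`. `logins` counts 302
    responses from wp-login.php, i.e. successful logins: one of those right
    after a burst of failures is the strongest sign that a guess worked."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                logins = sum(1 for r in recs
                             if r["path"] == "/wp-login.php" and r["status"] == 302)
                flagged[ip] = {"attempts": len(recs), "logins": logins}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} login POSTs, {info['logins']} successful")
```

Run against a real log with `find_bruteforcers(open("/var/log/nginx/access.log"))`; the GET to /?author=1 is deliberately not counted, because enumeration alone is not a login attempt, but it is the kind of request that precedes one.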

A good piece of software that protects us from these kinds of attacks is "GuardGiant Brute Force Protection". It is a free WordPress plugin. Let me introduce it to you. First of all we need to install it.

Installation of GuardGiant Brute Force Protection

Like any other WordPress plugin, we install it through the Dashboard of our WordPress page. Search for the plugin by its name. It looks like this:

[Screenshot: WordPress brute force protection plugin installation page]

Click on "Install Now" and then on "Activate".

Settings and Configuration

The predefined settings already protect us well. As you can see, the plugin distinguishes between "Limit Login Attempts On User Account" and "Block IP Addresses Making Multiple Failed Login Attempts".

This means that if an existing user account is attacked, the account is locked for 2 minutes after 10 wrong passwords have been tried. And after 8 failed login attempts from a single IP address, that IP cannot log in for 4 minutes. The two limits complement each other: the per-IP block stops a single attacking machine, while the per-account lock still catches an attacker who spreads the guesses over many IP addresses.

Important: these settings can lock us out of our own WordPress page if our own failed attempts trip one of the limits!

That's why we need to whitelist our IP address, so that our computer is always allowed to log in, no matter how many failed login attempts are made from it. Two things to check: whitelisting only helps if your address is static, and if the site sits behind a reverse proxy or CDN, make sure the plugin sees the real client address rather than the proxy's, otherwise every visitor appears to come from the same IP.

[Screenshot: whitelist setting of the plugin]

As you can see above, two IP addresses are whitelisted; they are never affected or locked by the plugin.
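To make the interplay of the two limits and the whitelist concrete, here is an added Python model of such a lockout policy. It is not GuardGiant's code and does not use the plugin's internals: the numbers (10 attempts / 2 minutes per account, 8 attempts / 4 minutes per IP) are the defaults described above, while the 4-minute counting window, the reset of the account counter on a successful login and the rule that failures from whitelisted addresses are not counted are assumptions of this model. The IP addresses are constructed examples.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Simplified model of a two-level lockout policy (per user account and per
    client IP) with an IP whitelist. Times are plain seconds so scenarios are
    deterministic. Assumptions: failures are counted in a sliding window, a
    successful login clears the account's counter, and failures from
    whitelisted addresses are never counted."""

    def __init__(self, user_limit=10, user_lock=120, ip_limit=8, ip_lock=240,
                 window=240, whitelist=()):
        self.user_limit, self.user_lock = user_limit, user_lock  # attempts, seconds
        self.ip_limit, self.ip_lock = ip_limit, ip_lock
        self.window = window                                     # seconds a failure stays counted
        self.whitelist = set(whitelist)
        self.user_fails = defaultdict(deque)   # username -> timestamps of failures
        self.ip_fails = defaultdict(deque)     # ip -> timestamps of failures
        self.user_locked_until = {}
        self.ip_locked_until = {}

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def refusal(self, ip, username, now):
        """Why an attempt from ip/username at time `now` must be refused, or None."""
        if ip in self.whitelist:
            return None                          # whitelisted addresses are never blocked
        if self.ip_locked_until.get(ip, 0) > now:
            return "ip-locked"
        if self.user_locked_until.get(username, 0) > now:
            return "user-locked"
        return None

    def attempt(self, ip, username, password_ok, now):
        """Process one login attempt; returns 'ok', 'fail', 'ip-locked' or 'user-locked'."""
        reason = self.refusal(ip, username, now)
        if reason:
            return reason                        # refused before the password is even checked
        if password_ok:
            self.user_fails[username].clear()    # genuine login resets the account counter
            return "ok"
        if ip in self.whitelist:
            return "fail"                        # failures from trusted addresses are not counted
        uf, ipf = self.user_fails[username], self.ip_fails[ip]
        uf.append(now)
        ipf.append(now)
        self._prune(uf, now)
        self._prune(ipf, now)
        if len(uf) >= self.user_limit:
            self.user_locked_until[username] = now + self.user_lock
            uf.clear()
        if len(ipf) >= self.ip_limit:
            self.ip_locked_until[ip] = now + self.ip_lock
            ipf.clear()
        return "fail"


def single_ip_attack():
    """8 failures from one address trip the IP block; even the right password is refused afterwards."""
    t = LoginThrottle()
    results = [t.attempt("203.0.113.5", "admin", False, now=i) for i in range(8)]
    return results + [t.attempt("203.0.113.5", "admin", True, now=8)]


def distributed_attack():
    """Rotating source addresses sidesteps the per-IP limit, but the per-account limit still locks 'admin'."""
    t = LoginThrottle()
    for i in range(10):
        t.attempt(f"198.51.100.{i}", "admin", False, now=i)
    return t.attempt("198.51.100.99", "admin", True, now=10)


def whitelisted_admin():
    """A whitelisted address can fail any number of times and still log in."""
    t = LoginThrottle(whitelist={"192.0.2.9"})
    for i in range(20):
        t.attempt("192.0.2.9", "admin", False, now=i)
    return t.attempt("192.0.2.9", "admin", True, now=20)


def lock_expiry():
    """The IP block lasts ip_lock seconds (240 by default) and then lifts by itself."""
    t = LoginThrottle()
    for i in range(8):
        t.attempt("203.0.113.5", "admin", False, now=i)
    return (t.attempt("203.0.113.5", "admin", True, now=100),
            t.attempt("203.0.113.5", "admin", True, now=300))


if __name__ == "__main__":
    print(single_ip_attack(), distributed_attack(), whitelisted_admin(), lock_expiry())
```

The distributed_attack scenario is the reason the per-account limit matters at all: a botnet never trips the per-IP counter. whitelisted_admin shows the flip side of the whitelist, a trusted address is completely unconstrained, so keep that list to the few addresses you really log in from.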

Another option hides whether a user account exists at all:

By default WordPress tells whoever tries to log in whether the username is unknown or only the password is wrong, which confirms valid usernames to an attacker. The option above hides that difference and shows one generic error message for both cases.

Additionally: always keep WordPress, its themes and plugins up to date to reduce the probability of becoming a victim of hackers.


I recommend this plugin because it stops password guessing attacks. The plugin is easy to configure and the predefined settings make sense. Don't forget to whitelist your own IP address, so that you are not locked out.

If you watch your web server's access logs, you will see that this plugin does its job: the number of login attempts from unauthorized devices drops.

Feel free to comment my post and have fun with WordPress and its plugins. 🙂

