How to discourage brute force attacks on WordPress based website


If you've experienced seeying a message "Wordpress administrator area access disabled temporarily due to widespread brute force attacks" then it means that someone tried to force your admin login panel and posed a serious threat to your website. Brute force attacks are the standard tool of all pseudo black hat hackers and they can be easily omitted.

1. Limit access to Wp-Login.php & Wp-Admin.php

This operation will simply deny access to anyone who doesn't come to login url directory from a specific IP adress. It will permanently discourage brute force attacks simply because hacking device will not be able to meet the requirements of the .htaccess file. Speaking of it - let's get to work

Use an FTP Client to obtain access to your FTP directory (you can use popular Filezilla or WinSCP client). If you wish to login using different method then you can access your FTP directory by using file manager that your web hosting company should provide you with.

Login to your FTP account and access your main root directory. Main root directory is often a folder named 'www', 'public_html' or eventually 'root'. Locate your .htaccess file and open it 'on the run' (WinSCP offers this option) or simply download it on your computer. Edit it with the help of random text editor and add the following to the very beginning of your .htaccess file:

        order deny,allow

        Deny from all
# whitelist IP address

allow from

        order deny,allow

        Deny from all
# whitelist IP address

allow from

Replace with your own IP adress.

You can check your ip adress with this link Please note that if you have a dynamically assigned ip from your internet provider then it will mean that you need to edit your .htaccess file and change your IP adress each time you'll wish to login to your admin dashboard. It's a little bit not comfortable but highly effective. Works great in terms of security and comfort if you have a static IP adress.

2. Disallow Wordpress file editing

Performing this operation will result in unability to edit Wordpress PHP files in Admin Dashboard. This is often the first directory hacker will be interested in after obtaining login access to your backend. Wordpress by default is allowing anyone with the admin rights to easily modify their theme and plugin files. After performing this operation any theme or plugin file editing will be possible only by using FTP client.

Access your FTP server (For instructions on how to do it please read the first paragraph.) and open your Wordpress Root directory. Locate a file named wp.config.php and edit it. Add the following line of code:

define('DISALLOW_FILE_EDIT', true);

That's it! Save your wp.config.php file and make sure it sits back on your server in it's modified form.

3. Install Simple Login Lockdown

Simple Login Lockdown is a plugin that's job is to disallow further login attempts after x amount of failed ones. This simply means that hacker will be unable to input and submit data in the admin login form with the help of any automated software. That will discourage brute force attacks even more and make you avoid explaining yourself to your web hosting company on why there is an excessive usage of CPU and RAM resources.

4. Set proper permissions to vulnerable files and folders

By setting 'read' permissions only to some of your files you'll limit the risk of editing them by third party users and avoid situations in which a non-compatible plugin will cause harm to your website by adding some junk code.

You should set 444 file permissions with the help of your FTP client on the following files: any .htaccess files, wp-config.php, wp-login.php, plugins folder, themes folder and robots.txt.

5. Set stealth URL for Admin Login

Creating a stealth admin login URL will simply protect your admin login panel from anyone who will try to access '' or '' directories. The admin login form won't be there and user will be simply redirected to 404 not found error.

Of course you will know where your login directory sits because it will be you who will create an additional string to your 'wp-login.php'.

To speed up and simplify things let's utilize a plugin called Stealth login Page. You can download it from here.

Please analyze the screenshot below to understand how this plugin works

Notice how your admin login page URL will change. After wp-login.php it will contain '?' letter and a string of two keywords divided by '=' character. This is your new Admin Login URL!

Final word

We hope that this little tutorial will help you defend yourself against hackers and script kiddies using multiple forms of attack (including brute force attacks).