What is a Brute Force Attack?
A brute force attack is an automated method where an attacker systematically tries every possible combination of usernames and passwords until they find the correct credentials. For WordPress sites, the primary target is the /wp-login.php page and the /xmlrpc.php endpoint.
Modern brute force attacks are not random — they use dictionaries of common passwords, leaked credential databases, and smart permutations. A determined attacker can attempt thousands of logins per minute.
How Brute Force Attacks Work Against WordPress
Standard Login Page Attacks
Attackers send automated POST requests to /wp-login.php with different username/password combinations. Without rate limiting, WordPress will process every request.
XML-RPC Amplification
The WordPress XML-RPC interface (/xmlrpc.php) allows multiple login attempts in a single request using the system.multicall method. An attacker can try hundreds of passwords in one HTTP request, bypassing many login-limiting plugins.
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member><name>methodName</name><value>wp.getUsersBlogs</value></member>
<member><name>params</name><value><array><data>
<value>admin</value><value>password123</value>
</data></array></value></member>
</struct></value>
<!-- ... hundreds more attempts ... -->
</data></array></value></param>
</params>
</methodCall>
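The amplification above is easy to spot on the server side if the request body is inspected before WordPress dispatches it. The following Python is an added defensive example, not code from the original article: it parses an XML-RPC body, counts how many credential-bearing calls a system.multicall carries, and rejects requests over a per-request limit. The AUTH_METHODS entries other than wp.getUsersBlogs, the limit of one call, and the sample body are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# XML-RPC methods whose params begin with username/password. wp.getUsersBlogs is the
# one in the payload above; the other entries are an assumption for this example.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "blogger.getUsersBlogs"}
# Exact path to each multicall entry; walking it (rather than iter("struct")) avoids
# counting structs that merely appear as arguments of an inner call.
ENTRY_PATH = "params/param/value/array/data/value/struct"

def count_auth_calls(body: str):
    """Return (top-level method, number of credential-bearing calls the body carries).
    Raises ValueError if the body is not a well-formed XML-RPC methodCall."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML-RPC body: {exc}") from exc
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    method = root.findtext("methodName", default="").strip()
    if method != "system.multicall":
        return method, int(method in AUTH_METHODS)
    nested = 0
    for entry in root.findall(ENTRY_PATH):
        for member in entry.findall("member"):
            if member.findtext("name", "").strip() != "methodName":
                continue
            value = member.find("value")  # bare <value>x</value> or <value><string>x</string></value>
            name = "".join(value.itertext()).strip() if value is not None else ""
            if name in AUTH_METHODS:
                nested += 1
    return method, nested

def should_block(body: str, max_auth_calls: int = 1) -> bool:
    """Policy: at most one credential-bearing call per request; unparsable bodies are rejected."""
    try:
        return count_auth_calls(body)[1] > max_auth_calls
    except ValueError:
        return True

# Constructed multicall carrying two login attempts (a real burst carries hundreds).
SAMPLE_MULTICALL = """<methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
<value><struct><member><name>methodName</name><value>wp.getUsersBlogs</value></member>
<member><name>params</name><value><array><data><value>admin</value><value>password123</value>
</data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value>admin</value><value>letmein</value>
</data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""
```

A single wp.getUsersBlogs call is normal client behaviour and passes; only the bundled form is refused.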
Credential Stuffing
Attackers use username/password pairs leaked from other breached services. Since many people reuse passwords, this approach has a surprisingly high success rate.
Signs Your Site Is Under Brute Force Attack
- Abnormally high server resource usage (CPU, memory)
- Slow page load times during attack bursts
- Failed login attempts in your security logs
- Locked-out user accounts
- Unusual traffic to /wp-login.php or /xmlrpc.php
- 503 errors from your hosting provider
Prevention Strategies
1. Use Strong, Unique Passwords
Require passwords with a minimum of 12 characters mixing uppercase, lowercase, numbers, and symbols. Use a password manager to generate and store them.
2. Enable Two-Factor Authentication (2FA)
Even if an attacker guesses the password, 2FA blocks access without the second factor. Use time-based one-time passwords (TOTP) via apps like Google Authenticator or Authy.
3. Limit Login Attempts
Install a plugin that locks out IP addresses after a set number of failed attempts. Popular options include Limit Login Attempts Reloaded and Wordfence.
4. Disable or Restrict XML-RPC
If you don't use the WordPress mobile app or Jetpack, disable XML-RPC entirely. If you need it, restrict access to specific IP addresses or disable system.multicall.
5. Change the Login URL
While security through obscurity is not a complete solution, changing /wp-login.php to a custom URL eliminates the vast majority of automated attacks that target the default path.
6. Implement CAPTCHA
Adding reCAPTCHA or hCaptcha to your login form blocks automated bots while allowing legitimate users through.
7. Use a Web Application Firewall
A WAF can identify and block brute force patterns at the network edge, before requests reach your WordPress installation.
8. Disable User Enumeration
WordPress allows attackers to enumerate usernames via /?author=1 or the REST API. Block this to prevent attackers from discovering valid usernames.
Detecting Brute Force Vulnerabilities
Our scanner checks for common brute force exposure points including:
- Accessible /wp-login.php without rate limiting
- Enabled XML-RPC endpoint
- User enumeration via author archives
- Exposed WordPress REST API user endpoints
Frequently Asked Questions
A brute force attack is an automated method where an attacker systematically tries every possible combination of usernames and passwords against your WordPress login page (/wp-login.php) or XML-RPC endpoint until they find the correct credentials.
The WordPress XML-RPC interface allows multiple login attempts in a single request using the system.multicall method. An attacker can try hundreds of passwords in one HTTP request, bypassing many login-limiting plugins.
Signs include abnormally high server resource usage, slow page load times, failed login attempts in security logs, locked-out user accounts, unusual traffic to /wp-login.php or /xmlrpc.php, and 503 errors from your hosting provider.
While security through obscurity is not a complete solution, changing /wp-login.php to a custom URL eliminates the vast majority of automated attacks that target the default path. Combine this with rate limiting, 2FA, and strong passwords for best protection.
Even if an attacker guesses the correct password through brute force, 2FA blocks access without the second factor (typically a time-based one-time password from an app like Google Authenticator or Authy), making the stolen password useless.