- 1
Limit login attempts
Install a login-limiting plugin (or a security plugin that includes it) to lock out an IP after a few failed attempts.
- 2
Enable two-factor authentication
2FA stops brute-forcing entirely — even a correct password fails without the second factor. Enable it for every admin account.
- 3
Enforce strong, unique passwords
Require long passphrases and never reuse credentials. Check any password against known breaches before trusting it.
- 4
Protect the login endpoints
Block or rate-limit XML-RPC (which amplifies brute force), and consider restricting wp-login.php by IP or adding a CAPTCHA.
Related concept: Brute Force Attacks
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.