high risk

How to Stop Brute-Force Attacks on WordPress Login

Brute-force attacks guess passwords against wp-login.php and XML-RPC until one works. WordPress has no built-in rate limiting, so any exposed login is a target. A few layers make it impractical to crack.

  1. 1

    Limit login attempts

    Install a login-limiting plugin (or a security plugin that includes it) to lock out an IP after a few failed attempts.

  2. 2

    Enable two-factor authentication

    2FA stops brute-forcing entirely — even a correct password fails without the second factor. Enable it for every admin account.

  3. 3

    Enforce strong, unique passwords

    Require long passphrases and never reuse credentials. Check any password against known breaches before trusting it.

  4. 4

    Protect the login endpoints

    Block or rate-limit XML-RPC (which amplifies brute force), and consider restricting wp-login.php by IP or adding a CAPTCHA.

Related concept: Brute Force Attacks

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides