Bulletproofing Your WordPress Site Against A Brute Force Attack

A brute force attack involves trying any and all combinations of commonly used passwords to gain access to an account or access to the administration section of your WordPress site. WordPress is one of the most commonly used frameworks for building websites today. Therefore, it should be no surprise that it is also one of the most commonly hacked as well. We believe that this threat warrants a list of tips, that when used, can thwart any attempts to gain access to your website.

[post-cta heading=”Managed Hosting Services” text=”Get more information on Managed Services and keep your WordPress site secure.” button_text=”Learn More” link=”/services/managed-hosting/” image=”/wp-content/uploads/2018/02/Managed-hosting-personal-300×300.jpg” image_position=”right”]

How can you protect yourself against these type of attacks on WordPress?


Once you have installed WP on your account, you will want to log into it by visiting http://www.yourdomain.com/wp-login.php. Here you will be asked for your username and password to access the administration section. Navigate to the ‘Add New’ User section found at http://www.yourdomain.com/wp-admin/user-new.php. Although the WordPress minimum requirement is only 7 characters, HostLabs recommends passwords of at least 12 characters. You will also want to be sure to select Administrator as the role for this new user from the dropdown menu at the bottom. Once you have created this new user, navigate to http://www.yourdomain.com/wp-admin/users.php, hover over the original Admin user and select ‘Delete’. If you have posts that were created by the ‘Admin’ user, you will be asked what you want to do with them when you are deleting this user. These posts are commonly re-assigned to the new user you just created.


You will want to update your new user’s password every 90 days. Be sure to keep a record of passwords used, and do not repeat them. Always create new passwords when updating. We list deleting the admin user and updating passwords regularly as the most important factors since these are the main focus of a brute force attack. Do not use passwords like: admin, admin123, administrator, pass, password, password1, password, root, qwerty, q1w2e3, 000000, 123456, 987654321. If you are having trouble creating a strong password, consider a service such as those found at http://www.random.org/passwords and http://strongpasswordgenerator.com. Additionally, if you have multiple users on your website, either set up a schedule for all to see that requires regular updates to passwords or let them know that you will be making the updates and will provide them with new ones regularly.


There are a number of quality plugins that you can take advantage of for free from WordPress.org. Here is a short list to get you started:

Limit Login Attempts Reloaded (https://wordpress.org/plugins/limit-login-attempts-reloaded/)

Loginizer (https://wordpress.org/plugins/loginizer/)

Wordfence Security (https://wordpress.org/plugins/wordfence/)

Bulletproof Security (http://wordpress.org/extend/plugins/bulletproof-security)

DUO 2-Factor Authorization (https://www.duosecurity.com/docs/wordpress)


Found in all control panels available through HostLabs, password protecting your login page is another secondary effort that you can make. Look for the following icons in your control panel.


We realize that building a website can be difficult. For those that need to focus on running their business, or simply do not have the time needed to stay on top of updates, we offer our Managed Hosting services to all levels of hosting plans. For more information on how Managed Hosting can help your site and free up valuable time for you, please visit  Managed hosting.