How I secured my WordPress Blog from Brute Force Attacks


How I secured my WordPress Blog from Brute Force Attacks. 

It all started a month ago after updating my WordPress version to 5.5, I received a heavy brute attack complaints from my server hosting customer representative, detailing in a mail to me about the recent brute force attacks being perpetrated against my Blog. Without any delay, I scrutinized my web security, passwords, debugged my server for any loopholes among other things that I tried.

Finally, I was able to put the brute force attacks on a temporary end after following some steps I read online earlier while surfing for solutions. I had given into a temporary solution to stop the attacks due to I was given a 24hrs ultimatum to secure my WordPress blog from brute force attacks and I read the mail about 5hrs to suspension of my Hosting server.

What was my Temporary Solution to the WordPress Brute Force Attacks?

Most of the WordPress Brute force attacks are being carried out through the wp-login.php and xmlrpc.php files.

I renamed my wp-login and xmlrpc file. 

After doing this, all brute force attacks were put to an end, so I was able to escape my 5hrs deadline to suspension.


How I permanently secured my WordPress Blog from Brute force attacks.


WordPress Plugins vs Brute Force Attacks.

1. Install WP Cerber Security Plugin.

The Cerber security does a great job to secure your WordPress website from hackers. It as many features like Traffic inspection & filter, Anti-spam, which all enables you to monitor your live traffic, blacklist IP Address and networks.


I installed it, and it showed me every actions I needed to take about brute force attacks on and how my server can be exploited with it

2. Install Limit Login Attempts Reloaded.
This plugin will help you limit failed login attempts on your login page. You can see it to 5 login attempts or less. Download it Here

3. Disable WordPress Rest API

First thing you need to do is install and activate the Disable REST API plugin. The plugin works out of the box and there are no settings for you to configure.

It will now forcibly return an authentication error to any API requests from sources who are not logged into your website


.Htaccess Vs Brute Force.

Your htaccess can do a lot more to secure your WordPress blog from brute force attacks, but you should be cautious when editing the file, as one single mistake, can effects your entire site.


Block All IP / Bots Accessing your WP-Login, WP-Admin and XMLRPC Files.

If you are the only administrator and your IP address rarely or never changes, then this advice is for you. Add this to the top of your .htaccess file:

Paste this below in your .htaccess file. (Replace Your IP Address with the

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^$

RewriteCond %{REMOTE_ADDR} !^$

RewriteRule ^(.*)$ – [R=403,L] </IfModule>

Disable WP directory browsing 

Directory browsing allows any visitor to your site to see and browse the contents of the folders in your WordPress site. Everyone can visit a directory of your site, see the files and open them at will. By default, the majority of hosts have chosen to block access to directories, for obvious reasons of security, however, there are still many hosts that do not disable access to the directory of hosted sites.

Go to your .Htaccess and paste the below code. 

 Options - Indexes

LockDown WordPress admin using .htaccess

You can do this by using Login LockDown plugin or manually by making changes in .htaccess. The code you need to add should be included at the top of your .htaccess file for WordPress unique installations or after the following lines on a multisite network:

RewriteEngine On

RewriteBase /

RewriteRule ^ index \ .php $ - [L]

Here is the code you need to add:

# BEGIN Hide login page

RewriteRule ^ mylogin $ https: //% {SERVER_NAME} /wp-login.php?key=123&redirect_to=https://% {SERVER_NAME} /wp-admin/index.php [L]

RewriteCond% {HTTP_REFERER}! ^ Https: //% {SERVER_NAME} / wp-admin

RewriteCond% {HTTP_REFERER}! ^ Https: //% {SERVER_NAME} /wp-login.php

RewriteCond% {HTTP_REFERER}! ^ Https: //% {SERVER_NAME} / login

RewriteCond% {QUERY_STRING}! ^ Key = 123

RewriteCond% {QUERY_STRING}! ^ Action = logout

RewriteCond% {QUERY_STRING}! ^ Action = lostpassword


# END Hide login page

Make sure to change mylogin to the second line for the slug you want to use for your login page. If you do not change, you can find your login page as well

It is recommended to change the “slug” because the default one is publicly available, which means that hackers have access to it as well. If you use a custom slug, then it will not be able to access it, because the only location where this slug is displayed is on this file.

Also, be sure to change 123 on lines two and seven for something else. It’s a secret key that will not be visible to hackers. You should choose something that is not easy to guess. Choose a value that is composed of letter and number.

Back up your .htaccess file and make sure your site is always available. If you get an internal 500 error, it means that you made a mistake somewhere. Restore the file and try again.

Deny Access to No Referrer Requests

Extended from Combatting Comment Spam, you can use this to prevent anyone who isn’t submitting the login form from accessing it:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
 RewriteCond %{HTTP_REFERER} !.** [OR]
 RewriteCond %{HTTP_USER_AGENT} ^$
 RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]

Nginx – Deny Access to No Referrer Requests

location ~* (wp-comments-posts|wp-login)\.php$ {
        if ($http_referer !~ ^( ) {
          return 405;

That’s all the steps I tookto secure my wordprewss blog from brute force attacks. If you have any question about WordPress brute force attacks, use the comment section below.

Leave A Reply

Your email address will not be published.