
Quick Tip: Protect Your WordPress Login Page From Brute Force Attacks


Lock Down Your Blog

If you're a WordPress blogger, chances are that you're aware of the massive brute force attempts targeting WordPress sites lately. If you're not sure what these are, basically it's when someone attempts to hack your site by guessing your username and password. But they usually do this with bots that let them automate the process, and your site can be hit hundreds (if not thousands) of times a day. And if you don't have any brute force protection on your server or your WordPress installation, you might never know until someone hacks your site.

Fortunately you can block these attempts fairly easily.

Brute Force Protection Plugins

One way to protect your site is to install a WordPress security plugin that offers brute force protection. These will generally let you decide how many login attempts a user gets before they're automatically locked out and unable to try again for a certain amount of time.

The problem with this method is that potential hackers still get to try at all. So you're still at risk. And giving them access to the login page still allows them to automatically try to log in with different usernames and different IP addresses at a frequency that can slow down your site.

Protecting wp-login.php

These days I go a step farther for any site where I'm the only person who needs to log in. I limit access to the wp-login.php file (and sometimes the wp-admin folder) to my IP address. If you have a dynamic IP address that occasionally changes, you can always update this in your .htaccess file by logging into your hosting account, so temporarily losing access to the WP login page isn't a big deal.

To make your wp-login.php file accessible only via your IP address, open your .htaccess file in your site's files and add the following (replacing the Xs with your IP address, which you can discover by visiting

RewriteEngine on
# Condition 1: the request is for wp-login.php (anywhere in the path)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
# Condition 2: the client address is NOT your IP (dots must be escaped)
RewriteCond %{REMOTE_ADDR} !^x\.x\.x\.x$
# Both conditions true: answer 403 Forbidden and stop processing
RewriteRule ^(.*)$ - [R=403,L]

For example, if your IP address is 123.456.789.0, you would add the following to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0$
RewriteRule ^(.*)$ - [R=403,L]

By no means is this the only way to protect your WordPress login page. But it's a quick fix and a good start if you're the only one who needs to access it. And this keeps bots from slowing things down with repeated login failures.

If you'd like to learn how to tweak this to also limit the wp-admin folder to your IP address, or if you want to allow multiple IP addresses to log into your site, InMotion Hosting has a great guide on taking this farther.
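Because a typo in these rules can lock you out of your own site, here is an added example (my own script, not from the post or from InMotion Hosting) that generates the allow-list block above for one or more addresses, optionally covering wp-admin as well, and simulates how mod_rewrite would treat a request so you can check the rules before uploading them. The IP addresses in it are constructed documentation-range values.

```python
import ipaddress
import re


def render_htaccess(allowed_ips, protect_wp_admin=False):
    """Build the allow-list block from the post for one or more client IPs.

    Each allowed IP becomes its own negated RewriteCond; mod_rewrite ANDs the
    conditions, so the 403 fires only when the request hits the login path AND
    the client matches none of the allowed addresses. ipaddress.ip_address()
    rejects malformed input (an octet above 255) before it lands in the file.
    """
    ips = [str(ipaddress.ip_address(ip)) for ip in allowed_ips]
    # wp-admin/ is opt-in: it also covers wp-admin/admin-ajax.php, which some
    # themes and plugins call for anonymous visitors.
    path = r"(wp-login\.php|wp-admin/)" if protect_wp_admin else r"wp-login\.php"
    lines = ["RewriteEngine on",
             f"RewriteCond %{{REQUEST_URI}} ^(.*)?{path}(.*)$"]
    lines += [f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$" for ip in ips]
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    return "\n".join(lines)


def simulate(htaccess, request_uri, remote_addr):
    """Return the status the block would produce for one request (403 or 200).

    Mirrors mod_rewrite: a RewriteRule applies only if every preceding
    RewriteCond is true. REMOTE_ADDR is the TCP peer as Apache sees it; behind
    a CDN or reverse proxy that is the proxy's address, not the visitor's, so
    the allow-list only works once mod_remoteip (or equivalent) has restored
    the real client IP.
    """
    env = {"REQUEST_URI": request_uri, "REMOTE_ADDR": remote_addr}
    for var, negate, pattern in re.findall(
            r"^RewriteCond %\{(\w+)\} (!?)(\S+)$", htaccess, re.M):
        matched = re.search(pattern, env[var]) is not None
        if matched == bool(negate):      # this condition is false: rule skipped
            return 200
    return 403


if __name__ == "__main__":
    # constructed sample: two RFC 5737 documentation addresses as the allow-list
    rules = render_htaccess(["203.0.113.5", "203.0.113.6"], protect_wp_admin=True)
    print(rules)
    for uri, ip in [("/wp-login.php", "203.0.113.5"),
                    ("/wp-login.php", "198.51.100.7"),
                    ("/wp-admin/edit.php", "198.51.100.7"),
                    ("/index.php", "198.51.100.7")]:
        print(f"{ip:>14} {uri:<22} -> {simulate(rules, uri, ip)}")
```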

How do you protect your WordPress login page? Do you simply rely on plugins that stop attacks only after some attempts have been made? Do you change the location of your login page to make it more difficult for automated hacking attempts to find? Do you use a front-end login page with its own protection against automated brute force attacks (like a honeypot to stop bots from submitting the form in the first place)? Share your strategies, experience, or tips in the comments.

Have a request for the Tuesday Quick Tips series? Submit your quick tip request (or any reader question) using the free writing advice form.

4 thoughts on “Quick Tip: Protect Your WordPress Login Page From Brute Force Attacks”

  1. I have been very happy with the Wordfence security plugin. A techie person recommended it and I have had it for a few years. They have a free version but I quickly upgraded as I didn’t feel the free version (at the time) got as much of their attention.

    • I keep hearing good things about that one Cathy. Probably from you! 😉 In my case I just hesitate to install the more comprehensive security plugins if I can do what I need without them because of compatibility issues. It’s rare that I can introduce a big plugin and not have it break something else (at least here where so many are required). But one of these days I’ll have to give it a try on a newer site and see how it works in comparison. 🙂

  2. Thanks for the tip!

    I hired a “techie” to secure my website because I noticed people were creating posts on my site. Yikes! I’ve used WP since 2008 and never had this happen to me.

    Question for you… Who do you recommend for web hosting? I use Blue Host and upgraded to their VPS server and have had issues regarding backup. It may be time to move to a new hosting company. Thank you!

    • Oh no! I hope they were able to sort out the hack.

      I’m not at all a fan of BlueHost. They and 1&1 are awful, and I would never touch them for WordPress hosting. When I started out, I mostly used HostGator, and I was happy with them for the most part (though I did leave in large part due to a customer service issue). Now I mostly use based in Toronto. I remember setup being a bit of a pain with them for a VPS, but once I got past that I haven’t had any real issues. There’s occasional downtime like there is with any host, but it’s less than other hosts I’ve used and they tend to be very responsive and quick to resolve things (and the problems are on my end as much as theirs).

      Who did you use to secure your site? I used Rack911 and loved them. But you have to remember with every plugin update, theme update, or new site installation you open the door to new vulnerabilities. So you have to keep an eye on things and periodically improve what you can. The worst attack I’ve had to deal with was a result of a plugin exploit. While I know there’s always a risk, I certainly hope I never have to deal with something to that scale again.
