Secure a hosted WordPress site against ‘Brute Force Attacks’



This website, like millions of other such websites, is a hosted WordPress website. WordPress is open source & makes it super easy to create, design & manage high quality websites. This is the reason why WordPress is the leader in the content management system (CMS) arena.

Having said that, this leadership position means that hackers are also interested in WordPress websites, & security of these websites becomes an important part of the WordPress set-up.


Yesterday afternoon I started getting autogenerated mails for failed login attempts into my website admin page. I ignored these mails for a while as I had already set up a pretty strong policy for locking out users after a couple of unsuccessful attempts. My website has been targeted earlier also, and most of these were one-off events.


Find below a copy of the e-mail.

From: WordPress <wordpress@***********.com>
Date: 18 December 2016 at 3:09:05 PM IST
To: *******@*******.com
Subject: [***********] Too many failed login attempts

2 failed login attempts (1 lockout(s)) from IP: **.***.**.***

Last user attempted: administrator

IP was blocked for 1 hours



When I checked my emails after a couple of hours I was surprised to see a continuous stream of failed login attempts. I quickly realised that my website was under a “brute force attack” using bots. This continued non-stop for the next 12 hours until I decided to figure out a way to stop this. When I checked the stats in the WP settings I saw 863 failed login attempts were made from different IP addresses. That led to 204 IPs being blocked, which meant that the bot was most probably using compromised hosts across the globe to orchestrate the attack. Do keep in mind that my website does not hold any valuable information (of course my posts do help in sharing knowledge & that knowledge can be very valuable; but these posts are open for everyone).
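A small triage script for this situation, added here as an example and not part of the original post: it parses lockout notifications in the format of the e-mail shown above and reports how many distinct IPs are involved and which usernames the bots are guessing. The sample mails, the `mysite` site name, the `real_admin` value and the three-IP threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed notification bodies in the format of the e-mail shown above.
# IPs are from the RFC 5737 documentation ranges; "mysite" is a made-up site name.
SAMPLE_MAILS = [
    f"2 failed login attempts (1 lockout(s)) from IP: {ip}\n\n"
    f"Last user attempted: {user}\n\nIP was blocked for 1 hours\n"
    for ip, user in [
        ("192.0.2.10", "administrator"), ("198.51.100.7", "admin"),
        ("203.0.113.45", "root"), ("192.0.2.10", "admin"),
        ("198.51.100.99", "mysite"),
    ]
] + ["Unrelated mail body that must be skipped\n"]

MAIL_RE = re.compile(
    r"\d+ failed login attempts \(\d+ lockout\(s\)\) "
    r"from IP: (?P<ip>\S+).*?Last user attempted: (?P<user>[^\r\n]+)",
    re.DOTALL,
)

# Names this post says bots start with; the site name is added per site.
DEFAULT_NAMES = {"admin", "administrator", "root"}


def parse_mail(body):
    """Return the fields of one lockout notification, or None if it is not one."""
    m = MAIL_RE.search(body)
    if m is None:
        return None
    return {"ip": m["ip"], "user": m["user"].strip().lower()}


def summarize(mails, site_name, real_admin, min_ips=3):
    """Aggregate lockout mails: source spread and which usernames are guessed."""
    records = [r for r in map(parse_mail, mails) if r]
    ips = Counter(r["ip"] for r in records)
    users = Counter(r["user"] for r in records)
    guessable = DEFAULT_NAMES | {site_name.lower()}
    return {
        "lockout_mails": len(records),
        "distinct_ips": len(ips),
        "users": users,
        # Guessable names being tried confirm that renaming the admin account matters.
        "default_names_tried": sorted(set(users) & guessable),
        # If bots try the real admin name, the username has leaked somewhere.
        "real_admin_targeted": real_admin.lower() in users,
        # Lockouts spread over several source IPs point to a botnet, not one host.
        "distributed": len(ips) >= min_ips,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MAILS, site_name="mysite", real_admin="k7-editor"))
```
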

See a snapshot of the number of attacks in a span of 6 hours.



“Brute Force Attacks”

Brute Force attacks are not run manually by humans; they are sophisticated computer programs executed by bots. These programs are set up to randomly crawl the internet and look for some predefined URLs; in our case it is the WordPress admin URL that ends with ‘wp-admin’. Once the URL is found, the program continuously tries different username & password combinations in an attempt to break into the website. The process is fully automated, and the attacker most probably has no information about the site being attacked. With WordPress gaining prominence, such attacks are becoming more and more common and the severity of the attacks can at times be very high.


In my case I had already taken steps to secure my website by changing some settings in the WordPress admin panel and was confident that the brute force attack was not going to hack into my admin account. But the non-stop attempts to log into my website’s WP admin console were consuming a lot of traffic and could potentially slow down my website. So I decided to look around and figure out a way to end the attack for good. During my search I tried a few options and finally decided to use “CloudFlare”. This tool is effective and very easy to set up & use. I was able to successfully end the brute force attack & the service that I used is free.


In the remainder of this post I will document steps to enhance the security of a hosted WP website. Most of these steps can & should be taken at the time of setting up the website to stay secure. The first two points are generic security measures that should be followed by everyone who uses a hosted WP site; the third point is specific to keeping the website safe from Brute Force attacks using CloudFlare.


  1. Change the name of the default admin user. By default the name of the admin user is ‘admin’; immediately change this to something else & keep a strong password. But remember to NEVER use the below 4 names, as the bots that are used for brute force attacks would invariably start by using these user names only.
    • admin
    • administrator
    • root
    • (name of your website)



2. Change Limit Login Attempts Settings. Go to “settings > Limit Login Attempts” and change the settings based on your requirements. I have given below some standard settings that should suffice for most new websites.


  • Lockout allowed retries = 3
  • minutes lockout = 60 mins
  • lockouts increase lockout time to = 1 hours
  • hours until retries are reset = 1 hours
  • Notify on lockout, check both of the below
    • Log IP
    • Email to admin after 1 lockouts



These basic setting changes in WordPress would ensure that your site is fairly secure and hard to break into for bots trying to gain access to WP admin accounts.


3. Use CloudFlare to stop Brute Force attacks. CloudFlare offers CDN, DNS, DDoS protection and security for hosted websites. We are going to use the free tier offering from CloudFlare to set up the security for our website. The process is detailed below:

  • Create an account in CloudFlare, go to
  • Click on “Add Website”, add the domain name without ‘www’ in the field given & click the “Begin Scan” button. This would take a minute; after that click on “Continue Setup”.




  • On the next page you would get the option for selecting the DNS Records. The page would automatically display the A, AAAA, and CNAME records that can have their traffic routed through the Cloudflare system.
  • If you do not have a good understanding of DNS leave these settings as they are & click on “Continue”.




  • On the next page you would get the option for choosing the Plan. You can choose the plan that suits you; I would suggest that you start with the Free Plan and move to one of the paid options as and when the need arises.




  • After this you will get the option of changing the name servers. You need to update the DNS settings on the portal of your Domain Name provider and use the “CloudFlare” name servers. The name servers for CloudFlare would look like



  • After changing the name server settings on your DNS provider’s page, come back to the CloudFlare site and click on “Continue”.
  • The process of routing the DNS through CloudFlare is now complete; you can check the same on the main page, where the status should be “Active”.




  • Now we will change some settings to make our website resilient against Brute Force attacks.
  • Go to Page Rules tab at the top and add a new page rule.




  • In the URL dialog box add the name of your website followed by wp-login.*   As an example we will take the following URL —>*
  • In the settings dropdown boxes, select the below two options
    • Browser Integrity Check — Enable this
    • Security Level — Change this to “I’m Under Attack”




These settings would ensure that bots find it difficult to reach your site to execute their programs; this would significantly increase the security of your hosted WordPress website. Even though it is still possible for a hacker to break into your website, these steps would increase the cost of the attack & most attackers would move on to other weakly guarded websites.

