Blog

WordPress Brute Force Attacks: Prevention Guide

WordPress Brute Force Attacks: Prevention Guide

A brute force attack can turn your WordPress login page into a punching bag within minutes.

If you run a small business website in Canada, you may never see the attack happening directly. You just notice the after-effects: a slow site, locked-out staff, strange admin users, spam posts, or a warning from your host that your account is using too many resources.

The good news is that brute force attacks are one of the more preventable WordPress threats. You do not need to be a security expert, but you do need a few practical controls in place.

What Is a WordPress Brute Force Attack?

A brute force attack is when bots repeatedly try to guess a username and password combination for your WordPress admin area.

Most attacks target the WordPress login page, usually located at the standard login URL. Some also target XML-RPC, REST API endpoints, WooCommerce customer login forms, membership portals, or any plugin that allows users to sign in.

The attacker is not sitting there manually typing passwords. These are automated scripts that can test thousands of combinations using leaked passwords, common usernames, and predictable patterns.

Examples of weak login combinations include:

  • admin with a simple password
  • Your business name as the username and password
  • An employee’s email address with a reused password
  • Old passwords that were exposed in another website breach
  • Predictable passwords using seasons, cities, or services

Even if the attacker does not get in, repeated login attempts can still slow your site down. On cheaper hosting, a login flood can consume enough resources to make the whole website feel broken.

Why WordPress Gets Targeted So Often

WordPress powers a large share of business websites, so attackers build tools around it. That does not mean WordPress is “insecure” by default. It means popular software attracts automated attacks.

Most brute force attacks are not personal. The bot does not care whether you are a dentist in Calgary, a restaurant in Halifax, a law firm in Toronto, or a contractor in Winnipeg.

It scans the web, finds WordPress sites, and tries the same basic attacks over and over.

That is why even a small brochure website can be targeted. Attackers may use compromised sites to send spam, host phishing pages, redirect visitors, inject SEO spam, or pivot into other systems.

Common Signs of a Brute Force Attack

Sometimes you will see obvious signs. Other times, the symptoms look like ordinary website trouble.

Watch for:

  • Repeated failed login emails or security plugin alerts
  • Staff being locked out of WordPress
  • Sudden spikes in CPU, memory, or bandwidth usage
  • A slow admin dashboard, especially the login screen
  • Unknown administrator accounts
  • Password reset emails you did not request
  • Login attempts from countries where you do not do business
  • WooCommerce customer login issues during attack spikes

If you think the attacker may already be inside, do not treat it as “just failed logins.” Check for added users, changed files, suspicious plugins, redirects, and spam content.

For more warning signs, see How to Tell If Your WordPress Site Is Hacked.

Step 1: Stop Using Weak Usernames

Passwords get most of the attention, but usernames matter too. If your username is easy to guess, the attacker only has to solve half the problem.

Avoid usernames like:

  • admin
  • administrator
  • your business name
  • your domain name
  • your public author name
  • info, sales, support, or contact

Use unique usernames for each admin user. If your public blog author name matches your login username, change the public display name so you are not advertising your login details on every post.

Do not share one admin account between multiple staff members. Shared accounts make it harder to know who changed what, and they create a mess when an employee leaves.

Step 2: Use Strong, Unique Passwords

A strong WordPress password should be long, unique, and stored in a password manager. The “unique” part matters most.

If someone reuses their WordPress password on another service and that service gets breached, attackers can try the same email and password on your website. This is called credential stuffing, and it is very common.

Good password habits:

  • Use a password manager such as 1Password, Bitwarden, Dashlane, or another reputable option
  • Create a different password for every user account
  • Avoid passwords based on your company name, address, phone number, pet names, or staff names
  • Remove old user accounts instead of leaving them dormant
  • Change passwords after an employee, contractor, or agency no longer needs access

Do not force everyone to memorize complex passwords. That usually leads to sticky notes, spreadsheets, or predictable patterns. A password manager is safer and easier.

Step 3: Turn On Two-Factor Authentication

Two-factor authentication, usually called 2FA, is one of the best defenses against brute force attacks.

With 2FA enabled, a stolen or guessed password is not enough. The user also needs a second factor, such as a code from an authenticator app.

For most small business WordPress sites, 2FA should be required for:

  • Administrators
  • Editors with publishing access
  • Shop managers
  • Developers and maintenance providers
  • Any account with access to customer or client information

If your site handles sensitive information, such as legal intake forms, healthcare inquiries, financial details, or WooCommerce customer data, 2FA should not be optional for admin users.

We have a dedicated setup guide here: How to Set Up Two-Factor Authentication for WordPress Admin Access.

Tip: Before enforcing 2FA for everyone, make sure you have backup codes or a recovery process. Otherwise, a lost phone can become an emergency.

Step 4: Limit Login Attempts

By default, WordPress does not strongly limit repeated login attempts. That makes life easier for attackers.

A login attempt limiter blocks or delays users after too many failed attempts. This simple control can reduce automated guessing dramatically.

Look for login protection that can:

  • Temporarily block IP addresses after repeated failures
  • Apply longer lockouts after repeated blocks
  • Notify you of unusual login activity
  • Allow trusted users to regain access safely
  • Avoid locking out your whole office because one person mistyped a password

Security plugins often include this feature. Hosting-level security tools may also provide brute force protection before the request even reaches WordPress.

Be careful with settings that are too aggressive. If your staff share a small office network, one person’s failed attempts could temporarily affect everyone using the same connection.

Step 5: Add a Web Application Firewall

A web application firewall, or WAF, helps filter malicious traffic before it hits your WordPress site.

A good WAF can block known bad bots, suspicious login patterns, exploit attempts, and traffic from abusive networks. This matters because brute force attacks often come alongside other attacks, such as plugin vulnerability scans.

There are generally two places a WAF can work:

  • At the server or hosting level: Filtering happens before WordPress has to process the request.
  • Inside WordPress: A plugin inspects requests after WordPress starts loading.

Hosting-level protection is often more efficient because it reduces load earlier. Plugin-based firewalls can still be useful, especially when configured carefully.

Ambrite’s cloud hosting includes Imunify360, which helps detect and block malicious activity at the hosting level. You can read more in How Imunify360 Protects Your Website.

Step 6: Keep WordPress, Plugins, and Themes Updated

Brute force protection is only one piece of security. If your login is protected but your plugins are badly outdated, attackers may bypass the login entirely.

WordPress core, plugins, and themes should be updated regularly, but not recklessly. For simple brochure sites, updates are usually straightforward. For WooCommerce, booking systems, membership sites, and custom builds, updates should be tested more carefully.

A practical update routine includes:

  • Reviewing available updates weekly
  • Backing up before applying changes
  • Testing important forms, checkout pages, and login areas after updates
  • Removing plugins and themes you no longer use
  • Watching security advisories for critical plugin vulnerabilities

Do not keep abandoned plugins just because “nothing has broken yet.” Old plugins are a common way attackers get in after brute force protection stops working as the main entry point.

Step 7: Protect XML-RPC If You Do Not Need It

XML-RPC is a WordPress feature that allows remote connections. Some apps and services use it, but many modern WordPress sites do not need it.

Attackers often abuse XML-RPC for login attempts because it can allow repeated authentication requests in a way that is less visible than the normal login page.

Before disabling or restricting it, check whether your site relies on it. Some publishing tools, mobile apps, Jetpack features, or integrations may use it depending on your setup.

If you do not need XML-RPC, consider restricting or disabling it using a reputable security plugin, hosting control, or server-level rule. Check the documentation for your hosting platform or security tool because the safest method depends on your environment.

When not to disable XML-RPC: If you use a service that depends on it and you are not sure what will break, do not guess. Restrict it carefully or ask your hosting provider before making the change.

Step 8: Use CAPTCHA Carefully

CAPTCHA can help slow down automated login attempts, but it is not magic. Some bots can bypass weak challenges, and some CAPTCHA tools frustrate real customers.

CAPTCHA is usually more appropriate for:

  • Public registration forms
  • WooCommerce customer login pages
  • Membership sites
  • Comment forms that attract spam
  • Password reset forms being abused by bots

For admin-only sites, 2FA and login rate limiting are usually more important than CAPTCHA.

Also think about accessibility. If your audience includes older users, patients, legal clients, or customers using assistive technology, a poorly chosen CAPTCHA can block legitimate people from contacting you or signing in.

Step 9: Remove Unused Admin Accounts

Every admin account is another door into your website. If you have old agency accounts, former employee accounts, temporary contractor accounts, or test users with high permissions, clean them up.

Review your WordPress users regularly. Ask three questions:

  • Does this person still need access?
  • Do they need administrator access, or would editor/shop manager access be enough?
  • Is this account protected with a strong password and 2FA?

Use the principle of least privilege. Most staff do not need full admin access to update pages, publish blog posts, or manage basic content.

If you run a WooCommerce store, be extra careful with shop managers and administrators. Those roles may access orders, customer details, and business-sensitive information.

Step 10: Monitor Login Activity

You cannot respond to what you cannot see.

Basic login monitoring helps you spot unusual activity before it becomes a full compromise. Many security plugins and hosting tools can show failed logins, successful logins, blocked IPs, and suspicious patterns.

Look for patterns like:

  • Repeated attempts against the same username
  • Successful logins at strange times
  • Logins from countries where your staff are not located
  • Many password reset attempts
  • New admin users created unexpectedly

Do not obsess over every failed login. A few failed attempts are normal on WordPress. What matters is volume, repetition, and whether any suspicious attempt succeeds.

Step 11: Choose Hosting That Does Not Leave You Alone

Hosting matters during brute force attacks because the server has to handle the traffic. A cheap, overloaded shared hosting account may struggle under automated login floods.

Look for hosting with security and performance features such as:

  • Server-level malware scanning
  • Brute force and bot protection
  • Modern web server technology
  • Fast storage such as NVMe SSD
  • Reliable backups
  • Clear support when something looks suspicious

Ambrite provides Canadian cloud web hosting with LiteSpeed, NVMe SSD storage, and Imunify360 protection. Hosting starts at $7.99/month CAD, and it is built for small businesses that want WordPress to run fast without ignoring security.

You can learn more about our hosting here: Ambrite cloud web hosting.

Canadian Privacy Considerations

If your WordPress site collects personal information from Canadians, brute force prevention is not just a technical issue. It is also part of protecting client, customer, or patient data.

Under PIPEDA, Canadian businesses are expected to use reasonable safeguards for personal information. What counts as “reasonable” depends on the sensitivity of the information and the risk involved.

A basic contact form with a name and email address still deserves protection. A legal intake form, healthcare appointment request, quote form with home address details, or WooCommerce checkout contains more sensitive information and needs stronger safeguards.

For Canadian business sites, practical safeguards include:

  • HTTPS on every page
  • 2FA for admin users
  • Strong access control
  • Regular updates
  • Backups and recovery planning
  • Monitoring for suspicious activity
  • Clear policies around who can access submitted information

Security does not replace a privacy policy, but it supports the promises you make in one.

What To Do During an Active Brute Force Attack

If your site is being hit right now, start with containment. Do not waste time debating whether the attack is “serious enough.”

Take these steps:

  1. Confirm whether anyone got in. Check recent admin logins, user accounts, changed content, and security alerts.
  2. Change admin passwords. Use strong, unique passwords and do not reuse old ones.
  3. Enable or enforce 2FA. Prioritize admin and shop manager accounts first.
  4. Limit login attempts. Add rate limiting if it is not already active.
  5. Block abusive traffic. Use your host, firewall, or security plugin to block obvious attack sources.
  6. Check server resource usage. A login flood may be causing slowdowns even if no login succeeded.
  7. Review backups. Make sure you have a clean restore point in case the site is already compromised.

If you find a new admin user you do not recognize, strange plugin files, redirects, spam pages, or modified theme files, treat the site as compromised. At that point, brute force prevention is no longer enough; you need cleanup and hardening.

When Not to Handle This Yourself

There is nothing wrong with doing basic WordPress security yourself. Many site owners can enable 2FA, use strong passwords, remove old users, and install a reputable security plugin.

But there are times when DIY is risky.

Get professional help if:

  • You suspect an attacker successfully logged in
  • Your site handles client, patient, legal, or payment-related information
  • Your WooCommerce store is affected
  • You see unknown admin users or suspicious files
  • Your host has suspended your account for resource abuse or malware
  • You are not sure whether backups are clean
  • The same attack keeps coming back after you block it

The danger is not just the visible damage. Attackers often leave backdoors so they can return later, even after passwords are changed.

A Practical Brute Force Prevention Checklist

If you want the short version, use this checklist.

  • Replace weak usernames like “admin”
  • Use unique passwords stored in a password manager
  • Enable 2FA for all admin-level users
  • Limit failed login attempts
  • Use hosting-level firewall and malware protection where possible
  • Restrict XML-RPC if your site does not need it
  • Remove old users and unused admin accounts
  • Keep WordPress, plugins, and themes updated
  • Back up the site regularly and test restores
  • Monitor login activity and new user creation
  • Review permissions after staff or agency changes

Do the first four items first. They stop the most common brute force problems quickly.

How Ambrite Can Help

Brute force prevention works best when hosting, maintenance, and security monitoring are handled together.

Ambrite helps Canadian small businesses with cloud WordPress hosting, security-focused maintenance, updates, backups, malware scanning, and practical support. Our WordPress maintenance plans start from $49/month CAD, and they are designed for business owners who would rather not spend their week chasing security alerts.

If you want help hardening your site, reviewing login security, or moving to a better hosting environment, see our WordPress maintenance and security plans or contact Ambrite.

A brute force attack is annoying, but it should not be a crisis. Strong passwords, 2FA, login limits, clean user access, and good hosting will stop most automated attacks before they become business problems.

This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.

Was this article useful?

Related Articles

How to Comply with PIPEDA: Essential Privacy Policy Requirements for Canadian Websites
Your website collects personal information from visitors — even just their IP address counts....
How to Set Up Two-Factor Authentication for WordPress Admin Access
Two-factor authentication (2FA) is like adding a deadbolt to your WordPress admin door — and in...
How Hackers Exploit Outdated WordPress Plugins
That outdated WooCommerce shipping plugin you've been meaning to update? It's probably already...
How a Hacked Website Damages Your Firm's Reputation
Your website just got hacked. The sinking feeling in your stomach is real — and it should be. A...
WordPress Security Best Practices for Law Firms
Your law firm's website handles sensitive client data every single day. One security breach...