Brute Force Attacks: How to Protect Your WordPress Site
Right now, a bot is probably trying to guess your WordPress password. It is not personal. Attackers hit thousands of sites simultaneously, and yours is just another target. The question is whether your site is protected when it happens.
What a Brute Force Attack Actually Is
A brute force attack is exactly what it sounds like. An attacker tries password after password until one works. No sophisticated hacking, no exploiting vulnerabilities. Just relentless guessing.
Modern brute force attacks are fully automated. A single bot might try thousands of username and password combinations per minute across hundreds of WordPress sites simultaneously. If your site has no protection, it is just a matter of time before they get in.
The numbers are staggering. If an attacker can try 1,000 passwords per second (easily achievable with no rate limiting), they can attempt 60,000 passwords per minute, 3.6 million per hour, and 86 million per day.
Common passwords and dictionary words get tried first. Password123 might be attempt number 47. Your clever password Summer2024 might be attempt number 10,000. Neither will survive long against an automated attack.
How Attackers Target WordPress
The primary target is wp-login.php. Every WordPress site has this login page at the same location. Attackers do not even need to find it. They already know where it is.
Attackers try the most common usernames first: admin (by far the most common), administrator, root, your domain name, common first names, and any email addresses or author names visible on your site.
They use lists of common passwords, leaked passwords from data breaches, and variations. Top 10,000 most common passwords. Dictionary words with numbers. Keyboard patterns. Passwords leaked in prior breaches.
Here is what many people do not know. WordPress has an XML RPC interface at xmlrpc.php that allows multiple login attempts in a single request through the system.multicall method. An attacker can try 500 passwords in one HTTP request, bypassing many rate limiters entirely. If you are only protecting wp-login.php and not XML RPC, you are still vulnerable.
What Most People Get Wrong
In my experience, the biggest mistake is not knowing attacks are happening. Most site owners have no visibility into login attempts. Attacks happen silently, and owners only find out when it is too late. I have talked to plenty of people who had no idea their site was getting hammered with password guesses every single day.
The second mistake is assuming strong passwords are enough. They help, but if there is no rate limiting, an attacker can make millions of attempts. Eventually something might work, or at minimum they are consuming your server resources.
The third mistake is only protecting wp-login.php. Most site owners have no idea that the XML RPC login path exists. Their login page has rate limiting, but xmlrpc.php is wide open. Attackers know this and use it.
The fourth mistake is thinking CAPTCHAs solve everything. They can help, but they create frustrating user experiences, raise accessibility concerns, can be solved by CAPTCHA solving services, and add third party dependencies. Rate limiting is more effective and less intrusive.
Signs Your Site Is Under Attack
How do you know if brute force attempts are happening? Common signs include slow site performance (login attempts consume server resources), high traffic to wp-login.php visible in server logs, account lockout emails if you have notifications configured, failed login entries in logs showing hundreds from the same IP, and database load spikes since each login attempt queries the database.
The problem is that most WordPress sites have no logging or monitoring in place.
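One way to get that visibility from an ordinary web server access log, as an added example that is not part of the original post: it counts login POSTs per client IP across both wp-login.php and xmlrpc.php. The log lines are constructed and the threshold is an assumption to tune to your own traffic.

```php
<?php
// Constructed sample of combined-format access log lines (not real traffic).
// A failed wp-login.php POST re-renders the form (200); a successful one redirects (302).
// xmlrpc.php answers 200 either way, so every POST to it is counted.
$sample_log = <<<'LOG'
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2024:10:01:04 +0000] "GET /about/ HTTP/1.1" 200 9122 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411 "-" "python-requests/2.31"
LOG;

// Returns [ip => ['wp-login' => n, 'xmlrpc' => n]] for attempts that look like guesses.
function count_login_posts(string $log): array {
    $counts = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*? "POST \/(wp-login|xmlrpc)\.php[^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $endpoint, $status] = $m;
        if ($endpoint === 'wp-login' && $status !== '200') {
            continue;                       // redirect means the login succeeded
        }
        $counts[$ip][$endpoint] = ($counts[$ip][$endpoint] ?? 0) + 1;
    }
    return $counts;
}

$threshold = 3;                             // assumed per-window limit; tune for your site
foreach (count_login_posts($sample_log) as $ip => $per_endpoint) {
    $total = array_sum($per_endpoint);
    if ($total >= $threshold) {
        printf("%s: %d login attempts (%s)\n", $ip, $total, json_encode($per_endpoint));
    }
}
```

Run against a real log with `tail -n 5000 access.log` piped in instead of the sample, and remember that an XML RPC multicall hides many guesses behind one line, so a low count there still deserves a look.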
The Challenge of DIY Protection
Protecting against brute force attacks sounds straightforward in theory. Limit login attempts. Block bad IPs. Use strong passwords. But implementing these protections properly is surprisingly complex.
Rate limiting is tricky. It is the most effective protection: after a few failed attempts, block further attempts from that IP address. But implementing it correctly requires tracking failed attempts across sessions, handling distributed attacks from multiple IPs, avoiding false positives that lock out legitimate users, managing progressive lockout durations, and cleaning up old records to prevent database bloat.
XML RPC requires special handling. Simply blocking XML RPC entirely breaks functionality that some plugins and the WordPress mobile app depend on. Selectively blocking the dangerous methods while allowing safe ones requires understanding the protocol in detail.
IP blocking gets complicated. When the same IP repeatedly triggers lockouts, it should be blocked at the firewall level. But maintaining blocklists manually is tedious, and automated solutions need to be careful not to block legitimate users behind shared IPs or VPNs.
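As an added illustration of the progressive lockout described above and of the system.multicall path described under How Attackers Target WordPress, here is a minimal must-use plugin. It is example code, not ArmorPro's or WordPress core's; the hook names and transient functions are WordPress's, while the example_bf_ names, thresholds and lockout schedule are assumptions, as is the absence of a reverse proxy in front of the site.

```php
<?php
/**
 * Plugin Name: Example progressive lockout (added illustration, not ArmorPro or WordPress core code)
 * Install as wp-content/mu-plugins/example-lockout.php. Assumes no reverse proxy, so
 * $_SERVER['REMOTE_ADDR'] is the real client address; behind a proxy, resolve that first.
 */
define( 'EXAMPLE_BF_MAX_FAILS', 5 );                       // failures per window before a lockout
define( 'EXAMPLE_BF_WINDOW', 15 * MINUTE_IN_SECONDS );     // window in which failures are counted
define( 'EXAMPLE_BF_LOCKOUTS', array(                      // lockout length grows per repeat offence
    15 * MINUTE_IN_SECONDS, HOUR_IN_SECONDS, 6 * HOUR_IN_SECONDS, DAY_IN_SECONDS,
) );

function example_bf_ip() {
    return sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// 1. Reject logins from a locked-out IP. Priority 30 runs after core's password check (20),
//    and wp_authenticate() is shared by wp-login.php and XML-RPC, so both paths are covered.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( 'example_bf_lock_' . example_bf_ip() ) ) {
        return new WP_Error( 'example_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// 2. Count failures per IP; on the Nth failure, lock the IP for a progressively longer period.
//    Transients expire on their own, so no cleanup job is needed to prevent table bloat.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = example_bf_ip();
    if ( get_transient( "example_bf_lock_{$ip}" ) ) {
        return;                                            // already locked; do not re-count
    }
    $fails = (int) get_transient( "example_bf_fails_{$ip}" ) + 1;
    set_transient( "example_bf_fails_{$ip}", $fails, EXAMPLE_BF_WINDOW );
    if ( $fails < EXAMPLE_BF_MAX_FAILS ) {
        return;
    }
    $strikes = (int) get_transient( "example_bf_strikes_{$ip}" ) + 1;   // lockouts so far
    $length  = EXAMPLE_BF_LOCKOUTS[ min( $strikes, count( EXAMPLE_BF_LOCKOUTS ) ) - 1 ];
    set_transient( "example_bf_strikes_{$ip}", $strikes, DAY_IN_SECONDS );
    set_transient( "example_bf_lock_{$ip}", time() + $length, $length );
    delete_transient( "example_bf_fails_{$ip}" );
    error_log( sprintf( 'example_bf: locked %s for %ds after %d failures (username "%s")',
        $ip, $length, $fails, $username ) );                // audit trail in the PHP error log
} );

// 3. Drop system.multicall so one XML-RPC request cannot carry hundreds of login attempts,
//    while leaving the rest of XML-RPC working for the mobile app and plugins that need it.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );
```

Because the lockout is keyed on IP only, users behind a shared NAT or VPN share one counter; a per-username counter alongside it is the usual way to soften that.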
Automated Brute Force Protection
ArmorPro includes intelligent brute force protection with progressive lockouts, two factor authentication, XML RPC blocking, IP logging, and optional admin login notifications. Protection that works without slowing down your site or requiring ongoing maintenance.
What Real Protection Looks Like
Effective brute force protection needs to handle all of these concerns simultaneously. Progressive lockouts that get longer for repeat offenders. XML RPC attack prevention without breaking legitimate uses. Automatic IP blocking for persistent attackers. Logging of all login attempts for security auditing. Optional notifications when suspicious activity occurs. Minimal performance impact on your site.
Building this yourself means writing hundreds of lines of code, testing edge cases, and maintaining it as WordPress evolves. For most site owners, this is not a practical use of time.
Best Practices
Regardless of how you implement protection, these fundamentals apply. Use strong passwords. A truly random 20 character password would take longer than the age of the universe to crack via brute force. Change the admin username. If you have a user called admin, attackers already know half the credentials. Enable two factor authentication. Even if an attacker guesses your password, 2FA stops them cold. Keep everything updated. Security vulnerabilities in outdated WordPress, themes, and plugins are often exploited alongside brute force attempts.
The Reality
Brute force attacks are simple, automated, and constant. They happen to virtually every WordPress site. The question is not whether you will be targeted. The question is whether you are protected when it happens.
The attackers are automated. Your protection should be too. That is why we built our plugin to handle this quietly in the background. You should not have to think about login security after you set it up.