How to protect your Site from Brute force attacks?

Attackers who succeed with a brute force attack can upload malware to your site, which can make it inaccessible. Use the following methods to protect your site from brute force attacks.

  1. By installing a Firewall Plugin
  2. By Updating WordPress and Plugins
  3. By securing WordPress Admin Directory
  4. By adding/enabling Two-Factor Authentication
  5. By using strong Random Passwords
  6. By disabling Directory Browsing for WordPress
  7. By disabling PHP File Execution for some WordPress Folders
  8. By Installing a Backup Plugin

Let’s get into each of these points one by one.

1. By installing a Firewall Plugin

A brute force attack begins with requests sent to your server. A firewall filters these requests out before they reach WordPress, and a plugin on your WordPress site can do that filtering for you. You can use either of the firewall solutions given below.

  • Application-Level Firewall
  • DNS-Level Firewall

Both of these solutions are good, but a DNS-level firewall is more effective and more expensive. If you cannot afford a paid version of the plugin, you can use the free version.

2. By updating WordPress and Plugins

If you are using an older version of WordPress or of your plugins, you are at greater risk of being hacked. Update WordPress and all of your plugins regularly.

3. By securing the WordPress Admin Directory

The WordPress admin area is the target of most brute force attacks. To counter this, add password protection to the WordPress admin (wp-admin) directory. Doing so blocks unauthorized users from reaching the WordPress admin area.

You can add a password to the wp-admin directory from your hosting control panel: open the wp-admin directory of your WordPress website there and enable password protection for it.

After this step you may see error messages and redirects. To avoid them, open your WordPress .htaccess file and add the line given below:

ErrorDocument 401 default


4. By adding Two-Factor Authentication

To add an extra layer of security and reduce the risk of brute force attacks, enable two-factor authentication. With two-factor authentication, a one-time password is generated for every login to the WordPress admin area, and users must enter it along with their login credentials.

5. By using strong Random Passwords

Use a strong password to prevent any kind of hacking into your website.

Do not use personal information like birth dates, names, contact numbers, etc. as passwords, as it is risky to do so.

Create a unique password that is a random combination of numbers, letters, and special characters. It is by far the best way to protect your website from hacking.

6. By disabling Directory Browsing for WordPress

In some cases your web server cannot locate an index file (index.php or index.html). By default, the web server then shows the visitor an index page that lists the contents of the directory.

To prepare a brute force attack, attackers may use directory browsing to search for vulnerable files.

To fix this, you have to edit your WordPress .htaccess file and add the following line at the bottom:


Options -Indexes


7. By disabling PHP File Execution for some WordPress Folders

One of the ways brute force attacks are carried out is by running PHP scripts on the web server. If attackers manage to place a PHP script in a WordPress folder of your website, they can take over your site.

It is not advisable to disable PHP execution everywhere in WordPress, since WordPress itself runs on PHP. But you can disable PHP execution in the uploads folder without disrupting the functions of your WordPress website.

To Disable PHP Execution

  • First, open a text editor (for example, Notepad) on your computer.
  • Enter the following code:


# Block direct requests for any .php file in this folder (on Apache 2.4 the equivalent is "Require all denied")
<Files *.php>
deny from all
</Files>



  • Then, save it as .htaccess
  • In the end, open the FTP client and upload it to the /wp-content/uploads/ folder on your website.

8. By installing a Backup Plugin

If an attacker manages to get into your website, the worst thing they can do is delete all of your data. So it is best to back up your data as early as possible. You can take backups through your hosting service provider or install a backup plugin.

To reduce the risk of a brute force attack, take all the precautionary measures given above, and make sure you have backed up your crucial data before an attacker manages to get into your website.
