WordPress Login protection from brute force attacks

by | Plugins, Security

Your WordPress login page is open to abuse

Most users of WordPress don’t give a second thought to this fact and until the day comes when a website has been hacked into and goes offline but most WordPress websites have a major security weakness by default.

2 facts you might not have considered

  1. by default the same username ‘admin’ is used for every single WordPress installation.
  2. there is no limit to the number login attempts to a WordPress website

What this means is the hackers out there already have the first piece of the puzzle to access your website, the exact username. Then all they need to do is run a program that tries thousands or millions for that matter of password combinations, know as a brute force attack, until they work out yours. There is nothing to stop them continuously trying to get in to your website.

2 things you can easily do to reduce this risk

  1. create a new username with administrator privileges and delete the admin user. (I believe thankfully in WordPress 3.0 you will have the option to create a unique administrator level user at the point of installing WordPress so all of these admin users should be reduced from that release forward.)
  2. install a plugin that limits the number of incorrect login attempts

The plugin(s) I recommend to deal with this issue

Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/

It is really easy to install and gives you the option to be emailed after a certain number of failed login attempts.

Also you can set how many attempts can be made before the username is locked out and the more consistent the attempts the longer the lockout period.


I highly recommend getting your new administrator username other than ‘admin’ before using this plugin or you could be locked out yourself if hackers keep attempting to login to using the admin username and that all you have to access your website.



Google Authenticator – http://wordpress.org/extend/plugins/google-authenticator/

Now this one can be used in conjunction with the limit login attempts plugin. 

This is a beautiful piece of security to give you peace of mind and two factor authentication.

Once installed on your website you then install the Google Authenticator App on your iphone ( view iphone app here ) or Android phone (view Android app here) which generated a unique code every 30 seconds for your login. 

This means that even if someone managed to guess your username and password they will never guess the 3rd item

To setup is very easy if you follow the basic steps correctly.

  1. Install the WordPress Plugin – Google Authenticator – http://wordpress.org/extend/plugins/google-authenticator/


  2. Go to your profile page and under the Google Authenticator setting put in a description. Use NO SPACES or it won’t work. Eg JohnSmithsBlog
  3. Click on Show/Hide QR code
    User Profile entry on Google Authenticator WordPress plugin
  4. Install the iPhone version or Android version  of Google Authenticator app
    Google Authenticator Iphone app
  5. Add new token and click on Scan Barcode
    scan barcode
  6. Now the app will generate a new code every 30 seconds
    authentication code on iphone app
  7. Use the current code on your iphone or android app at the time of login
    new WordPress  login screen
  8. That’s all you have to do. Just remember you will need to view the app on you iphone or android device every time you login to get the code. How secure it that!
    Good luck and I hope you enjoy using this plugin as much as I do!
The WP Guy - Tony Cosentino

The WP Guy

Here to help with many areas of your WordPress needs.

The WP Guy

Website Health Check

Thorough audit of your WordPress website.

The WP Guy

Ongoing Support

Let me take care of the Website stuff so you can focus on what you do best.

The WP Guy

WordPress Training

- One-on-one WordPress training via zoom

- In-house group training