What are brute force login attacks?

     A brute-force attack is one in which an attacker tries many usernames and passwords in the hope of eventually guessing correctly. It checks all possible passwords until the correct one is found.

     A brute force attack is a trial-and-error method used to identify information such as a user password or personal identification number (PIN). It uses automated software to generate a large number of consecutive guesses.

     It may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.


How does it work?

     Brute force attacks work by calculating every possible combination that could make up a password and testing each one until the correct one is found.

     As the length of the password increases, the average time needed to find the correct password increases exponentially. Short passwords can therefore be discovered easily, while longer passwords are much harder to find.

Indications of a brute force attack:

  • Many failed login attempts.
  • Logins with multiple usernames.
  • Logins from a single user with different IP addresses.
  • Logins with a referring URL.
  • Logins with suspicious passwords.
  • Excessive usage and bandwidth consumption.


You can use the following .htaccess rules to keep attackers away from the WordPress login pages, although this does not resolve the problem completely.

Code 1 :

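<IfModule mod_rewrite.c>
 RewriteEngine on
 # Match requests for wp-login.php or wp-admin
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 # Put the IP address you want to allow between ^ and $ (dots escaped);
 # with nothing there, as here, every client is refused
 RewriteCond %{REMOTE_ADDR} !^$
 # Answer the matched requests with 403 Forbidden
 RewriteRule ^(.*)$ - [R=403,L]
</IfModule>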



Ways to Secure Websites against Brute Force Attacks

  • Have strong login credentials.
  • Strong passwords and complex usernames.
  • Provide emails instead of usernames.
  • Don’t use the admin username for creating new accounts.
  • Use plugins to limit the number of login attempts.
  • Two-factor authentication for wp-admin.
  • Protect your server.
  • Password protect wp-admin or wp-login.php.
  • Limit access to wp-admin based on IP.
  • Deny access to requests with no referrer.
  • Use block lists.
  • Allow login only from certain IP addresses.



  • It’s actually an XML-RPC attack
  • It’s possible to block access to xmlrpc.php in .htaccess or in your Nginx virtual host.
  • If CloudFlare is used, you can create a page rule forcing DDoS protection for xmlrpc.php and wp-login.php.


Using .htaccess to block brute force

Code 2 :

 # Block WordPress xmlrpc.php requests
 <Files xmlrpc.php>
   # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
   order deny,allow
   deny from all
 </Files>



# Disable XMLRPC with mu-plugin


# You can do this with .htaccess, then add Move Login



  • To make sure, check the access logs.
  • If you are not using XML-RPC at all, you can block access to it with .htaccess.
  • Some plugins may use XML-RPC without your knowledge.
  • So check that the site still works properly after blocking it.
  • Partial access can still be allowed while blocking attacks by using the ‘xmlrpc_enabled’ or ‘xmlrpc_methods’ filters. ‘xmlrpc_enabled’ disables anything requiring authentication when a filter callback returns false. ‘xmlrpc_methods’ allows you to stop specific methods from being used.
  • If you’re referring to the Sucuri plugin, that won’t block brute force attacks. It’s more for helping you to close common vulnerable areas, scanning for malware, and informing you of intrusions. You’ll need to be a member of Sucuri’s paid CloudProxy service to get brute force protection from them.
  • Brute force attacks are a fact of the web, just like comment spam. They’re all carried out by bots that look for wp-login.php and xmlrpc.php, and try common usernames/passwords. If your plan is to manually block by IP, you’ll wind up doing that far more than blogging.
  • If you’re already using the Jetpack plugin, switch on the Protect module, which blocks brute force attacks.
  • Or try Limit Login Attempts, which does the same, and despite its age still works great.
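
The first indication listed earlier, many login attempts, is the one you can confirm from the access logs. The Python script below is an added example, not part of the original article: it counts POST requests to wp-login.php and xmlrpc.php per client IP in Apache combined-format log lines and records how many arrived without a referrer. The log lines, IP addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client IP, request line, status, size, referrer, agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints named in the article

def make_line(ip, sec, method, path, referer):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 3120 "{referer}" "Mozilla/5.0"')

# Constructed sample: two noisy clients and one ordinary login (documentation IPs).
SAMPLE_LOG = (
    [make_line("198.51.100.7", s, "POST", "/wp-login.php", "-") for s in range(8)]
    + [make_line("203.0.113.9", s, "POST", "/xmlrpc.php", "-") for s in range(6)]
    + [make_line("192.0.2.44", 30, "GET", "/wp-login.php", "-"),
       make_line("192.0.2.44", 31, "POST", "/wp-login.php", "https://example.com/wp-login.php")]
)

def summarize(lines):
    """Count POSTs to the login endpoints per client IP, and how many had no referrer."""
    stats = defaultdict(lambda: {"posts": 0, "no_referer": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a GET that only displays the form
        if not m["path"].split("?", 1)[0].endswith(LOGIN_PATHS):
            continue
        entry = stats[m["ip"]]
        entry["posts"] += 1
        if m["referer"] in ("", "-"):
            entry["no_referer"] += 1
    return dict(stats)

def suspects(lines, threshold=5):
    """Return the IPs with at least `threshold` login POSTs (threshold is an assumption)."""
    return sorted(ip for ip, s in summarize(lines).items() if s["posts"] >= threshold)

if __name__ == "__main__":
    for ip in suspects(SAMPLE_LOG):
        print(ip, summarize(SAMPLE_LOG)[ip])
```

To use it on a real site, pass the lines of your own access log to suspects() and pick a threshold that fits your normal login traffic.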


I hope this article helps you in some way!
