WordPress brute force attacks – do you need to worry?
Brute force attacks are one of the most common threats facing WordPress sites. If your WordPress security plugin has been flagging these attempts, you’re not alone — and the good news is that the risk is very manageable with the right precautions in place.
What is a brute force attack?
A brute force attack is when an automated bot repeatedly tries username and password combinations against your WordPress login page, hoping to stumble onto the right credentials. These bots operate at scale, hammering thousands of sites simultaneously — your site isn’t being singled out; it’s simply being swept up in a constant, internet-wide campaign.
Common targets include the standard /wp-login.php and xmlrpc.php endpoints. The attacks are largely opportunistic and are carried out by automated tools rather than human hackers.
We already have protection in place
Our infrastructure-level protections include:
- Rate limiting — repeated failed login attempts from the same IP are throttled and blocked automatically.
- IP reputation filtering — known malicious IPs are blocked at the network edge before reaching your site.
- Firewall rules — suspicious traffic patterns targeting WordPress login endpoints are intercepted and dropped.
Why is my security plugin still showing alerts?
Even with server-level protection, your WordPress security plugin may still log and alert you to attempted logins. This is completely normal. Security plugins operate at the application layer and will often catch and report attempts that slip through early filtering, or that originate from distributed sources (many different IPs, each making just a few attempts) — a pattern that per-IP rate limiting is not designed to stop, because no single address ever crosses the threshold.
Brute force attempts are an everyday occurrence across the web. The WordPress platform powers over 40% of all websites, making it a constant target. Receiving these alerts is the norm, not the exception.
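To make the two patterns above concrete, here is an added example (not part of this article or any plugin) that counts login POSTs to /wp-login.php and /xmlrpc.php per client IP in a web-server access log and labels a single-IP burst versus a distributed sweep. The log lines and the thresholds are constructed for illustration; the combined log format and the RFC 5737 documentation addresses are assumptions.

```python
"""Classify WordPress login attempts in an access log: a single-source burst
(what per-IP rate limiting stops) versus a distributed sweep, where many IPs
each try a few times and usually only the application-layer plugin notices."""
import re
from collections import Counter
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")
# client IP ... [timestamp] "METHOD /path HTTP/x" status   (combined log format)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.10 - - [10/May/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.10 - - [10/May/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.10 - - [10/May/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 429 0
198.51.100.7 - - [10/May/2024:12:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.8 - - [10/May/2024:12:09:40 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.9 - - [10/May/2024:12:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.21 - - [10/May/2024:12:20:55 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5120
192.0.2.22 - - [10/May/2024:12:26:18 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.23 - - [10/May/2024:12:31:47 +0000] "GET /index.php HTTP/1.1" 200 8800
192.0.2.23 - - [10/May/2024:12:31:49 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
"""

def parse_attempts(log_text):
    """Count POST requests to the login endpoints per client IP; page views
    (GET) and requests for other paths are ignored."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] in LOGIN_ENDPOINTS:
            attempts[ip] += 1
    return attempts

def classify(attempts, burst_threshold=5, distributed_min_ips=5):
    """'burst_ips' reach the per-IP threshold; 'distributed' means many IPs stay under it."""
    burst = sorted(ip for ip, n in attempts.items() if n >= burst_threshold)
    low_volume = [ip for ip, n in attempts.items() if n < burst_threshold]
    return {"burst_ips": burst,
            "low_volume_ips": len(low_volume),
            "distributed": len(low_volume) >= distributed_min_ips}

if __name__ == "__main__":
    print(classify(parse_attempts(SAMPLE_LOG)))
```

On the sample log the single IP 203.0.113.10 is flagged as a burst, while the six other addresses with one attempt each add up to a distributed sweep that the plugin would report.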
Keeping your risk extremely low
While no protection is 100% foolproof, two measures dramatically reduce the risk of a brute force attack ever succeeding:
- Use a strong, unique password — a long, randomly generated password makes guessing essentially impossible. A password manager can help you create and store one securely.
- Enable Two-Factor Authentication (2FA) — even if an attacker somehow obtained your password, 2FA means they still can’t log in without your second factor (such as a one-time code from an authenticator app).
Recommended 2FA plugins for WordPress
The following free, open-source plugins are community-maintained and widely trusted for adding two-factor authentication to your WordPress site:
- Two Factor (by WordPress.org contributors) — the official community plugin for 2FA, maintained by WordPress core contributors. Supports TOTP (Google Authenticator, Authy, etc.), email codes, FIDO U2F security keys, and backup codes. Lightweight, no upsells, and fully open source.
- WP 2FA (by Melapress) — a user-friendly 2FA plugin with a setup wizard that makes it easy to roll out to all users on your site. Supports TOTP authenticator apps and email-based codes on the free tier. Well-documented and actively maintained.