{"id":1013,"date":"2026-03-27T08:44:04","date_gmt":"2026-03-27T08:44:04","guid":{"rendered":"https:\/\/www.jolt.co.uk\/help\/wordpress-brute-force-attacks-do-you-need-to-worry\/"},"modified":"2026-03-27T08:44:54","modified_gmt":"2026-03-27T08:44:54","slug":"wordpress-brute-force-attacks-do-you-need-to-worry","status":"publish","type":"post","link":"https:\/\/www.jolt.co.uk\/help\/wordpress-brute-force-attacks-do-you-need-to-worry\/","title":{"rendered":"WordPress brute force attacks \u2013 do you need to worry?"},"content":{"rendered":"\n<p>Brute force attacks are one of the most common threats facing WordPress sites. If your WordPress security plugin has been flagging these attempts, you&#8217;re not alone \u2014 and the good news is that the risk is very manageable with the right precautions in place.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is a brute force attack?<\/h2>\n\n\n\n<p>A brute force attack is when an automated bot repeatedly tries username and password combinations against your WordPress login page, hoping to stumble onto the right credentials. These bots operate at scale, hammering thousands of sites simultaneously \u2014 your site isn&#8217;t being singled out; it&#8217;s simply being swept up in a constant, internet-wide campaign.<\/p>\n\n\n\n<p>Common targets include the standard <code>\/wp-login.php<\/code> and <code>xmlrpc.php<\/code> endpoints. The attacks are largely opportunistic and are carried out by automated tools rather than human hackers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">We already have protection in place<\/h2>\n\n\n\n<p class=\"banner-note\">\ud83d\udca1 All of our hosting services include brute force protection at the server level. This means the vast majority of malicious login attempts are blocked before they even reach your WordPress site.<\/p>\n\n\n\n<p>Our infrastructure-level protections include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rate limiting<\/strong> \u2014 repeated failed login attempts from the same IP are throttled and blocked automatically.<\/li>\n\n\n\n<li><strong>IP reputation filtering<\/strong> \u2014 known malicious IPs are blocked at the network edge before reaching your site.<\/li>\n\n\n\n<li><strong>Firewall rules<\/strong> \u2014 suspicious traffic patterns targeting WordPress login endpoints are intercepted and dropped.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why is my security plugin still showing alerts?<\/h2>\n\n\n\n<p>Even with server-level protection, your WordPress security plugin may still log and alert you to attempted logins. This is completely normal. Security plugins operate at the application layer and will often catch and report attempts that slip through early filtering, or that originate from distributed sources (many different IPs, each making just a few attempts).<\/p>\n\n\n\n<p class=\"banner-tip\">\ud83d\udc49 Seeing brute force alerts in your security plugin is a sign that your defences are <em>working<\/em> \u2014 not that your site has been compromised. Blocked attempts mean the system is doing its job.<\/p>\n\n\n\n<p>Brute force attempts are an everyday occurrence across the web. The WordPress platform powers over 40% of all websites, making it a constant target. Receiving these alerts is the norm, not the exception.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Keeping your risk extremely low<\/h2>\n\n\n\n<p>While no protection is 100% foolproof, two measures dramatically reduce the risk of a brute force attack ever succeeding:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use a strong, unique password<\/strong> \u2014 a long, randomly generated password makes guessing essentially impossible. A password manager can help you create and store one securely.<\/li>\n\n\n\n<li><strong>Enable Two-Factor Authentication (2FA)<\/strong> \u2014 even if an attacker somehow obtained your password, 2FA means they still can&#8217;t log in without your second factor (such as a one-time code from an authenticator app).<\/li>\n<\/ul>\n\n\n\n<p class=\"banner-warning\">\u26a0\ufe0f <strong>Focus on successful logins, not failed ones.<\/strong> Failed login attempts are routine noise \u2014 they should be monitored, but not cause for alarm. What matters is being alerted about <em>successful<\/em> logins you don&#8217;t recognise. Configure your security plugin to prioritise notifications for successful authentications so you can act quickly if a real breach occurs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommended 2FA plugins for WordPress<\/h2>\n\n\n\n<p>The following free, open-source plugins are community-maintained and widely trusted for adding two-factor authentication to your WordPress site:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/wordpress.org\/plugins\/two-factor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Two Factor<\/a><\/strong> (by WordPress.org contributors) \u2014 the official community plugin for 2FA, maintained by WordPress core contributors. Supports TOTP (Google Authenticator, Authy, etc.), email codes, FIDO U2F security keys, and backup codes. Lightweight, no upsells, and fully open source.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/wordpress.org\/plugins\/wp-2fa\/\" target=\"_blank\" rel=\"noreferrer noopener\">WP 2FA<\/a><\/strong> (by Melapress) \u2014 a user-friendly 2FA plugin with a setup wizard that makes it easy to roll out to all users on your site. Supports TOTP authenticator apps and email-based codes on the free tier. Well-documented and actively maintained.<\/li>\n<\/ul>\n\n\n\n<p class=\"banner-note\">\ud83d\udca1 Both plugins are free, available directly from the WordPress.org plugin directory, and require no paid subscription to use the core 2FA functionality.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brute force attacks are one of the most common threats facing WordPress sites. If your WordPress security plugin has been flagging these attempts, you&#8217;re not alone \u2014 and the good news is that the risk is very manageable with the right precautions in place. What is a brute force attack?&hellip;<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,18],"tags":[],"class_list":["post-1013","post","type-post","status-publish","format-standard","hentry","category-security","category-wordpress"],"_links":{"self":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts\/1013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/comments?post=1013"}],"version-history":[{"count":1,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts\/1013\/revisions"}],"predecessor-version":[{"id":1014,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts\/1013\/revisions\/1014"}],"wp:attachment":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/media?parent=1013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/categories?post=1013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/tags?post=1013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}