If you run a WordPress website, there is almost certainly an automated bot somewhere in the world trying to log into it right now. That is not alarmism — it is a statistical certainty. WordPress powers an estimated 43% of all websites, which makes /wp-login.php one of the most targeted URLs on the entire internet.
What Is a WordPress Brute Force Attack?
A brute force attack on your WordPress login is exactly what it sounds like: an automated tool repeatedly attempts to log in to your site, cycling through common usernames (admin, administrator, your business name) and passwords from lists of frequently used or previously leaked credentials.
A related technique, credential stuffing, skips the guessing: the attacker replays username and password pairs leaked from breaches of other sites. If you or any of your users have ever reused a password on a site that was later breached, and statistically most people have, that pair may already be on one of these lists.
Brute force bots do not need to be fast to be effective. Even at a few attempts per minute, they can cycle through thousands of common passwords over hours or days without triggering basic defences, and when the attempts are spread across many IP addresses, a per-IP lockout may never see more than one or two failures from any single source.
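The quickest way to see whether this is happening to you is to look at the web server's own access log. The script below is an added example written for this post (it is not W3IT's code or part of any plugin) that counts POSTs to /wp-login.php and /xmlrpc.php per client IP over Apache or nginx combined-format lines. It uses one detail worth knowing: a failed login makes WordPress re-render the form with HTTP 200, while a successful one answers with a 302 redirect to /wp-admin/, so a run of 200s followed by a 302 from the same address is the signature of a guessing run that worked. The sample log lines, the threshold of five failures and the script name are all constructed for the example.

```php
<?php
// Added example, not code from the original post: triage an access log for password
// guessing against wp-login.php and xmlrpc.php.
// Usage: php login-triage.php /var/log/nginx/access.log   (combined log format assumed)
// With no argument it runs on the constructed sample below.

define('FAIL_THRESHOLD', 5);   // failed logins per IP that we treat as an attack (assumed value)

// Constructed sample (RFC 5737 documentation addresses). 203.0.113.10 guesses slowly, one
// attempt every few minutes, and finally gets a 302, i.e. a password worked. 198.51.100.7
// hammers xmlrpc.php instead. 192.0.2.44 is a legitimate user logging in once.
define('SAMPLE_LOG', <<<'LOG'
203.0.113.10 - - [10/Mar/2024:02:11:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:13:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:16:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:19:22 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:22:51 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:25:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:02:12:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:02:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:02:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:02:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:02:12:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:02:12:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:14:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:02:14:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "https://example.com/wp-login.php" "Mozilla/5.0"
LOG);

// Split one combined-format line into the fields we need; null for anything that does not parse.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return [
        'ip'     => $m[1],
        'ts'     => $ts ? $ts->getTimestamp() : 0,
        'method' => $m[3],
        'path'   => strtok($m[4], '?'),   // drop query strings such as ?action=lostpassword
        'status' => (int) $m[5],
    ];
}

// Per-IP counts of login failures, login successes and xmlrpc.php POSTs, plus the time span.
function summarise(string $log): array
{
    $per_ip = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        $ip = $r['ip'];
        if (!isset($per_ip[$ip])) {
            $per_ip[$ip] = ['login_fail' => 0, 'login_ok' => 0, 'xmlrpc' => 0, 'first' => $r['ts'], 'last' => $r['ts']];
        }
        $per_ip[$ip]['first'] = min($per_ip[$ip]['first'], $r['ts']);
        $per_ip[$ip]['last']  = max($per_ip[$ip]['last'], $r['ts']);
        if ($r['path'] === '/wp-login.php') {
            // 200: form re-rendered with an error. 302: redirect to wp-admin after success.
            $per_ip[$ip][$r['status'] === 302 ? 'login_ok' : 'login_fail']++;
        } elseif ($r['path'] === '/xmlrpc.php') {
            $per_ip[$ip]['xmlrpc']++;   // request bodies (e.g. system.multicall) are not logged
        }
    }
    return $per_ip;
}

// Turn the counts into findings; the rate shows why a per-minute limit alone is not enough.
function findings(array $per_ip, int $threshold = FAIL_THRESHOLD): array
{
    $out = [];
    foreach ($per_ip as $ip => $s) {
        $minutes = max(1, ($s['last'] - $s['first']) / 60);
        if ($s['login_fail'] >= $threshold) {
            $rate = round($s['login_fail'] / $minutes, 2);
            $msg  = "$ip: {$s['login_fail']} failed logins over " . round($minutes) . " min ({$rate}/min)";
            if ($s['login_ok'] > 0) {
                $msg .= " followed by a SUCCESSFUL login: treat the site as compromised";
            }
            $out[] = $msg;
        }
        if ($s['xmlrpc'] >= $threshold) {
            $out[] = "$ip: {$s['xmlrpc']} POSTs to xmlrpc.php (each multicall can carry hundreds of guesses)";
        }
    }
    return $out;
}

$log = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOG;
foreach (findings(summarise($log)) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample data this reports 203.0.113.10 with five failures over about fourteen minutes (roughly 0.35 per minute, comfortably under any naive per-minute limit) followed by a successful login, and 198.51.100.7 for six xmlrpc.php POSTs. On a real log, run it against the whole day rather than a short window, since the slow attacker is exactly the one a short window misses.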
What Happens If a Bot Gets In?
A successful login to your WordPress admin panel gives an attacker full access to your site:
Full website control. Installing a plugin or editing a theme file through the admin panel means running arbitrary PHP on your server, so they can create backdoors that survive a later password reset, and redirect visitors to phishing or malware sites.
Access to customer data. If your site stores customer email addresses, order history, contact form submissions, or any other personal data, it is all accessible through the admin panel.
A platform for further attacks. Compromised WordPress sites are routinely used to send phishing emails, host malware, and participate in DDoS attacks against other websites — using your hosting resources and damaging your domain’s reputation.
SEO destruction. Attackers often inject spam links or redirect your pages to unrelated sites. Google may blacklist your domain, destroying years of SEO work. Google’s Safe Browsing list blacklists approximately 10,000 websites per day, and WordPress compromises are a significant contributor.
The Scale of the Problem
Wordfence, a leading WordPress security company, operates a firewall across millions of WordPress sites. Their 2023 threat report documented billions of malicious login attempts blocked each month. In 2021, a coordinated campaign targeted over 1.6 million WordPress sites in a single day.
The XML-RPC endpoint (/xmlrpc.php) is a related risk: it accepts login credentials independently of your main login page, and its system.multicall method lets a single HTTP request carry hundreds of username and password guesses, so protections that only watch the login page often never see them. If you have not addressed it, see our post on WordPress XML-RPC attacks.
Eight Steps to Protect Your WordPress Login
The good news is that WordPress login security is well understood and the defences are straightforward:
1. Change the default admin username. Never use admin. Create a new administrator account with a non-obvious username, then delete the original (reassigning its posts to the new account). Bear in mind that WordPress reveals usernames by default: /?author=1 redirects to the author archive for user ID 1, and the REST API lists accounts at /wp-json/wp/v2/users. Block those lookups too, or the bot will simply ask the site for the name.
2. Use a strong, unique password. A randomly generated 20-character password cannot be guessed by online brute force, and because it is unique it is not on any credential stuffing list either. Use a password manager, and apply this to every account on the site, not just your own.
3. Enable Two-Factor Authentication (2FA). Even if an attacker has your password, they cannot log in without the second factor. Plugins like WP 2FA or the 2FA feature in Wordfence add this in minutes.
4. Limit login attempts. Configure your platform to lock out IP addresses after a small number of failed attempts. Wordfence, Solid Security, and Loginizer all do this. Even five failed attempts before a temporary lockout dramatically slows attacks from a single source. Against attacks spread across many IP addresses, a per-IP counter is not enough on its own, so prefer a plugin that can also lock a username after repeated failures and that counts failures arriving via XML-RPC as well as the login page.
5. Change your login URL. Move /wp-login.php to a custom path using a plugin like WPS Hide Login. This shakes off the bulk of automated bots that only try the default path, but it is obscurity rather than protection: the new path leaks easily (links, redirects, the plugin's own fingerprint), and it does nothing for XML-RPC or the REST API. Treat it as a noise reducer alongside steps 3 and 4, not a substitute for them.
6. Use a Web Application Firewall (WAF). Cloudflare’s free tier provides significant protection, and Wordfence includes a WAF in its free plugin. A WAF blocks known malicious IP addresses and can rate-limit the login page before requests reach WordPress at all. If you use a cloud WAF such as Cloudflare, also restrict your origin server to accept traffic only from the WAF’s IP ranges; otherwise a bot that knows your server’s real address can go around it.
7. Keep everything updated. WordPress core, themes, and plugins should always run the latest versions. A significant proportion of WordPress compromises exploit known vulnerabilities in outdated plugins.
8. Disable XML-RPC if you do not use it. This is a separate API endpoint that also accepts login credentials and can bypass your login-page protections. Jetpack and the WordPress mobile apps do rely on it, so check before you block; if nothing needs it, block /xmlrpc.php at the web server or WAF rather than only inside WordPress, so the request is never processed at all. See our dedicated post on WordPress XML-RPC security.
None of these measures requires technical expertise. Most can be completed in under an hour via the WordPress admin panel using free plugins.
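For readers who would rather not add another plugin, the same controls can be expressed in a few dozen lines of PHP. The must-use plugin below is an added example written for this post, not W3IT's code and not any of the plugins named above; it implements the lockout of step 4, the XML-RPC shutdown of step 8 (the endpoint discussed in the section on the scale of the problem), and the username-enumeration blocking that step 1 depends on. The file location wp-content/mu-plugins/login-hardening.php, the five-failure threshold, the fifteen-minute window and the transient and error names are all assumptions chosen for the example; every WordPress hook and function it calls is a real one.

```php
<?php
/**
 * Plugin Name: Login hardening (example)
 * Description: Added example, not from the original post: per-IP lockout after failed logins,
 *              XML-RPC disabled, username enumeration blocked.
 *              Assumed path: wp-content/mu-plugins/login-hardening.php (mu-plugins need no activation).
 */

// Assumed settings for the example; tune them for your site.
define( 'LH_MAX_FAILURES', 5 );                      // failures before lockout (step 4)
define( 'LH_WINDOW', 15 * MINUTE_IN_SECONDS );      // counting window, which is also the lockout length

function lh_client_ip() {
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled; if you sit behind Cloudflare
    // or another proxy, have the web server rewrite REMOTE_ADDR for the proxy's IP ranges instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_counter_key( $ip ) {
    return 'lh_failures_' . md5( $ip );   // transient name, assumed prefix
}

// Step 4: count failed logins per IP in a transient, which persists across requests and expires
// by itself. wp_login_failed fires for wp-login.php, XML-RPC and application-password logins alike.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lh_counter_key( lh_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, LH_WINDOW );
} );

// Refuse authentication, even with the correct password, while the IP is locked out.
// Priority 30 runs after WordPress's own username/password checks at priority 20, so the
// lockout wins; each refused attempt also fires wp_login_failed, extending the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lh_counter_key( lh_client_ip() ) ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter once a login succeeds.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lh_counter_key( lh_client_ip() ) );
}, 10, 2 );

// Step 8: every authenticated XML-RPC method now returns an error, so system.multicall
// credential guessing gets nowhere. Unauthenticated pingback.ping still answers, which is why
// blocking /xmlrpc.php at the web server or WAF is the complete fix when nothing needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Step 1 caveat: renaming "admin" only helps if usernames cannot be looked up.
// /?author=N normally redirects to /author/<username>/; send it to the home page instead.
add_action( 'template_redirect', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// ... and /wp-json/wp/v2/users lists accounts to anonymous callers; remove it for them.
// Logged-in users keep the routes, which the block editor needs for author selection.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

Two things to check after installing it: from a machine that is not your own, confirm that the sixth wrong password on /wp-login.php is refused with the lockout message and that /?author=1 and /wp-json/wp/v2/users no longer reveal a username; and if the site sits behind a proxy or cloud WAF, confirm that REMOTE_ADDR shows the visitor's address rather than the proxy's, because otherwise the lockout will trip for every visitor at once.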
W3IT’s free security check tests whether your WordPress login page is exposed and whether XML-RPC is enabled, and highlights other common WordPress security issues. Run it now — the bots are not waiting.