How to Protect WordPress from Brute Force Attacks

1. The Edge Defense: Cloudflare WAF

The most efficient way to stop a brute force attack is to ensure the request never even reaches your VPS. This only works if the VPS accepts web traffic solely from Cloudflare's IP ranges (firewall everything else); a bot that discovers the origin address otherwise walks straight past the WAF.

  • Rate Limiting: Create a Cloudflare rate limiting rule that matches POST requests to /wp-login.php (add /xmlrpc.php to the same rule) and blocks or challenges any client IP that exceeds a threshold such as 5 requests per minute. Matching on POST rather than on every request keeps ordinary page loads of the form from counting against a real user.
  • Turnstile/JS Challenge: Apply a JS Challenge or Managed Challenge action to the login path so a headless script has to execute the challenge before it is ever served the form; Turnstile can additionally be embedded in the form itself. Legitimate browsers pass without interaction.

2. Server-Level Banning: Fail2Ban

If an attacker gets past the edge, your server must act as the bouncer. Fail2Ban is the standard tool for this.

  • The Logic: Fail2Ban tails your NGINX or Apache access log. A failed WordPress login is a POST to wp-login.php answered with HTTP 200 (the form is re-rendered with an error message); a successful login is answered with a 302 redirect to the dashboard, so the filter must match the 200s, not the 302s. When one IP produces more matching lines than the jail's maxretry within its findtime, Fail2Ban adds a rule to the host firewall (iptables or nftables) that rejects or drops further packets from that address for the configured bantime.
  • Benefit: The rule lives in the kernel's netfilter, so a banned bot's SYN packets are discarded before a TCP connection is ever completed; NGINX and PHP never see the traffic.
  • Caveat: If the site sits behind Cloudflare, the access log must record the real client address (for NGINX, the real_ip module reading CF-Connecting-IP) rather than the Cloudflare edge address, or you will end up banning Cloudflare's own proxies.
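As an added example of the filter logic described above (this is illustrative code, not part of the original post or of Fail2Ban itself), the script below applies the same failregex you would put in a Fail2Ban filter to a handful of constructed NGINX access-log lines, counts POSTs to wp-login.php that received a 200 within a findtime window, and reports the addresses that crossed maxretry. The log lines, addresses, thresholds and the 12:00 timestamps are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed NGINX "combined" access-log lines (not real traffic). 203.0.113.7 is a
# password-guessing script; 198.51.100.23 is a real user who loads the form (GET 200)
# and then logs in successfully (POST 302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jun/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
"""

# Same pattern as a Fail2Ban filter.d entry, with <HOST> spelled out as a named group:
#   failregex = ^<HOST> .* "POST /wp-login\.php[^"]*" 200
# A 302 on the same POST is a successful login and deliberately does not match.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" 200 '
)


def parse_failures(log_text):
    """Yield (ip, timestamp) for every log line that looks like a failed login."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield m["host"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window count per IP, like a Fail2Ban jail with maxretry/findtime.
    Returns {ip: time_of_ban} for addresses that reached maxretry failures within
    findtime. Fail2Ban would then run the jail's banaction (an iptables or nftables
    rule) for each of these addresses."""
    recent = defaultdict(deque)
    banned = {}
    for ip, ts in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

Note that the real user never matches: the GET is not a POST, and the successful POST returned 302. Raise maxretry or shrink findtime and the scripted client also stays under the threshold, which is the tuning trade-off a jail always carries.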

3. Move the Entry Point

Bots are programmed to look for wp-login.php and wp-admin. Changing the login slug removes the vast majority of that automated noise, because the scanners never find a form to post to.

  • The Fix: Use a lightweight plugin or a custom hook to serve the login form from a unique path (e.g., /shf-portal) and to return a 404 for the original wp-login.php and wp-admin paths to anyone who is not already logged in; without that second part the rename is cosmetic.
  • Note: This is "security by obscurity". It does nothing against an attacker who learns the new slug, and it does not cover xmlrpc.php or the REST API, but it drastically reduces the load on your server from failed login attempts.

4. Disable XML-RPC

XML-RPC exposes system.multicall, which lets a client bundle many method calls, each carrying a username and password, into a single HTTP request, so an attacker can submit hundreds of guesses per request. Because none of them pass through wp-login.php, plugins that count form submissions never see them. Since WordPress 4.4, core stops checking credentials after the first failure inside a multicall, which blunts the amplification on a current install, but xmlrpc.php remains a cheap guessing endpoint that bypasses form-based limiting.

  • The Fix: If you aren't using Jetpack or another client that needs it, disable XML-RPC entirely.
  • Code Snippet: add_filter( 'xmlrpc_enabled', '__return_false' ); (place it in a must-use plugin or your theme's functions.php). The filter makes WordPress refuse the XML-RPC methods, but each request still reaches PHP; to remove the load as well, deny access to xmlrpc.php in your NGINX or Apache configuration.
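To show what the multicall amplification looks like on the wire, here is an added example (illustrative code, not from the original post or from WordPress) that parses an XML-RPC request body and lists every username/password pair WordPress would be asked to check. The same logic could run in a reverse proxy or WAF to refuse any body that carries more than one credential pair. The request bodies, the admin username and the passwords are constructed for the example; the parameter layout (wp.getUsersBlogs takes username and password, other wp.* methods take blog_id, username, password) follows the WordPress XML-RPC API.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for attacker-controlled bodies


def scalar(value_el):
    """Text of an XML-RPC <value>: <value><string>x</string></value> or a bare <value>x</value>."""
    child = next(iter(value_el), None)
    return ((value_el.text if child is None else child.text) or "").strip()


def credentials(method, param_values):
    """Map a WordPress XML-RPC call's positional params to (username, password).
    wp.getUsersBlogs takes (username, password); the other wp.* methods take
    (blog_id, username, password). Calls without credentials return None."""
    params = [scalar(v) for v in param_values]
    if method == "wp.getUsersBlogs" and len(params) >= 2:
        return params[0], params[1]
    if method.startswith("wp.") and len(params) >= 3:
        return params[1], params[2]
    return None


def login_attempts(body):
    """Return every (username, password) pair the request body would make WordPress check."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    top_params = root.findall("./params/param/value")
    if method != "system.multicall":
        cred = credentials(method, top_params)
        return [cred] if cred else []
    attempts = []
    # system.multicall: the single param is an <array> of <struct>{methodName, params}
    for call in root.findall("./params/param/value/array/data/value/struct"):
        inner_method, inner_params = "", []
        for member in call.findall("member"):
            name = (member.findtext("name") or "").strip()
            value = member.find("value")
            if name == "methodName":
                inner_method = scalar(value)
            elif name == "params":
                inner_params = value.findall("./array/data/value")
        cred = credentials(inner_method, inner_params)
        if cred:
            attempts.append(cred)
    return attempts


def should_block(body, max_attempts=1):
    """Policy a WAF or reverse proxy could enforce: at most one credential check per request."""
    return len(login_attempts(body)) > max_attempts


# Constructed request bodies for the example (no real credentials).
SINGLE_CALL = """<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>admin</string></value></param>
<param><value><string>hunter2</string></value></param></params></methodCall>"""


def build_multicall(passwords):
    """Build the system.multicall body a guessing tool would send: one wp.getUsersBlogs
    call per password, all inside one HTTP request."""
    entries = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>admin</string></value><value><string>{pw}</string></value>"
        "</data></array></value></member></struct></value>"
        for pw in passwords
    )
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            f"<params><param><value><array><data>{entries}</data></array></value></param>"
            "</params></methodCall>")


MULTICALL = build_multicall(["password1", "admin123", "letmein"])

if __name__ == "__main__":
    print(len(login_attempts(SINGLE_CALL)), "credential pair in the plain call")
    print(len(login_attempts(MULTICALL)), "credential pairs in one multicall; block:", should_block(MULTICALL))
```

A form-based limiter counts HTTP requests; this parser counts credential pairs, which is the unit that matters for xmlrpc.php. If you keep XML-RPC for Jetpack, refusing multicall bodies that carry more than one credential pair is the narrowest rule that removes the amplification.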

5. Application-Level: Limit Login Attempts

As a final safety net, use a limit login attempts mechanism.

  • User Lockdown: After 3 failed attempts, lock the specific username for 24 hours. Keying the lock on the username rather than on the IP address is what stops "distributed" brute force, where a botnet spreads its guesses across many IPs to stay under per-IP limits. The trade-off is that anyone who knows the username can lock the real owner out for a day, so avoid obvious admin usernames and treat 2FA as the primary control.
  • 2FA (Two-Factor Authentication): For all admin accounts, enforce 2FA (TOTP). Even an attacker who guesses the password cannot complete the login without the second factor. 2FA protects the interactive login form; XML-RPC authentication does not pass through it, which is one more reason to disable XML-RPC.
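To make the per-username versus per-IP distinction concrete, here is an added example (illustrative code, not part of the original post or of any plugin) that runs both policies against a constructed botnet: ten addresses each send one wrong password for the admin account, one second apart. The threshold (3 failures), the 24-hour lockout, the addresses and the timestamps are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class LoginLimiter:
    """Counts failed logins per key and refuses further attempts while the key is locked.
    key_by="username" is the policy the text recommends; key_by="ip" is the per-IP
    variant that a distributed botnet slips past."""

    def __init__(self, key_by="username", max_failures=3, lockout=timedelta(hours=24)):
        self.key_by = key_by
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> datetime the lock expires

    def _key(self, username, ip):
        return username.lower() if self.key_by == "username" else ip

    def is_locked(self, username, ip, now):
        """Check before the password is verified, so a locked key costs no CPU."""
        until = self.locked_until.get(self._key(username, ip))
        return until is not None and now < until

    def record(self, username, ip, success, now):
        """Record the outcome of a password check. Returns True if the key is now locked."""
        key = self._key(username, ip)
        if self.is_locked(username, ip, now):
            return True
        if success:
            self.failures.pop(key, None)    # a real login clears the counter
            return False
        window = [t for t in self.failures[key] if now - t < self.lockout] + [now]
        self.failures[key] = window
        if len(window) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            return True
        return False


def simulate_botnet(key_by, guesses=10):
    """Constructed scenario: `guesses` distinct addresses each send one wrong password
    for 'admin', one second apart. Returns how many passwords were actually checked."""
    limiter = LoginLimiter(key_by=key_by)
    t0 = datetime(2024, 6, 10, 12, 0, 0)
    checked = 0
    for i in range(guesses):
        ip, now = f"203.0.113.{i + 1}", t0 + timedelta(seconds=i)
        if limiter.is_locked("admin", ip, now):
            continue                        # refused before the password would be checked
        checked += 1
        limiter.record("admin", ip, success=False, now=now)
    return checked


def simulate_lockout_expiry():
    """Three failures for 'Admin' from one address lock 'admin' for every address, and
    the lock lifts once 24 hours have passed. Returns (locked_right_after, locked_next_day)."""
    limiter = LoginLimiter()
    t0 = datetime(2024, 6, 10, 12, 0, 0)
    for i in range(3):
        limiter.record("Admin", "198.51.100.1", success=False, now=t0 + timedelta(seconds=i))
    return (limiter.is_locked("admin", "192.0.2.9", t0 + timedelta(seconds=5)),
            limiter.is_locked("admin", "192.0.2.9", t0 + timedelta(hours=24, seconds=3)))


if __name__ == "__main__":
    print("per-IP limiter checked", simulate_botnet("ip"), "guesses")              # 10: never locks
    print("per-username limiter checked", simulate_botnet("username"), "guesses")  # 3: locks after the third
    print("locked right after / next day:", simulate_lockout_expiry())             # (True, False)
```

The per-IP limiter never trips because each address fails only once; the per-username limiter lets exactly three passwords be checked. The expiry simulation also shows the cost: once "admin" is locked, the legitimate owner is refused from any address until the lock lifts.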
