Brute-force attacks against wp-login.php are a very common issue, and
many users have been affected by them. In this scheme of attack,
the attacker brute-forces the WordPress administrative
portal, using the username “admin” and trying thousands
of passwords from whatever botnets the attacker has configured.
– In order to secure your WordPress against this attack, you might
consider the following:
* Changing the administrative username from the standard
‘admin’ to a less obvious one.
* Upgrading the password to a much stronger one,
perhaps around 10 or 12 characters.
– There are also plugins which can be used to limit the number of login attempts made on your site, or to block people from accessing
wp-admin.
–> https://wordpress.org/plugins/limit-login-attempts/
– You can also use .htaccess rules to deny connections from any
unwanted IPs and allow only yours. If you have a static IP, you can
specify it directly; if it is a dynamic one within a common range, specify
the range using a netmask.
The contents of the .htaccess file may look like:
order deny,allow
deny from all
# your own address, or a range such as x.x.x.0/24 if your IP is dynamic
allow from x.x.x.x
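As an added example (not part of the original note), the same allowlist can be scoped to wp-login.php alone, so the rest of the site stays reachable by visitors while only the login page is restricted. The address x.x.x.x and the range x.x.x.0/24 are placeholders for your own static IP or dynamic range; the IfModule test picks the right directive set for Apache 2.4 (mod_authz_core) or 2.2 (mod_access):

```apache
# Added example, not from the original note. Restricts only the login page;
# replace x.x.x.x / x.x.x.0/24 (placeholders) with your own address or range.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4: each Require ip line adds one allowed address or CIDR range
        Require ip x.x.x.x
        Require ip x.x.x.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: deny everyone, then allow only the listed addresses
        Order deny,allow
        Deny from all
        Allow from x.x.x.x
        Allow from x.x.x.0/24
    </IfModule>
</Files>
```

Before relying on it, confirm from a second address (a phone on mobile data, for instance) that wp-login.php now returns 403 while the public pages still load, and keep in mind that if your own IP changes outside the listed range you will lock yourself out until you edit the file via FTP/SFTP or hosting control panel.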
– You can also use mod_security if it is enabled in your Apache configuration.
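As an added example of what such a mod_security (ModSecurity 2.x) configuration can look like, not taken from the original note: the rules below count POST requests to wp-login.php per client address and reject further attempts once a threshold is passed, which stops the password-guessing loop without needing a fixed allowlist of IPs. The rule ids (1000100 to 1000102), the limit of 10 attempts and the 300-second window are assumptions to adjust for your site, and SecDataDir must be set in the main ModSecurity configuration so the per-IP collection persists between requests:

```apache
# Added example, not from the original note. ModSecurity 2.x rate limit for
# wp-login.php. Rule ids, the limit (10) and the window (300 s) are
# placeholders; SecDataDir must be configured for the ip collection to persist.

# Open (or create) the persistent collection keyed by the client address.
SecAction "id:1000100,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Count only POSTs to the login page (a GET merely renders the form).
# The counter is raised by the last rule in the chain, so it only moves
# when both conditions match, and it expires 300 s after the last increment.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:1000101,phase:2,chain,nolog,pass"
    SecRule REQUEST_METHOD "@streq POST" \
        "setvar:ip.wp_login_attempts=+1,expirevar:ip.wp_login_attempts=300"

# Past the limit, reject the request with 429 and write an audit log entry.
SecRule IP:wp_login_attempts "@gt 10" \
    "id:1000102,phase:2,deny,status:429,log,msg:'wp-login.php brute force from %{REMOTE_ADDR}'"
```

Note that this counts login attempts, not failed logins: ModSecurity only sees the response code in later phases, so the rule does not distinguish a wrong password from a correct one. A legitimate user who mistypes a few times stays well under the limit, while a botnet node sending thousands of guesses is cut off after the tenth. Check the audit log after deploying to confirm that rule 1000102 fires only for the expected addresses before tightening the limit further.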