How to stop brute-force of a site on wordpress?


Constantly trying to hack a wordpress site.
What did you do:

  • installed the Limit Login Attempts plugin, which blocks after the first incorrect login
  • renamed wp-login.php
  • blocked wp-admin folder in .htaccess: Deny from all

Anyway, reports from the plugin are constantly coming in:

1 unsuccessful authorization attempts (1 isolation (s)) from IP address:
User last attempt: admin

How to get around the absence of wp-login.php and blocking wp-admin?


  • You can use the plugin iThemes Security . In it, you can configure access only from a specific ip, ban for an incorrect login more than n times, and so on. It is very useful that you can simply change the login address from wp-admin to something of your own. However, there are many different good-quality functions, detailed articles where everything is described can be found enough.
  • You can also use the easiest way – the Clef plugin. In his settings, you can prohibit login through the password for the administrator and leave it possible to login only through the clef application on the smartphone. Even if the password from the administrator is entered correctly, it will be possible to log in only through the connected clef application on the smartphone.
  • Well, traditionally, you can simply connect the reCAPTCHA captcha. You can also find a lot of plugins that automate the process.
Scroll to Top