
How to Block Brute Force Attacks in WordPress

A brute force attack on WordPress occurs when an attacker attempts to log in to WordPress by trying a large number of common passwords.

Several services and WordPress plugins are available to help protect your site from such attacks. The plugins can be installed from the plugin repository.


Wordfence Security

Wordfence Security is one of the most popular security plugins for WordPress. It is a free security plugin that includes a firewall, virus scanning, and real-time traffic monitoring with geolocation. Along with these features, Wordfence offers protection from brute force attacks.

Protect (formerly BruteProtect)

Protect is the part of WordPress's Jetpack plugin that provides brute force attack prevention. It tracks failed login attempts across all Jetpack installations and blocks any IP address that has too many failed login attempts.


NinjaFirewall

NinjaFirewall is a free web application firewall that is installed as a plugin on WordPress. Once installed, you can configure your brute force protection from its Login Protection screen on your WordPress Dashboard.


CloudFlare

On top of its content delivery network, CloudFlare allows its free users to block visitors by IP range. Paid accounts can use its web application firewall, as well as other custom rules, to further protect against brute force attacks.
