WordPress Under Brute-Force Login Attacks
Bots are hammering your WordPress login page with password guesses, slowing or locking your site.
Common signs of this issue
- Your site is suddenly slow or briefly unavailable at random times.
- A security plugin or your host emails you about 'too many failed login attempts'.
- Logs show endless requests to wp-login.php or xmlrpc.php from many addresses.
- You get locked out by your own security plugin after failed attempts you didn't make.
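To check the log sign above on your own server, the following added example (not part of the original page) counts POST requests to wp-login.php and xmlrpc.php by source address, endpoint and minute. It assumes an Apache/nginx "combined" access log; the sample lines are constructed, and the names `summarize`, `LINE_RE` and `SAMPLE_LOG` are hypothetical.

```python
import re
from collections import Counter

# Assumed log format: Apache/nginx "combined". Adjust LINE_RE for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
LOGIN_FILES = ("wp-login.php", "xmlrpc.php")


def _line(ip, hms, method, path):
    """Build one constructed sample log line (not real traffic)."""
    return f'{ip} - - [12/Mar/2024:{hms} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'


SAMPLE_LOG = "\n".join([
    _line("203.0.113.10", "10:00:01", "POST", "/wp-login.php"),
    _line("203.0.113.10", "10:00:02", "POST", "/wp-login.php"),
    _line("203.0.113.10", "10:00:03", "POST", "/wp-login.php"),
    _line("198.51.100.7", "10:00:04", "POST", "/xmlrpc.php"),
    _line("198.51.100.8", "10:00:05", "POST", "/wp-login.php"),
    _line("192.0.2.44", "10:01:10", "POST", "/xmlrpc.php"),
    _line("192.0.2.45", "10:01:11", "GET", "/wp-login.php"),   # page view, not a guess
    _line("192.0.2.46", "10:01:12", "GET", "/blog/hello/"),    # ordinary visitor
])


def summarize(log_text, per_ip_threshold=3):
    """Count POSTs to the login endpoints by source, endpoint and minute."""
    per_ip, per_file, per_minute = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string and directory so subdirectory installs match too.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name not in LOGIN_FILES:
            continue
        per_ip[m["ip"]] += 1
        per_file[name] += 1
        per_minute[m["ts"][:17]] += 1  # key is dd/Mon/yyyy:HH:MM
    return {
        "total": sum(per_ip.values()),
        "distinct_sources": len(per_ip),
        "noisy_sources": {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold},
        "per_endpoint": dict(per_file),
        "peak_minute": per_minute.most_common(1)[0] if per_minute else None,
    }
```

A per-address threshold alone misses guessing spread across many addresses, so read `total`, `distinct_sources` and `peak_minute` together with `noisy_sources`.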
Safe checks you can do yourself
None of these require sharing passwords with anyone.
- Make sure every admin account uses a long, unique password and that there is no account literally named 'admin'.
- Turn on two-factor authentication and limit login attempts (most security plugins do both).
- Ask your host whether they offer login protection or a web application firewall — many include it free.
- Consider putting the login page behind an extra check (for example, Cloudflare) so bots never reach wp-login.php directly.
- Confirm WordPress, plugins, and themes are up to date, since attackers target known holes.
What this usually means
Constant brute-force traffic is normal background noise for WordPress sites — bots automatically try common passwords on every site they find. By itself it does not mean you are hacked, but heavy waves can slow your server, and a weak password could eventually be guessed.
The aim is to make guessing futile (strong passwords plus two-factor) and to stop the bots before they reach the login page (rate-limiting plus a firewall).
What not to do
- Don't rely on a weak or reused password and hope the attacks stop on their own.
- Don't disable security plugins to 'speed things up' during an attack.
- Don't share your admin login while troubleshooting — legitimate help does not need it up front.
When to get help
If attacks are knocking your site offline, or you suspect a login may have succeeded, get help promptly — a professional can lock down logins and confirm nothing was breached. If there are signs of an actual compromise, treat it as urgent.
Frequently asked questions
Does constant brute force mean I'm hacked?
Not on its own — it's automated background noise nearly every WordPress site sees. It becomes urgent if a login succeeds or the site shows signs of compromise.
What's the single best protection?
A long, unique password plus two-factor authentication on every admin account. That combination defeats password guessing even when the attempts never stop.