Prevent server performance issues caused by WordPress brute force attacks

25% of all CMS (content management system) based websites on the internet are running on WordPress, which in numbers translates to over 60 million websites. This makes WordPress a very sweet target for attackers and script kiddies who like to test and scan it for vulnerabilities or use various tools so they can perform brute force attacks on the dashboard login page in order to get access.

The first clue that something suspicious is happening in your environment is unusually high CPU load on your server. You can check your CPU usage history if you are using some kind of control panel, or check your access logs. Brute force attacks can last from minutes to hours, and they always cause high CPU load on the server, which can bring your website to its knees or make it totally unresponsive.

After inspecting the access logs from a website belonging to a client of mine, I’ve noticed the very usual pattern of a brute force attack on the WordPress login page:

181.165.120.195 [02/Sep/2014:18:36:17] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:19] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:32] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:33] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:34] "POST /wp-login.php HTTP/1.0" 200

This attack lasted for more than an hour, and from the access log we can see that the IP address 181.165.120.195 is sending POST requests to wp-login.php. These attacks usually come from automated tools that try to log in with the username “admin” while cycling through different password combinations. That’s why it is highly recommended to use very strong passwords and to delete or rename the WordPress “admin” account.
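As an added example that is not part of the original post, the following Python script parses access-log lines in the format shown above and flags any IP address that sends a burst of POST requests to wp-login.php within a sliding time window. The sample lines, the 10.0.0.5 address, and the threshold of five requests per minute are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same shape as the access-log excerpt above; the
# 10.0.0.5 lines are invented legitimate traffic (one GET, one successful POST).
SAMPLE_LOG = """\
181.165.120.195 [02/Sep/2014:18:36:17] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:19] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:32] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:33] "POST /wp-login.php HTTP/1.0" 200
181.165.120.195 [02/Sep/2014:18:36:34] "POST /wp-login.php HTTP/1.0" 200
10.0.0.5 [02/Sep/2014:18:36:20] "GET /wp-login.php HTTP/1.0" 200
10.0.0.5 [02/Sep/2014:18:36:25] "POST /wp-login.php HTTP/1.0" 302
"""

# ip [dd/Mon/yyyy:HH:MM:SS] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["method"], m["path"], int(m["status"]))

def find_login_bursts(log_text, threshold=5, window_seconds=60):
    """Map each IP to its peak count of POST /wp-login.php requests inside any
    sliding window of window_seconds; only IPs reaching threshold are returned."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/wp-login.php":
            posts[rec[0]].append(rec[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop timestamps that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Run it against a real access log by reading the file into `find_login_bursts`; the flagged IPs are candidates for blocking at the firewall or web server.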

You can find the usual recommendations for stopping these kinds of attacks in the WordPress Codex. They range from password protecting the wp-login page by modifying the .htaccess file, to limiting access to a single IP address, to using various security plugins. Following these recommendations can improve the security of your website, but in many cases it won’t be enough to stop the automated tools from accessing the wp-login page.

The only useful solution I found is a very simple trick which I guarantee will stop all the brute force attacks on your website.

Step 1: Access your live WordPress installation through FTP, then rename the wp-login.php file to wp-login-something.php.

Step 2: Open the renamed file in a text or code editor, search for all “wp-login.php” entries, replace them with “wp-login-something.php”, and save the file.

Step 3: Create an empty file called “wp-login.php” and save it.

That’s it. You can now access your login page by going to http://yourwebsite.com/wp-login-something.php/. When automated tools or bots try to brute force the wp-login page, they’ll hit an empty page and the server won’t respond in any way. Now no one will know your secret URL except you.