Introduction

A brute force login attack means attackers are hammering WordPress authentication with repeated password guesses, usually against /wp-login.php or the XML-RPC interface. The site may still be online, but the risk is not only nuisance traffic. The real danger is that one weak account, one reused password, or one poorly protected admin login is all the attacker needs to take over the site.

Symptoms

  • Login attempts spike in WordPress or hosting logs, typically as bursts of POST requests to /wp-login.php or /xmlrpc.php
  • Rate-limit or security tools show repeated failed logins spread across many source IPs
  • CPU use or the number of busy PHP workers rises because every POST to /wp-login.php runs a full password check
  • Users report lockouts, unexpected password-reset emails, or slow login pages
  • After a long attack window, successful logins appear from unfamiliar IPs or at odd hours, which means a guess eventually landed
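The symptoms above can be pulled straight out of the web server access log. The following is an added example, not code from the original page: it parses combined-format log lines (a constructed sample is embedded), counts POSTs to the login endpoints per source IP and per minute, and separates failed guesses from successes using WordPress's own behaviour: a wrong password re-renders the login form with HTTP 200, a correct one answers with a 302 redirect. The `known_admin_ips` allowlist and the `distributed_threshold` value are assumptions for illustration; xmlrpc.php returns 200 whether or not the guess worked, so XML-RPC attempts are counted but not classified.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample of "combined"-format access log lines (Apache/nginx style),
# not real traffic. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 402 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:13:55:39 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

# prior_failures = failed guesses already seen from the same IP before it succeeded
LoginSuccess = namedtuple("LoginSuccess", "ip when prior_failures")


def parse_line(line):
    """Return a dict for one combined-format access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string (?redirect_to=..., ?action=...)
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(log_text, known_admin_ips=frozenset(), distributed_threshold=3):
    """Summarise login-endpoint activity in one pass over the log text.

    Classification rule (WordPress behaviour): a POST to wp-login.php that fails
    re-renders the form with HTTP 200; a correct password answers with a 302 redirect.
    xmlrpc.php returns 200 either way (the fault is inside the XML body), so XML-RPC
    guesses are only counted.
    """
    attempts = Counter()     # login POSTs per source IP
    per_minute = Counter()   # login POSTs per minute, to spot the spike
    failures = Counter()     # wp-login.php POSTs answered with 200 (form re-rendered)
    successes = []           # wp-login.php POSTs answered with 302 (redirect after login)
    xmlrpc = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_ENDPOINTS:
            continue
        ip = rec["ip"]
        attempts[ip] += 1
        per_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        if rec["path"] == "/xmlrpc.php":
            xmlrpc += 1
        elif rec["status"] == 302:
            successes.append(LoginSuccess(ip, rec["ts"], failures[ip]))
        elif rec["status"] == 200:
            failures[ip] += 1
    return {
        "total_attempts": sum(attempts.values()),
        "distinct_ips": len(attempts),
        # many distinct sources hitting the login endpoints points at a botnet
        "distributed": len(attempts) >= distributed_threshold,
        "xmlrpc_attempts": xmlrpc,
        "top_sources": attempts.most_common(5),
        "peak_minute": per_minute.most_common(1)[0] if per_minute else None,
        # A redirect for an address that is not a known operator address is the
        # "unknown successful login" symptom; prior_failures > 0 from that same IP
        # makes it near-certain that a guess landed.
        "suspicious_successes": [s for s in successes if s.ip not in known_admin_ips],
    }


if __name__ == "__main__":
    # "192.0.2.10" stands in for an office/VPN address the operators are known to use.
    report = analyze(SAMPLE_LOG, known_admin_ips={"192.0.2.10"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real log with `analyze(open("/var/log/nginx/access.log").read(), known_admin_ips={...})`; the `suspicious_successes` list is the first thing to act on, since it tells you which accounts to reset and which sessions to kill before touching rate limits.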

Common Causes

  • Weak or reused passwords on admin or other privileged accounts
  • No rate limiting, CAPTCHA, or second factor on the login flow
  • XML-RPC (xmlrpc.php) and /wp-login.php reachable from anywhere with no controls; XML-RPC's system.multicall method lets a single request carry many password guesses
  • Botnets spread the attempts across many IP addresses, so per-IP limits alone never trigger
  • Credentials leaked in earlier breaches are replayed against accounts that still use them (credential stuffing)

Step-by-Step Fix

  1. Review authentication and web server logs to determine whether the attack is only failing or whether any suspicious successful logins already occurred, which accounts were targeted, and where the traffic came from.
  2. Reset passwords for all privileged users, require strong unique credentials, and terminate their existing sessions so a stolen session cannot outlive the reset.
  3. Enable stronger authentication controls such as two-factor authentication and sensible rate limiting for login attempts.
  4. Restrict or disable XML-RPC and other auxiliary auth endpoints if nothing in your workflow (for example the WordPress mobile app or Jetpack) needs them.
  5. Use firewall or bot protection rules to slow or block the abusive traffic without locking out legitimate users; throttle by source IP rather than locking accounts by username, otherwise an attacker can lock your admins out on purpose.
  6. Check for unexpected admin accounts, plugin or theme changes, and active sessions you do not recognize, in case the attack already succeeded before you noticed it.
  7. Monitor server load and login performance to ensure the attack is not degrading the site even if credentials remain safe.
  8. Re-test real admin login flows, including any allowlisted addresses and the second factor, so the added protections do not break normal access.
  9. Keep alerting on login spikes and privileged account changes so future attacks are detected early.
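Steps 3 and 5 ask for rate limiting that slows attackers without locking out real users. The following is an added example, not code from the page or from any WordPress plugin: a sliding-window throttle keyed by client IP with a growing delay instead of a hard ban, an operator allowlist, and a site-wide alarm for the distributed case that per-IP limits cannot catch. The thresholds, the allowlisted address, and the `clock` parameter (injected so the behaviour can be exercised without waiting) are assumptions. The logic would sit in front of the password check, for example in a `wp_login_failed`/`authenticate` hook or a reverse-proxy rule; it is shown here as plain Python so it runs stand-alone.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window throttle for login attempts, keyed by client IP.

    Design choices:
      * Key on the client IP, not the username: a username-keyed lockout lets an
        attacker lock the real administrator out just by failing against that name.
      * Back off with a delay that doubles per excess failure rather than a hard ban,
        so a user who mistypes a password is slowed down, not shut out.
      * Honour an allowlist of operator addresses so the hardening cannot lock admins out.
      * Raise a site-wide alarm when many distinct IPs fail inside the window, because
        a botnet stays under any per-IP limit (one or two guesses per address).
    Call check() before processing a POST and only record_failure() for attempts that
    were allowed through. Behind a CDN or reverse proxy, `ip` must be the real client
    address taken from a header the proxy is trusted to set; throttling the proxy's own
    address would block every visitor.
    """

    def __init__(self, max_failures=5, window=300, base_delay=5, max_delay=900,
                 allowlist=(), global_ip_alarm=20, clock=time.monotonic):
        self.max_failures = max_failures      # free failures per window before delays start
        self.window = window                  # seconds a failure stays counted
        self.base_delay = base_delay          # delay after the first excess failure
        self.max_delay = max_delay            # cap on the backoff
        self.allowlist = set(allowlist)       # operator addresses never throttled (assumed)
        self.global_ip_alarm = global_ip_alarm
        self.clock = clock
        self._failures = defaultdict(deque)   # ip -> timestamps of failures in the window
        self._blocked_until = {}              # ip -> clock value at which the delay ends

    def _prune(self, ip):
        """Drop failures older than the window; return the current clock value."""
        now = self.clock()
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return now

    def check(self, ip):
        """Return (allowed, retry_after_seconds) for a login POST from `ip`."""
        if ip in self.allowlist:
            return True, 0.0
        now = self._prune(ip)
        until = self._blocked_until.get(ip, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record_failure(self, ip):
        """Call after a wrong password; return the delay now imposed on `ip` (0 if none)."""
        if ip in self.allowlist:
            return 0.0
        now = self._prune(ip)
        q = self._failures[ip]
        q.append(now)
        excess = len(q) - self.max_failures
        if excess < 0:
            return 0.0
        delay = float(min(self.base_delay * 2 ** excess, self.max_delay))
        self._blocked_until[ip] = now + delay
        return delay

    def record_success(self, ip):
        """Call after a correct password: the IP's failure history is cleared."""
        self._failures.pop(ip, None)
        self._blocked_until.pop(ip, None)

    def failing_sources(self):
        """Number of distinct IPs with at least one failure inside the window."""
        active = 0
        for ip in list(self._failures):
            self._prune(ip)
            if self._failures[ip]:
                active += 1
        return active

    def distributed_attack(self):
        """True when the failing-source count reaches the site-wide alarm threshold."""
        return self.failing_sources() >= self.global_ip_alarm


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window=300, allowlist={"192.0.2.10"})
    for _ in range(5):
        print("delay after failure:", throttle.record_failure("203.0.113.5"))
    print("allowed now?", throttle.check("203.0.113.5"))
```

Tune `max_failures` and `window` to your real login error rate before enabling it: a typing user rarely fails more than a few times in five minutes, while a guessing tool fails on every request. When `distributed_attack()` fires, the per-IP throttle is no longer the control that matters and it is time for the CAPTCHA, the second factor, or an upstream bot rule.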