WordPress vs Brute Force Attacks – Step-by-Step Configuration
Brute force attacks on WordPress involve mass login attempts using lists of popular passwords. In 2026, bots can perform thousands of attempts per minute. Here's a step-by-step configuration that effectively protects wp-admin.
Step 1: Limit Login Attempts
Install Limit Login Attempts Reloaded or Wordfence. Set, for example, 4 failed attempts = 20-minute lockout. The lockout duration should be reasonable: it has to be long enough to slow bots down, but not so long that legitimate users who mistype a password are punished.
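As an added example (not code from the original post, nor from the Limit Login Attempts Reloaded or Wordfence plugins), the following must-use plugin implements the Step 1 policy directly with WordPress's own hooks and transients. The 4 attempts / 20 minutes values come from the post; the lle_ prefix, the file name and the assumption that REMOTE_ADDR is the real client address (no CDN or reverse proxy in front) are mine.

```php
<?php
/*
Plugin Name: Login Lockout Example (added example, not part of the original post)
Description: Locks out a client IP after N failed logins for M minutes.
             Save as wp-content/mu-plugins/login-lockout-example.php.
*/

// Thresholds from Step 1: 4 failures, then a 20-minute lockout.
define('LLE_MAX_FAILURES', 4);
define('LLE_LOCKOUT_SECONDS', 20 * 60);

// Assumption: no proxy/CDN in front of the site, so REMOTE_ADDR is the visitor.
// Behind Cloudflare or a load balancer you must read the trusted forwarded
// header instead, otherwise every visitor shares the proxy's address and one
// attacker locks out everyone.
function lle_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names must stay short, so key on a hash of the IP.
function lle_key($ip) {
    return 'lle_fail_' . md5($ip);
}

// Count each failed login. The transient TTL is refreshed on every failure,
// so the lockout window is measured from the most recent failed attempt.
add_action('wp_login_failed', function ($username) {
    $key   = lle_key(lle_client_ip());
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LLE_LOCKOUT_SECONDS);
});

// Refuse authentication while the counter is at or above the threshold.
// Priority 30 runs after WordPress's own username/password filter (priority 20),
// which would otherwise overwrite an earlier WP_Error with a valid WP_User.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(lle_key(lle_client_ip()));
    if ($count >= LLE_MAX_FAILURES) {
        return new WP_Error(
            'lle_locked_out',
            __('Too many failed login attempts. Please try again in 20 minutes.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lle_key(lle_client_ip()));
}, 10, 2);
```

Note two properties of this design that also apply to the plugins the post recommends: attempts made during the lockout still fire wp_login_failed, so a bot that keeps hammering only extends its own lockout, and the counter is per IP, so users behind a shared NAT can lock each other out; that is the trade-off behind keeping the lockout duration moderate.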
Step 2: IP Blocking and Geoblocking
Wordfence and Sucuri allow blocking countries from which you don't expect traffic. Optionally, block known Tor exit nodes and proxy addresses used by bots.
Step 3: Change Login URL
The WPS Hide Login plugin changes /wp-admin and /wp-login.php to a custom path such as /my-secret-login. Bots typically target the standard address, so after the change most automated attacks never reach the login form.
Step 4: Enforce 2FA
Even with a leaked password, the attacker cannot log in without the code from the TOTP app. Use the Two-Factor or Google Authenticator plugin for all accounts with admin privileges.
See full checklist: How to Secure WordPress in 2026