Hardening WordPress against spam and brute force attacks

By Alexandru Bucsa. Category: Guides and resources. Topics: Security, WordPress.

You check your WordPress dashboard and see dozens of failed login notifications or a sudden flood of nonsensical comments. These are not random occurrences; they are targeted attacks by automated bots designed to either break into your site or use it for malicious purposes. The two most common threats you will face are brute force attacks, which try to guess your login credentials, and spam, which floods your site with unwanted content.

Fortunately, you are not powerless against these threats. This guide provides a comprehensive, multi-layered defence strategy. We will cover everything you need, from recommended site hardening methods to combating spam and brute force attacks on WordPress sites, moving from simple fixes any beginner can implement to powerful, advanced techniques that will turn your website into a digital fortress.

  • Fortify Your Login: Use strong, unique passwords and enable Two-Factor Authentication (2FA) immediately
  • Limit Access: Install a security plugin to limit login attempts and consider changing your default login URL
  • Block Bad Bots: Implement a Web Application Firewall (WAF) and use CAPTCHA or honeypots on all forms and comment sections
  • Harden Your Core: Protect critical files like wp-config.php and .htaccess from public access
  • Always Have a Plan B: Maintain a regular, automated off-site backup schedule as your ultimate safety net

Understanding the Battlefield: Brute Force Attacks vs. Spam

Before building your defences, it is important to understand your enemy. While brute force attacks and spam may seem like different problems, they are often carried out by the same underlying technology: automated botnets. A security strategy that addresses one but ignores the other leaves a critical door open.

A Brute Force Attack is a digital battering ram. Bots systematically try thousands or even millions of username and password combinations until they find one that works. They often target the default WordPress login page (wp-login.php) and common usernames like “admin,” hoping to find an easy way in. Once inside, attackers can steal data, install malware, or use your server to launch other attacks.

WordPress Spam is any unwanted content submitted to your site, typically through comment sections and contact forms. The motive is usually to post malicious links, phish for user information, or simply overload your database and harm your site’s reputation. Because both threats rely on bots, many of the same defences—like IP blocking and traffic filtering—are effective against both.

Layer 1: Foundational Security (The Non-Negotiables)

These are the absolute basics. Implementing these three practices will dramatically improve your site’s security posture with minimal effort.

Your password is the first line of defence. A weak password is an open invitation to attackers. A strong password policy includes:

  • Length and Complexity: Forget short, complex passwords that are hard to remember. Instead, use longer passphrases, which are sequences of words that are easy for you to recall but difficult for a computer to guess. Aim for at least 12-16 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols.
  • Uniqueness: Never reuse passwords across different websites. If one site is breached, attackers will use those stolen credentials to try to access your other accounts. This technique is called credential stuffing.
  • Password Managers: The best way to manage unique, strong passwords for all your accounts is with a password manager like 1Password or Bitwarden. These tools generate and store your credentials securely, so you only have to remember one master password.

Enable Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) is an essential second layer of security that protects your account even if your password is stolen. It requires two forms of verification to log in: something you know (your password) and something you have (a temporary code from your phone).

Always opt for an authenticator app like Google Authenticator or Authy instead of SMS-based 2FA. SMS codes can be intercepted through a technique called SIM-swapping, making app-based authentication a more secure choice. Many security plugins can help you easily add 2FA to your WordPress login page.

An outdated plugin or theme is one of the most common ways hackers gain access to a WordPress site. Updates are not just for new features; they often contain critical patches for security vulnerabilities that have been discovered.

  • Enable automatic updates for WordPress core, especially for minor and security releases.
  • Regularly check for and apply updates to your themes and plugins.
  • Delete any themes or plugins you are not actively using. Even inactive software can be exploited if it contains a vulnerability, so it is best to remove it completely.

Layer 2: Fortifying Your Login & User Access

With the fundamentals in place, the next step is to actively lock down your login page and manage who has access to your site.

By default, WordPress allows users to try to log in an unlimited number of times. This makes it easy for brute force bots to guess passwords without consequence. A simple and highly effective countermeasure is to limit login attempts. After a set number of failed logins from a specific IP address, that IP is temporarily locked out, stopping the bot in its tracks. This is a core feature of most security plugins, including All In One Security (AIOS).
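The lockout policy described above, written out as an added example in stand-alone Python (it is not AIOS's code). In WordPress this logic would live in a plugin hooked to the `wp_login_failed` and `wp_login` actions; the thresholds of five failures in five minutes and a fifteen-minute lockout are assumptions chosen for the example.

```python
import time
from collections import defaultdict


class LoginAttemptLimiter:
    """Per-IP failed-login counter with a sliding window and a temporary lockout."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures          # failures allowed inside the window
        self.window_seconds = window_seconds      # how long a failure counts against an IP
        self.lockout_seconds = lockout_seconds    # how long a tripped IP stays blocked
        self._failures = defaultdict(list)        # ip -> timestamps of recent failures
        self._locked_until = {}                   # ip -> time the lockout expires

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                          # lockout has expired: start clean
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Call after a failed password check. Returns True if the IP is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return True
        recent = [t for t in self._failures[ip] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self._failures.pop(ip, None)

    def remaining_attempts(self, ip, now=None):
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return 0
        recent = [t for t in self._failures.get(ip, []) if now - t < self.window_seconds]
        return self.max_failures - len(recent)


def attempt_login(limiter, ip, password_ok, now):
    """Gate the password check behind the limiter, the way a login handler would.
    A locked IP is refused before the password is even examined."""
    if limiter.is_locked(ip, now):
        return "locked_out"
    if password_ok:
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "locked_out" if limiter.is_locked(ip, now) else "failed"
```

Note that the lockout is checked before the password: once an IP is tripped, even the correct password is refused until the lockout expires, which is what stops a bot from continuing to guess.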

Change the Default Admin Username and Login URL

Attackers know that many WordPress sites have a user named “admin” and that the login page is located at /wp-login.php. Changing these defaults makes your site a harder target for automated bots.

  • Change the “admin” Username: If you still have a user named “admin,” change it immediately. Since WordPress doesn’t let you change a username directly, the safest way is to create a new user with a unique name and Administrator privileges. Then, log in as the new user and delete the old “admin” account, making sure to attribute all its content to your new user.
  • Change the Login URL: Hiding your login page by changing the URL from /wp-login.php to something unique like /my-portal makes your site invisible to most bots that are hard-coded to attack the default address. Security plugins can make this change with a single click.

Apply the Principle of Least Privilege

The principle of least privilege is a core security concept that states users should only be given the minimum level of access required to perform their duties. Not everyone needs to be an Administrator.

Regularly audit your user accounts under Users > All Users in your dashboard. Assign appropriate roles (e.g., Editor, Author, Contributor) and delete any accounts that are no longer needed or have been inactive for a long time.

This section covers advanced techniques that provide the highest level of protection. While some are technical, a good security plugin can simplify their implementation.

The wp-config.php file is the heart of your WordPress installation. It contains your database credentials and security keys, and it should be protected at all costs.

  • Move the File: WordPress allows you to move your wp-config.php file one directory level above your public root folder. This makes it inaccessible to web browsers and is a highly effective security measure.
  • Set Correct Permissions: File permissions for wp-config.php should be set to 400 or 440. This makes the file read-only, preventing it from being edited by anyone, including you.
  • Disable File Editing: Add the following line to your wp-config.php file to disable the built-in plugin and theme editor in the WordPress dashboard. This prevents attackers from injecting malicious code if they manage to gain admin access.
define('DISALLOW_FILE_EDIT', true);

Use .htaccess to Build a Perimeter Fence

The .htaccess file is a powerful server configuration file that lets you create security rules. Always back up your .htaccess file before making any changes, as a mistake can take your site offline.

  • Protect wp-config.php: Add the following code to your main .htaccess file to block all web access to your configuration file.
<files wp-config.php>
order allow,deny
deny from all
</files>
  • Disable Directory Browsing: Prevent visitors from seeing a list of the files in your site’s folders by adding this single line.
Options -Indexes
  • Block PHP Execution in Uploads: Malicious users might try to upload a PHP script disguised as an image. You can prevent these scripts from running by creating a new .htaccess file inside your /wp-content/uploads/ directory with the following code.
<Files *.php>
deny from all
</Files>

Another lesser-known but important step is to tell browsers not to perform content (MIME) sniffing, which stops them from guessing and misinterpreting a file's type and reduces the risk of XSS attacks.
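Because a typo in .htaccess can take the site offline, it helps to have a way to confirm the rules are present before and after editing. The following added example (not from the page or any plugin) reads .htaccess text and reports which of the rules discussed above it finds: the wp-config.php block, disabled directory listing, the PHP block for the uploads folder, and the no-sniff header. The Apache 2.2 `deny from all` spelling used on this page is accepted alongside the Apache 2.4 form `Require all denied` (the older form only works on 2.4 when mod_access_compat is loaded); the sample .htaccess contents are constructed for the example.

```python
import re

# Either access-control spelling counts: Apache 2.2 "deny from all" (mod_access_compat
# on 2.4) or the native Apache 2.4 "Require all denied".
_DENY_RE = re.compile(r"deny\s+from\s+all|require\s+all\s+denied", re.IGNORECASE)


def _has_deny_block(text, files_pattern):
    """True if some <Files …> or <FilesMatch …> block whose argument matches
    files_pattern denies all access inside its body."""
    block_re = re.compile(
        r"<(?:files|filesmatch)\s+" + files_pattern + r"\s*>(.*?)</(?:files|filesmatch)>",
        re.IGNORECASE | re.DOTALL,
    )
    return any(_DENY_RE.search(body) for body in block_re.findall(text))


def audit_main_htaccess(text):
    """Check the site-root .htaccess for the rules this guide recommends."""
    return {
        "wp_config_blocked": _has_deny_block(text, r'"?wp-config\.php"?'),
        "directory_listing_disabled": bool(
            re.search(r"^\s*Options\b[^\n]*-Indexes", text, re.IGNORECASE | re.MULTILINE)
        ),
        # X-Content-Type-Options: nosniff is the header that turns off MIME sniffing
        "nosniff_header": bool(
            re.search(r'^\s*Header\s+(?:always\s+)?set\s+X-Content-Type-Options\s+"?nosniff"?',
                      text, re.IGNORECASE | re.MULTILINE)
        ),
    }


def audit_uploads_htaccess(text):
    """Check the wp-content/uploads/.htaccess for the PHP execution block."""
    return {"php_execution_blocked": _has_deny_block(text, r'"?[^>]*\.php[^>]*"?')}


def missing_rules(report):
    """Names of the rules that were not found, sorted for stable output."""
    return sorted(name for name, ok in report.items() if not ok)


# Constructed sample: the page's rules plus the no-sniff header (needs mod_headers)
SAMPLE_MAIN = """
<files wp-config.php>
order allow,deny
deny from all
</files>
Options -Indexes
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
"""

# Constructed sample for the uploads folder in Apache 2.4 syntax
SAMPLE_UPLOADS_24 = r"""
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
"""

if __name__ == "__main__":
    print("missing in main .htaccess:", missing_rules(audit_main_htaccess(SAMPLE_MAIN)))
    print("uploads:", audit_uploads_htaccess(SAMPLE_UPLOADS_24))
```

Run it against the real files with `audit_main_htaccess(open(".htaccess").read())`; an empty list from `missing_rules` means every rule was found.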

Implement a Web Application Firewall (WAF)

A Web Application Firewall (WAF) acts as a filter between your website and incoming traffic. It analyzes requests and blocks known attack patterns and malicious bots before they can reach your WordPress site. A WAF is your frontline defence against a wide range of threats, including SQL injection and cross-site scripting (XSS). WAFs can be plugin-based, running on your server, or cloud-based (like Cloudflare), filtering traffic at the network level.

Set Correct File & Folder Permissions

File permissions determine who can read, write to, and execute files on your server. Incorrect permissions are a major security vulnerability. The recommended settings for WordPress are:

  • Folders: 755
  • Files: 644

These settings mean that only the owner of the files can write to them, while others can only read them. Under no circumstances should any file or folder be set to 777, as this gives anyone the ability to add, edit, and execute files on your server.
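To check a site against these numbers rather than inspecting files by hand, here is an added example (not AIOS code) that walks a WordPress directory tree and reports every folder that is not 755, every file that is not 644, a wp-config.php that is not 400 or 440, and anything world-writable. The small sample site it builds in a temporary directory is constructed for the example, with deliberately wrong modes so the report has something to show.

```python
import os
import stat
import tempfile

EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644
EXPECTED_WP_CONFIG = (0o400, 0o440)   # the guide's recommendation for wp-config.php


def _check(path, root, findings, is_dir):
    if os.path.islink(path):
        return                                        # judge the target, not the link
    mode = stat.S_IMODE(os.lstat(path).st_mode)       # permission bits only
    rel = os.path.relpath(path, root)
    if mode & stat.S_IWOTH:                           # 777, 666 and friends
        findings.append((rel, oct(mode), "world-writable"))
        return
    if is_dir:
        if mode != EXPECTED_DIR:
            findings.append((rel, oct(mode), "expected 755"))
    elif os.path.basename(path) == "wp-config.php":
        if mode not in EXPECTED_WP_CONFIG:
            findings.append((rel, oct(mode), "expected 400 or 440"))
    elif mode != EXPECTED_FILE:
        findings.append((rel, oct(mode), "expected 644"))


def audit_permissions(root):
    """Return a sorted list of (relative_path, mode, problem) for every deviation."""
    findings = []
    _check(root, root, findings, is_dir=True)         # the site root itself
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            _check(os.path.join(dirpath, name), root, findings, is_dir=True)
        for name in filenames:
            _check(os.path.join(dirpath, name), root, findings, is_dir=False)
    return sorted(findings)


def build_sample_site(root):
    """Constructed fixture: a tiny site layout with some deliberately wrong modes."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        "index.php": 0o644,                                          # correct
        "wp-config.php": 0o644,                                      # should be 400/440
        os.path.join("wp-content", "index.php"): 0o644,              # correct
        os.path.join("wp-content", "uploads", "cache.php"): 0o777,   # world-writable
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)     # world-writable


def run_demo():
    """Build the sample site in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, problem in run_demo():
        print(f"{mode}  {rel}: {problem}")
```

Point `audit_permissions` at the real document root to get the same report for a live site; fixing the findings is then a matter of `chmod` on the listed paths.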

Take the hassle out of hardening

Free tools can cover the fundamentals, but stopping determined attackers requires more. AIOS Premium adds advanced features like two-factor authentication enforcement for all users, country blocking, scheduled security scans, and premium support. It’s the easiest way to move from “secure enough” to truly hardened WordPress protection.

A Multi-Layered Approach to WordPress Security


| Security Layer | Primary Method | Key Actions | Best For |
|---|---|---|---|
| User/Access Layer | Strong Credentials & Policies | Unique passphrases, 2FA, least privilege user roles | Preventing unauthorized access by legitimate or stolen credentials |
| Application Layer | Security Plugin (e.g., AIOS) | Limit login attempts, CAPTCHA, malware scanning, easy WAF rules | All users, especially those wanting comprehensive protection without deep technical knowledge |
| Server/File Layer | Manual Hardening (.htaccess, wp-config.php) | Block access to core files, disable PHP execution, set file permissions | Intermediate/advanced users wanting granular control and minimal performance overhead |
| Network/Edge Layer | Cloud WAF / CDN (e.g., Cloudflare) | Block malicious IPs at the DNS level, mitigate DDoS attacks | High-traffic sites or those under active, large-scale attack |

Special Focus: Combating WordPress Spam

A hardened site must also defend against spam in comments and forms. This not only improves your site’s quality but also reduces server load from spam bots.

The first place to start is WordPress’s built-in settings. Navigate to Settings > Discussion and:

  • Check the box for “Comment author must fill out name and email”
  • Check the box for “Comment must be manually approved”
  • Use the “Comment Blacklist” field to add common spam words, phrases, or IP addresses

For a more powerful, automated solution, a dedicated anti-spam plugin is essential. The Akismet plugin, which comes with most WordPress installations, is a popular choice. Comprehensive security plugins like AIOS also include robust spam prevention features that automatically filter out junk comments before you ever see them.

Spam bots do not just target comments; they also submit junk through contact, registration, and other forms on your site. Two techniques are highly effective at stopping them:

  • Honeypots: This clever method adds a hidden field to your form that is invisible to human users but visible to bots. Since bots are programmed to fill out every field, they will fill in the honeypot field. The form submission is then automatically rejected because a human would have left it blank.
  • CAPTCHA / reCAPTCHA: This is a simple test designed to prove the user is human. You have likely seen Google’s “I’m not a robot” checkbox. Modern versions are often invisible to the user and only present a challenge if suspicious behavior is detected. Many form plugins have this feature built-in, and security plugins can add it to login pages and comment forms.
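The honeypot technique, as an added example in Python that is not from this page or any form plugin. It shows the two halves the description above refers to: the hidden field as rendered into the form, and the server-side check that rejects any submission where that field was filled. The field name `website_url`, the visible field names and the sample submissions are assumptions constructed for the example.

```python
import html

HONEYPOT_FIELD = "website_url"            # tempting to a bot, never shown to a person
VISIBLE_FIELDS = ("author", "email", "comment")


def render_honeypot_field():
    """HTML for the trap. It is moved off-screen, hidden from assistive technology
    and taken out of the tab order, so people never see or fill it; a bot that
    fills every input it finds in the markup will."""
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{HONEYPOT_FIELD}">Leave this field empty</label>'
        f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off" value="">'
        "</div>"
    )


def classify_submission(form):
    """Return ("reject", reason) or ("accept", cleaned_fields) for one POST body."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return ("reject", "honeypot filled")          # only automation fills a hidden field
    missing = [f for f in VISIBLE_FIELDS if not form.get(f, "").strip()]
    if missing:
        return ("reject", "missing: " + ", ".join(missing))
    # escaped here so the stored values are safe to display as-is
    cleaned = {f: html.escape(form[f].strip()) for f in VISIBLE_FIELDS}
    return ("accept", cleaned)


# Constructed sample submissions
HUMAN_POST = {
    "author": "Dana", "email": "dana@example.com",
    "comment": "Nice guide!", "website_url": "",
}
BOT_POST = {
    "author": "x", "email": "x@example.net",
    "comment": "<a href='http://spam.example'>cheap pills</a>", "website_url": "http://spam.example",
}

if __name__ == "__main__":
    print(render_honeypot_field())
    print(classify_submission(HUMAN_POST))
    print(classify_submission(BOT_POST))
```

Rejected submissions are best dropped silently with a generic error; a distinctive message would only tell the bot's operator which field tripped the check.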

Expert Insight on WordPress Security

A common mistake is treating security as a one-time setup. True hardening is a process. Start with 2FA, block brute force attacks with login attempt limits, then focus on what attackers can’t see: harden your wp-config.php and disable the file editor. This layered approach turns your site from a soft target into a walled fortress.

Alexandru Bucsa – Product Manager

Secure Your Site in Minutes with AIOS

Manual hardening takes time and technical know-how. All-in-One Security (AIOS) brings those same protections into one easy dashboard, complete with a Web Application Firewall, login attempt limits, file permission checks, and spam prevention. With just a few clicks, you can apply many of the advanced techniques from this guide without the complexity.

The Unsung Hero: Your Backup Strategy

No security system is 100% impenetrable. A determined attacker, a software vulnerability, or even simple human error can cause problems. A reliable backup is your ultimate insurance policy, allowing you to quickly restore your site to a working state if the worst happens.

A best practice is the 3-2-1 rule: keep at least 3 copies of your data, on 2 different types of media, with 1 of those copies stored off-site. The best way to achieve this is with an automated, scheduled backup solution. A trusted plugin like UpdraftPlus, the world’s most popular scheduled backup plugin, makes it easy to automate complete backups of your site to a secure, off-site cloud location like Google Drive, Dropbox, or Amazon S3.

Securing your WordPress site against brute force attacks and spam is not about implementing a single, magic solution. It is about building layers of defence. By starting with the fundamentals like strong passwords and regular updates, then fortifying your login page, hardening your core files, and maintaining a reliable backup strategy, you create a robust security posture. This proactive, multi-layered approach transforms WordPress security from a source of anxiety into a manageable process, allowing you to protect your valuable digital asset with confidence.

How can I tell if my site is under a brute force attack?

Common signs include a sudden slowdown in your site’s performance, receiving an unusual number of failed login attempt notifications, or seeing a high volume of POST requests to your wp-login.php file in your server’s access logs.
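The third sign, a flood of POST requests to wp-login.php in the access logs, can be checked automatically. The following added example (not from the page) parses log lines in the Apache combined format, counts POSTs to wp-login.php per source IP inside a sliding time window, and reports the IPs that cross a threshold. The log lines, the ten-minute window and the threshold of five requests are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],      # drop any query string
        "status": int(m.group("status")),
    }


def find_login_floods(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for every IP that sent at least `threshold` POSTs
    to wp-login.php within any span of `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):               # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log: one IP hammers the login form, one person logs in normally
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Mar/2025:09:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"'
    for sec in range(5, 45, 5)                      # eight POSTs in forty seconds
] + [
    '198.51.100.20 - - [10/Mar/2025:09:03:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2025:09:03:14 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for ip, count in find_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs inside the window")
```

Run it over a real file with `find_login_floods(open("access.log"))`; a single human rarely produces more than a handful of login POSTs in ten minutes, so IPs well above the threshold are candidates for blocking at the WAF.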

Is a security plugin enough to protect my site?

A high-quality security plugin is a massive step forward and handles the vast majority of common threats. However, for maximum protection, it should be part of a larger strategy that includes foundational best practices like using strong, unique passwords, keeping all software updated, and having a reliable off-site backup solution like UpdraftPlus.

Will these security measures slow down my website?

Most modern, well-coded security plugins like AIOS are designed with performance in mind and have a minimal impact on site speed. In fact, a good security setup can sometimes speed up your site by blocking resource-intensive bots and spam requests that would otherwise slow down your server. Cloud-based WAFs, in particular, have almost no negative effect on performance.

What is the single most important first step I should take?

Enable Two-Factor Authentication (2FA). It provides the largest security improvement for the least amount of effort. Even if an attacker manages to steal or guess your password, 2FA will prevent them from logging into your account.

About the author


Alexandru Bucsa

Alex is our All-In-One Security Product Manager. With more than six years of WordPress experience, he listens closely to what users need and works hard to make AIOS even better. Drawing on his background in forensic investigations, Alex loves diving into problems to understand their causes and find practical fixes that truly help our community.
