How to Protect Your WordPress Sites from Brute Force Attacks (1 Simple Step) - ManageWP

Photo Credit: Davide Restivo

If you keep up to speed with the latest WordPress news you will already know that the world’s favorite content management system was recently hit with a botnet of “tens of thousands” of computers, according to ZDNet.

What is more concerning is that some experts are suggesting that the worst is yet to come. With that in mind, now would be as good a time as any to improve the security of your WordPress site.

We have spoken about security before here on the ManageWP blog, but in this post I want to show you how you can dramatically improve the security of your WordPress sites with ManageWP in seconds.

Keeping It Simple

In a recent post on his personal blog, Matt Mullenweg was quick to play down the sensationalistic aspect of the botnet story and remind people that two simple adjustments can result in a blog that is “99%” more secure than others: changing your username and password.

While we would definitely recommend changing your username if it is still the default “admin,” setting a truly random password is likely to repel any brute force attempt at accessing your site. By truly random I mean a password that shares the following attributes:

The simple fact is that if your password is “hS8D&@nnP2” rather than “password” or something similarly obvious, a brute force attempt at cracking your site is far more likely to result in failure.

How to Change Your WordPress Passwords with ManageWP

Knowing that you should change your passwords is one thing — changing them is another. If you have a large network of sites then the job could be more than just a simple chore. Fortunately, with a subscription to ManageWP’s Professional Package, the process can be simplified greatly.

First, log into your ManageWP account and select Manage > Users from the drop down menu:

Manage > Users drop down box.

On the following screen you can choose which user types and websites to include in your filter:

Password change screen.

I would recommend that you select all user types apart from “Subscriber.”

ManageWP will now generate a list of users across all of your sites:

WordPress user profiles table.

Check all of the relevant users then select “Change password” from the drop down box at the bottom of the page. You can then choose a new, random and unique password:

WordPress password change option.

In just a few seconds the passwords will be changed.

That’s it! With this feature it is possible to change all of your passwords in just a few seconds. If you have any questions or comments please fire away in the comments section.
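
As an added example (not ManageWP's code and not part of the original post), the sketch below shows what "new, random and unique" means in practice: it draws each password from the operating system's CSPRNG, issues a different one per account, skips subscribers as recommended above, and compares the exhaustive-search cost of the post's two sample passwords. The account tuples, the `COMMON` list and all function names are constructed for illustration.

```python
import math
import secrets
import string

POOL = string.ascii_letters + string.digits + string.punctuation  # 94 characters
# Constructed sample of the obvious choices a guessing attack tries first.
COMMON = {"password", "admin", "123456", "letmein", "qwerty"}


def classes(pw):
    """Return (present, class size) for each character class found in pw."""
    return [
        (any(c.islower() for c in pw), 26),
        (any(c.isupper() for c in pw), 26),
        (any(c.isdigit() for c in pw), 10),
        (any(c in string.punctuation for c in pw), 32),
    ]


def generate_password(length=16):
    """Random password from the OS CSPRNG with all four character classes present."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:  # rejection sampling keeps the result uniform over valid passwords
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if all(present for present, _ in classes(pw)):
            return pw


def search_space_bits(pw):
    """Bits of exhaustive-search work for pw; 0 for entries on the COMMON list.
    Only meaningful for randomly generated strings, not human-chosen ones."""
    if pw.lower() in COMMON:
        return 0.0
    alphabet = sum(size for present, size in classes(pw) if present)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def plan_password_changes(accounts, length=16):
    """Map (site, login) -> fresh password, skipping subscribers as the post suggests."""
    plan, issued = {}, set()
    for site, login, role in accounts:
        if role.lower() == "subscriber":
            continue
        pw = generate_password(length)
        while pw in issued:  # guarantee uniqueness across the whole network
            pw = generate_password(length)
        issued.add(pw)
        plan[(site, login)] = pw
    return plan
```

A password that has appeared in print, including the sample in this post, should be treated like an entry on the common list rather than reused.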

Tom Ewer

Tom Ewer is the founder of He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not working, you're likely to find him outdoors somewhere – as far away from a screen as possible!


  1. Atinder

    Well, recently brute force attacks have immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing which is fightable; I mean, by using security methods, we can move brute force attacks out of the window. Although it can be difficult for newbies who just got started with WordPress, he/she can learn by reading posts online and then can implement security.
    In my view, implementing only three tricks works very well: changing the login slug, a content delivery network (CDN) and a security plugin which bans an IP address after a few login attempts.

  2. terence.milbourn

    One thing that seems to be regularly overlooked is the fact that many cheap hosting servers have very poor site isolation and often sites are attacked through somebody else ~ on a totally different site on the same server ~ not protecting ‘their’ site.

    I un-hack and move about 10 to 15 sites every month from vulnerable cheap shared hosting to secure VPS webservers where they NEVER get hacked again.

    If you pay $4.95 /mo for hosting, or bought a cheap annual hosting deal, why would you be surprised if your site gets hacked?

    It’s beyond me.


  3. ScRiPtprompt1ScRiPt


  4. boundlessdata

    I’m more concerned with how to stop the attempts than I am about them actually breaking in. The repeated attempts suck the resources out of our virtual server until none of our websites will respond. Simply changing your password will not stop that and neither will the security plugins we have seen so far.

  5. Kelli Jae Baeli

    Hate to be the bearer of bad news, but this did nothing to prevent these attacks on my site. It still happens about every 2 weeks. In fact I am doing an instant support chat RIGHT NOW with my host to try to get my blog back up. So it’s not as simple as the password.

  6. Jared

    I just wanted to add that a great tool for checking password strength is

    1. Tom Ewer

      Thanks for the suggestion Jared! I personally love using LastPass to generate passwords:

  7. Emagin

    This plugin makes it so easy:

  8. Simmons

    A good username/password is only part of the solution. It seems to me the real issue is the amount of bandwidth that is taken up on some of these brute force attacks. I’ve had my site, which is on a VPS, go down because of that. It’s terribly frustrating. I’m using a couple plugins to help, and wish I would have started with the plugin (Better WP Security, or something) that moves the login page to begin with. Seems to me that’s the best way to stop these, on the line of thinking that the brute force attackers couldn’t find the login page to begin with. WordPress’s next major version needs to work on a dynamically generated login page to truly solve the problem.

    1. Tom Ewer

      Hi Simmons,

      I agree and think that WordPress should be doing a lot more to the core in terms of strengthening security, but then I am only a layman and don’t understand the complexities involved in doing so.



  9. Mike

    Thanks for the post, I’ve updated all my passwords and added the login lockdown plugin, which is a free option that seems to get a good review and do the job!

    1. Tom Ewer

      I’ve heard good things Mike — I’m sure it can’t hurt!

  10. Reuben

    Me and my hosting company have been having a tough time during the last few days due to an apparent attack. This is a recurring issue since my sites have been hacked a few times before and they managed to resolve the issues.

    I guess we need a better security solution. I bought tons of security plugins but it seems I wasted money because the attacks seem to pass through somehow.

    I made it a routine to change my password every month. I like Dynasites’ method and will try to implement it.

    Thanks for this post.

    1. Tom Ewer

      No problem Reuben :-)

  11. Harsh Agrawal

    Another easy way is to change the default login “admin” to something custom. One can use a plugin like Better WP Security to do so…

    1. Tom Ewer

      Yep — changing the username from the default is a very good idea.

  12. Susan

    I used this feature on Monday to change just my own user password across all of my sites. It worked on most, but two sites had to be re-added to ManageWP afterwards because I kept getting a Failed message when the sites were reloaded in ManageWP. Is this common?

    1. Tom Ewer

      It’s not something I’m familiar with Susan. I’d take it up with the support team directly if you’re concerned about it. Thanks!

      1. Susan

        Since this isn’t a task that I expect to perform often and I was able to get both sites re connected, I’m not too concerned at this point. I was just a little curious why this might have happened.

  13. Mark

    So you’re telling me I should use the same password for all my users across all my websites?

    1. Tom Ewer

      Hi Mark,

      Not necessarily — that’s up to you.

      If you use a truly unique and strong password then one across all your sites isn’t necessarily a security risk (consider this: if you had just one site with a really strong password, would you still be worried?).

      Having said that, you can still create unique passwords for all your sites with ManageWP far quicker than you could otherwise.



      1. wpguide

        Agreed that one password across all your sites isn’t as big a deal as some people make it out to be (esp. if all your sites are on the same host). Once they’re in, they’re in. Just make sure that the password is difficult to crack.

  14. Taneya

    Your blog post fails to mention that this is a feature that is not available for those subscribed to your Standard plan. thx.

    1. Tom Ewer

      That’s a good point Taneya; thanks for bringing it to my attention. I’ve clarified that fact in the post now :-)

  15. Dynasites

    After one of my sites was hacked, I began using LastPass’s feature of “Generate Secure Passcode” but I would use it as my username and then run it again for a passcode. I also use Better WP Security Plugin and lock out users after the third unsuccessful login attempt. I am still amazed how many lockout email reports I get in a week. But each one is a hacker that must move on.
    I would be interested in anyone’s comments or ideas on security if you’re on a shared server. Am I still at risk if some other user’s WordPress site isn’t secure?

    1. Tom Ewer

      Hi there,

      That’s some serious security you’ve got going on there — great job!

      As for the shared server security issues, it’s a good question (and one that I don’t know the answer to I’m afraid!).



  16. Dallas Bankruptcy

    There are many good security-related WP plugins available. Some are pay versions but many are free. They deal with stuff like rewriting htaccess, randomized sql entries, etc.

    Of course, that’s for later …after you’ve taken this first basic (and mostly overlooked) step.

  17. Clay

    Another reason I love this solution. A quality of life improvement if you make your living with WordPress.

    1. Tom Ewer

      Love that phrase Clay: “A quality of life improvement.” Thank you for your support! :-)
