Skip to content
Read For Learn
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP

wp-admin folder, brute force, and password protection

Protecting only wp-admin won’t help a lot, at least it won’t protect your from brute-force attacks.

A brute force attack is a trial-and-error method used to obtain
information such as a user password or personal identification number
(PIN). In a brute force attack, automated software is used to generate
a large number of consecutive guesses as to the value of the desired
data.

So in other words – attacker tries to guess the password by trying to log in with different credentials.

Why protecting wp-admin won’t protect you? Because brute-force attacks are not directed at wp-admin. There are two methods used to perform brute-force attacks on WordPress:

  1. Send credentials to wp-login.php and check the response.
  2. Send some authenticated request to xmlrpc.php and check if authentication error occured.

So if you want to protect yourself from brute-force attacks, you should protect these 2 files. This way attacker won’t be able to guess the credentials.

Of course protecting wp-admin is also a good idea – this way even if someone breaks the password, he still won’t get to wp-admin area.

Although you have to remember that second layer (Basic Auth?) is just one of methods you can use to protect yourself from brute-force. You can also implement login throttling or temporary lockout.

Related Posts:

  1. Is there any way to rename or hide wp-login.php?
  2. Increase of failed login attempts, brute force attacks? [closed]
  3. How to fake a WordPress login?
  4. Brute force attack?
  5. Receiving “This content cannot be displayed in a frame” error on login page
  6. Websites defaced by uploading script using theme editor
  7. Make wordpress admin failed login attempt return 401
  8. WordPress login urls
  9. Store brute-force IP addresses
  10. How to create a private login page for admin.?
  11. WordPress Security – How to block alternative WordPress access
  12. Protecting WordPress login page
  13. Sniffing wordpress user’s credentials
  14. disable site_url redirect in wp-login.php
  15. Does WordPress (or a plugin) reveal login credentials to admin?
  16. Is wp_login_form secure on a non secure page?
  17. WordPress login security
  18. Why isn’t the login page rate limited by default?
  19. How can I password protect a WordPress site without requiring users to log in?
  20. Input sanitation
  21. How to Prevent Brute Force Attack on WordPress
  22. Advice on redirect to lock site from unauthorized users
  23. Where is the php file, that does the checks for login information?
  24. Error on WordPress Login
  25. Access log “POST /wp-login.php HTTP/1.0” 400
  26. force login loophole
  27. I need to find which is the file that checks the DB for correct login (username, password)
  28. How to create separate login for authors/moderators/subscribers?
  29. How to invalidate `password reset key` after being used
  30. Site is not loading after relogin attempts on SSL
  31. Some crawlers/bots attempting to login with very good guesses. How?
  32. Hide wp-login.php but not the widget
  33. How login is possible, if I deny login page via nginx?
  34. How to prefill WordPress registration with social details
  35. Redirect user using the ‘wp_login_failed’ action hook if the error is ’empty_username’ or ’empty_password’
  36. wp_signon() does not authenticate user guidance needed
  37. Disable WordPress 3.6 idle logout / login modal window / session expiration
  38. Avoid to load default WP styles in login screen
  39. Integrate recaptcha and wp_signon – what is needed?
  40. Programmatically log in a wordpress user
  41. How to Block Access to Standard Login Flow and Comment Flow
  42. Change sign-on URLs for security purposes
  43. Can’t stop hacker trying to get admin access in WordPress blog after trying many ways [closed]
  44. Hook for fail and successful login actions
  45. How does WordPress track that a certain User is Logged-In
  46. Mobile users redirected to a different page on login unless linked to another post
  47. How can i add validation to this login form with out it redirecting to the wp-login.php page
  48. Custom login page always redirecting to wp-login.php
  49. Force users to register in order to view website [duplicate]
  50. auto login after registeration for wp-members plugin
  51. How do I replace “Username” in the WordPress login form?
  52. How can I do a URL redirection when an user uses wrong login details?
  53. Change login_message using title
  54. Changing WP login credential [closed]
  55. Index page and random posts needs a forced refresh in order to show new content
  56. How can I remove “Powered by WordPress” pop-up disclaimer in wp-login.php?
  57. User needs to login first before accessing website
  58. Redirecting after login?
  59. Changed the url into https and now can’t access site admin
  60. Can’t log in. WordPress says my account doesn’t exist [closed]
  61. How do I add Login fields and registration link to the header?
  62. How to make a user be able to register if such a login already exists?
  63. Can not login to wordpress site after resolving white screen of death
  64. add_action(‘init’) not work
  65. Password not resetting on wordpress?
  66. WordPress “wp-admin” redirecting to a user account login
  67. How to restrict access to a single for users I’ve authorized? [closed]
  68. I renamed my server from http to https and now I can’t login
  69. https to https problem – 404 and can’t login
  70. wordpress login without password just email address (NO 2 factor authentication with email)
  71. Check if specific user is online outside wp
  72. wp_login_url not working correctly
  73. Single sign on for multiple domains
  74. Is there an application I can use to protect documents?
  75. Bizarre wp_signon problem
  76. Login error ” There has been a critical error on this website”
  77. login with users info in a different database
  78. Will the same WordPress logins work after a site migration?
  79. Possible to create a login wall?
  80. All pages gives 404 except homepage and wp-login
  81. Check for $ _POST fields in a POST method form
  82. Styling WordPress login page – Can I change the markup on the login page?
  83. WP login admin name incorrect send to another page or site
  84. Cannot login to wp-admin as redirect set to page not yet published
  85. Users can not login into wordpress website
  86. Cannot login to WP after force recovery
  87. Updating usermeta from login redirect to billing address
  88. Login / Register for specific pages
  89. WordPress login issue . Permission Problem
  90. How can I have customers log in using ONLY customer number? No password
  91. Problem with footer and login
  92. Why WordPress not logout after I have close my browser?
  93. Remember me doesn’t work with www?
  94. Shared user database trick not working
  95. Login from Mobile Phone
  96. Can i login with only one account to different top leveled domain wordpress web sites?
  97. “user not registered” when trying to login and “There has been a critical error” message on site
  98. generate an array of user login date using update_user_meta();
  99. Cannot log into WordPress admin dashboard after new installation on AWS ec2
  100. Customize From and email address on password reset
Categories login Tags login, security
Check on which page specific result exist
Stop WordPress Visual Editor converting backticks into code blocks

Recommended Hostings

Cloudways: Realize Your Website's Potential With Flexible & Affordable Hosting. 24/7/365 Support, Managed Security, Automated Backups, and 24/7 Real-time Monitoring.

FastComet: Fast SSD Hosting, Free Migration, Hack-Free Security, 24/7 Super Fast Support, 45 Day Money Back Guarantee.

Recent Added Topics

  • Bug in translation system: load_theme_textdomain() returns true, files are available and accessible but the language defaults to english
  • Custom Elementor controls not appearing in the widget Advanced tab using injection hooks
  • Get the name of the template/*html file used
  • Trying to Add Paging to Single Post Page
  • Sharing media files between live and staging servers
  • How to display the description of a custom post type in the dashboard?
  • Critical error on image display
  • Copying WP data and files into new install?
  • How to determine the DirectAdmin WordPress backup date?
  • How to get list of ALL tables in the database?
© 2026 Read For Learn
  • Database
    • Oracle
    • SQL
  • algorithm
  • asp.net
  • assembly
  • binary
  • c#
  • Git
  • hex
  • HTML
  • iOS
  • language angnostic
  • math
  • matlab
  • Tips & Trick
  • Tools
  • windows
  • C
  • C++
  • Java
  • javascript
  • Python
  • R
  • Java Script
  • jQuery
  • PHP
  • WordPress