Support » Fixing WordPress » brute force and wp-admin folder restriction

  • I don’t know how brute force attacks really work. I have limited access to the wp-admin folder with a password. My question is, how does the instance of two password protections defeat a brute force attack? Is it because the automated program won’t try the second time?


    • This topic was modified 1 year, 1 month ago by  jsbmac.
Viewing 6 replies - 1 through 6 (of 6 total)
  • A brute force attack is when they try to guess your paswword. So the most important is a strong password.
    See how strong your current password is at
    if you want to generate a strong password, use e.g.

    I get that part, and use a password manager and really strong passwords. I’m just trying to understand the advice of why adding the additional layer stops the BF attacks. It would seem that if the program guessed one password that it would just start working on the second one.

    In that case, it would seem that limiting login attempts would be a far better mitigation.

    Moderator Andrew Nevins


    WCLDN 2018 Contributor | Volunteer support

    The 2 factor authentication doesn’t prevent brute force attacks.

    Moderator Andrew Nevins


    WCLDN 2018 Contributor | Volunteer support

    Any solution implemented at the WordPress (software) level is a bad solution and this is not just regarding the security of your password. It’s the resources your server uses. Brute force attacks can strain your server and cost you money. You need to stop the attacks from using server resources at the _server_ level, otherwise it’ll be too late at the _software_ level.



    Andrew, thanks for your answer.

    OK, so to be clear, if there is a BF attack that is successful against wp-admin or wp-login, then it will also be successful against a password protected wp-admin folder? What if that password protection is from cPanel?

    What are the _server_ level protections? Like monitoring packets and closing down IP blocks?

    Thanks again!



    First, if you are using a non-obvious username (e.g. not ‘admin’) and a strong password, automated malicious login attacks are very unlikely to be successful. If you are using two strong passwords – and you keep them secret – I think you can almost rule out a successful attack of this kind. These are almost never BF attacks in the sense of guessing all possible passwords. Rather these are bots trying to get in using common admin user names – usually ‘admin’ – and lists of common passwords like Two factor authentication, obfuscating the login url, and/or using a captcha are other ways of thwarting these attacks.

    I am pretty sure what Andrew is pointing out is that while these attacks won’t succeed they won’t stop either and could become drain on your server resources. If the drain is not too noticeable many WP users just live with it. For what it’s worth, I use CloudFlare page rules to keep bad bots off my login page and admin area. (

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘brute force and wp-admin folder restriction’ is closed to new replies.