
Block WordPress Login Brute Force Attacks with PowerWAF

Attackers hammer wp-login.php with thousands of credential attempts per hour, trying to break into your WordPress admin. PowerWAF blocks brute force attacks at the edge — before they reach your server.


OWASP A07:2021 Identification and Authentication Failures

WordPress Login: The #1 Brute Force Target

Every WordPress site exposes wp-login.php to the internet — a universal authentication endpoint that attackers know exists on over 40% of all websites. Automated bots run 24/7, cycling through stolen credential lists, common passwords, and dictionary attacks. A single unprotected WordPress login can receive tens of thousands of brute force attempts per day, consuming server resources, risking account compromise, and filling your logs with noise.

90,000+ Daily brute force attempts on an average unprotected WordPress site

WordPress security plugins try to handle this inside PHP — but by then, your server is already processing every malicious request. PowerWAF blocks brute force traffic at the edge, before it touches your server, without installing any plugin or changing your WordPress code.

How Brute Force Attacks Target WordPress

Attackers use multiple vectors to break into WordPress authentication — from direct login floods to API abuse.

🔐

wp-login.php Attacks

Direct POST requests to wp-login.php with automated credential lists, testing thousands of username/password combinations per hour.

POST /wp-login.php
log=admin&pwd=password123&wp-submit=Log+In

xmlrpc.php Multicall

The XML-RPC system.multicall method lets attackers wrap hundreds of authenticated calls (typically wp.getUsersBlogs, each with its own username/password pair) in a single HTTP request, so a per-request rate limit sees one POST while WordPress checks hundreds of credentials.

<methodCall>
  <methodName>system.multicall</methodName>
  <params>[500 auth attempts]</params>
</methodCall>

wp-admin Probing

An unauthenticated GET to /wp-admin/ is redirected to wp-login.php, which both confirms that WordPress is installed and hands the bot the login URL. The bot follows the redirect, keeps the cookie jar, and starts guessing.

GET /wp-admin/ → 302 /wp-login.php?redirect_to=%2Fwp-admin%2F

REST API Auth Abuse

Attackers enumerate valid usernames via /wp-json/wp/v2/users, which lists the accounts that have published content, then launch targeted brute force attacks against confirmed accounts instead of guessing names.

GET /wp-json/wp/v2/users → [{"slug":"admin"},{"slug":"editor"}]

Distributed Botnets

Large botnets spread login attempts across thousands of IPs, sending only a few requests per IP to evade simple rate-limiting rules.

IP 1:    admin/pass1
IP 2:    admin/pass2
...
IP 5000: admin/pass5000

How PowerWAF Stops WordPress Brute Force

Edge-level protection that blocks login attacks before they consume your server resources. No plugins. No PHP overhead.


Rate Limiting on /wp-login.php

Intelligent rate limiting on POST requests to wp-login.php blocks rapid-fire login attempts while allowing legitimate administrators to log in normally.

Stops automated credential spraying

xmlrpc.php Blocking

Block or restrict xmlrpc.php entirely, or selectively filter system.multicall requests so that a single HTTP request cannot carry hundreds of credential checks. Blocking xmlrpc.php outright also disables Jetpack, the WordPress mobile apps and pingbacks, so prefer the selective filter if you rely on any of them.

Eliminates the XML-RPC brute force vector
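The multicall payload described above and the selective filtering in this section, as an added example that is not PowerWAF's code: a Python inspector that builds the attacker's system.multicall body (used only as test input) and then decides whether a proxy should pass a POST to xmlrpc.php. The method list, the one-credential-per-request threshold, the body-size cap and the sample payloads are assumptions.

```python
"""Inspect an XML-RPC body for system.multicall credential stuffing.

Added example, not PowerWAF code. A reverse proxy that wants to keep
xmlrpc.php reachable for Jetpack or the mobile app, but refuse mass
credential testing, can apply this check to every POST /xmlrpc.php body.
The method list, the thresholds and the sample payloads are assumptions.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Methods whose first two params are username/password; the usual wrappers
# for brute force inside a single multicall (assumption: extend as needed).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "wp.getUsers"}
# One credential-bearing call per request is enough for any legitimate client.
MAX_AUTH_CALLS_PER_REQUEST = 1
# Cap the body before parsing attacker-controlled XML (assumption).
MAX_BODY_BYTES = 256 * 1024


def multicall_payload(creds):
    """Attacker side: wrap one wp.getUsersBlogs call per credential pair."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name>"
        "<value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{escape(u)}</string></value>"
        f"<value><string>{escape(p)}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for u, p in creds
    )
    return (
        "<?xml version='1.0'?>"
        "<methodCall><methodName>system.multicall</methodName>"
        "<params><param><value><array><data>"
        f"{calls}"
        "</data></array></value></param></params></methodCall>"
    )


def inspect_xmlrpc(body):
    """Return ('allow' | 'block', reason) for one XML-RPC request body."""
    if len(body.encode()) > MAX_BODY_BYTES:
        return "block", "XML-RPC body too large"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "block", "malformed XML-RPC body"
    if root.tag != "methodCall":
        return "block", "not a methodCall"
    method = root.findtext("methodName", default="")
    if method != "system.multicall":
        return "allow", method or "no methodName"
    # Every inner call is a <struct> whose methodName member names the method.
    inner = [
        s.text or ""
        for s in root.iterfind(".//struct/member[name='methodName']/value/string")
    ]
    auth_calls = sum(1 for m in inner if m in AUTH_METHODS)
    if auth_calls > MAX_AUTH_CALLS_PER_REQUEST:
        return "block", f"system.multicall carrying {auth_calls} credential-bearing calls"
    return "allow", f"system.multicall with {len(inner)} calls"


if __name__ == "__main__":
    flood = multicall_payload([("admin", f"password{i}") for i in range(200)])
    print(inspect_xmlrpc(flood))
    print(inspect_xmlrpc(multicall_payload([("admin", "one-try")])))
```

The check keeps ordinary XML-RPC clients working: a single wp.getUsersBlogs call, a pingback, or a multicall of non-authenticated methods all pass, while a multicall that carries more than one credential pair is refused before PHP ever runs. In production, parse with defusedxml rather than the stdlib parser, since the body is attacker-controlled.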

Bot Detection

Advanced bot fingerprinting identifies automated login tools, headless browsers, and scripted attacks — blocking them before the first password guess.

Detects automated attack tools

IP Reputation

Real-time threat intelligence feeds identify known brute force sources, compromised hosts, and botnet IPs — blocking them on the first request.

Blocks known malicious IPs instantly

Geo-Blocking

Restrict access to wp-login.php and wp-admin by country or region. If your admins are in two countries, block login access from everywhere else. Geo-IP data is coarse and admins on VPNs or travelling will be caught by it, so pair it with an allowlist of known admin addresses.

Reduces attack surface by geography

Protected in Minutes, Not Months

No plugins to install. No PHP files to edit. No server reconfiguration.

1. Point DNS

Change your DNS records to route traffic through PowerWAF. No WordPress plugin or server changes needed.

2. Instant Protection

PowerWAF immediately starts blocking brute force attempts on wp-login.php, xmlrpc.php, and wp-admin.

3. Monitor Everything

Real-time dashboard shows blocked login attempts, attacker IPs, targeted usernames, and attack trends.

Works with any WordPress hosting: shared, VPS, dedicated, managed WordPress, or cloud providers.

See PowerWAF in Action

Real-time view of brute force attacks on WordPress login being detected and blocked at the edge.

powerwaf-access-log — live
14:22:01 BLOCKED 198.51.100.87 POST /wp-login.php (user: admin) → Brute force — rate limit exceeded
14:22:01 BLOCKED 198.51.100.87 POST /wp-login.php (user: administrator) → Brute force — rate limit exceeded
14:22:02 BLOCKED 198.51.100.23 POST /xmlrpc.php (system.multicall x200) → XML-RPC multicall brute force
14:22:03 BLOCKED 203.0.113.42 POST /wp-login.php (user: admin) → Known malicious IP
14:22:04 ALLOWED 203.0.113.50 POST /wp-login.php (user: sarah) → Legitimate admin login
14:22:05 BLOCKED 203.0.113.71 POST /wp-login.php (user: test) → Bot fingerprint detected
14:22:06 BLOCKED 198.51.100.55 POST /wp-login.php (user: user1) → Brute force — credential stuffing pattern
14:22:07 BLOCKED 203.0.113.99 POST /wp-login.php (user: wordpress) → Brute force — common username list
14:22:08 ALLOWED 198.51.100.12 GET /wp-admin/ → Authenticated admin session
14:22:09 BLOCKED 198.51.100.87 POST /wp-login.php (user: info) → Brute force — rate limit exceeded

Simulated log showing how PowerWAF blocks brute force login attempts while allowing legitimate WordPress admin access.

Proven Protection at Scale

< 5 min Average setup time — DNS change only
0 plugins No WordPress plugins to install or maintain
24/7 Real-time brute force monitoring and blocking

Real-World Scenarios

WordPress Blog Under Attack

A popular WordPress blog receives over 50,000 brute force login attempts daily, slowing the server and triggering resource limit warnings from the hosting provider. PowerWAF blocks all automated login attempts at the edge, reducing server load by 40% and eliminating brute force noise from access logs.

WooCommerce Store

A WooCommerce store with customer accounts faces credential stuffing attacks using passwords leaked from other breaches. PowerWAF detects the stuffing pattern, blocks the attack, and protects both admin and customer login endpoints without affecting the checkout experience.

WordPress Multi-site Network

A university runs 200+ WordPress sites on a multi-site network. Each site has its own wp-login.php under attack. PowerWAF provides centralized brute force protection across every site in the network from a single dashboard, without installing plugins on each individual site.

Works with any WordPress setup

WordPress.org
WooCommerce
Elementor
WPForms
Yoast SEO
Contact Form 7
Gutenberg
ACF Pro
WP Multisite
Any Plugin

Frequently Asked Questions

Why is wp-login.php the most attacked WordPress endpoint?
wp-login.php is the default authentication endpoint for every WordPress installation. Because WordPress powers over 40% of all websites, attackers know this endpoint exists on millions of sites. Automated bots continuously scan the internet for WordPress installations and launch brute force attacks against wp-login.php using lists of common usernames and passwords. Unlike other endpoints, wp-login.php cannot be removed without breaking WordPress authentication; the most WordPress itself allows is renaming it with a plugin, which only hides it from untargeted scans.
How does PowerWAF stop WordPress brute force attacks?
PowerWAF sits in front of your WordPress site as a reverse proxy and applies intelligent rate limiting to authentication endpoints like wp-login.php and xmlrpc.php. It tracks login attempt frequency per IP address, detects credential stuffing patterns, and blocks malicious IPs using real-time threat intelligence. Legitimate users can still log in normally while automated attacks are blocked at the edge before reaching your server.
Does PowerWAF block xmlrpc.php brute force attacks?
Yes. The XML-RPC interface (xmlrpc.php) is a major brute force vector because it allows attackers to test hundreds of username/password combinations in a single request using the system.multicall method. PowerWAF can block or restrict access to xmlrpc.php entirely, or apply intelligent filtering to allow legitimate XML-RPC usage while blocking brute force multicall attempts.
Will PowerWAF block legitimate admin logins?
Not under normal use. PowerWAF uses rate limiting that distinguishes between normal login behavior and brute force patterns: a legitimate administrator logging in a few times per day stays far below the threshold, while automated attacks that send dozens or hundreds of login attempts per minute are flagged and blocked. Many users logging in from behind one NAT address (an office or a campus) share that address's counter, so whitelist those addresses for unrestricted admin access.
Do I need to install a WordPress plugin for brute force protection?
No. PowerWAF operates as an external reverse proxy — you simply change your DNS records to route traffic through PowerWAF. Unlike WordPress security plugins like Wordfence or Limit Login Attempts that run inside PHP and consume server resources during an attack, PowerWAF blocks brute force traffic at the edge before it reaches your server. No plugin installation, no PHP overhead, no database queries for every login attempt.
Can PowerWAF protect against distributed brute force attacks?
Yes. Distributed brute force attacks use thousands of different IP addresses to avoid per-IP rate limits. PowerWAF detects distributed attacks by analyzing login attempt patterns across its entire network, using IP reputation databases, bot fingerprinting, and behavioral analysis. Even if each IP only sends a few requests, PowerWAF identifies and blocks the coordinated attack.
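The per-IP rate limiting described under "Rate Limiting on /wp-login.php" and the cross-IP correlation this answer describes, as an added example that is not PowerWAF's code: two sliding-window counters replayed over constructed access-log lines. One window is keyed by client IP and catches a single host hammering the login; the other is keyed by the targeted username and catches a botnet that spreads attempts for the same account across many addresses, each staying under the per-IP limit. The log format, the thresholds and the addresses are assumptions.

```python
"""Per-IP rate limiting plus cross-IP username tracking for wp-login.php POSTs.

Added example, not PowerWAF code. Replays constructed log lines through
two sliding-window counters and returns a verdict per login attempt.
Log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict, deque

# Constructed log format: "<unix_ts> <client_ip> <method> <path> <form body>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) POST /wp-login\.php log=(?P<user>[^&\s]+)")


class SlidingWindow:
    """Counts events per key inside a trailing window of `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        """Record one event for `key` at `ts`; True when the key is over its limit."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q) > self.limit


def classify(lines, per_ip=(5, 60), per_user=(20, 300)):
    """Return (ip, user, verdict) for every wp-login.php POST in `lines`.

    per_ip: at most 5 attempts per source address per 60 s (assumption).
    per_user: at most 20 attempts against one username per 300 s, from any
    number of addresses (assumption); this is the distributed-botnet check.
    """
    ip_win = SlidingWindow(*per_ip)
    user_win = SlidingWindow(*per_user)
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login POST; other rules would handle it
        ts, ip, user = int(m["ts"]), m["ip"], m["user"]
        ip_over = ip_win.hit(ip, ts)      # always count both, then decide
        user_over = user_win.hit(user, ts)
        if ip_over:
            verdict = "block:rate-limit"
        elif user_over:
            verdict = "block:distributed"
        else:
            verdict = "allow"
        out.append((ip, user, verdict))
    return out


def summarize(results):
    """Count verdicts, e.g. {'allow': 26, 'block:rate-limit': 3, ...}."""
    counts = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: one noisy host, one 30-address botnet, one real admin.
SAMPLE_LOG = [
    # 8 attempts in 8 s from one address against admin: per-IP limit trips
    *[f"{1000 + i} 198.51.100.87 POST /wp-login.php log=admin&pwd=p{i}" for i in range(8)],
    # 30 addresses, one attempt each, same account: per-IP stays quiet
    *[f"{2000 + i} 203.0.113.{i + 1} POST /wp-login.php log=editor&pwd=p{i}" for i in range(30)],
    # a legitimate administrator
    "3000 192.0.2.10 POST /wp-login.php log=sarah&pwd=correct-horse",
    "3001 192.0.2.10 GET /wp-admin/",
]

if __name__ == "__main__":
    for ip, user, verdict in classify(SAMPLE_LOG):
        print(f"{verdict:18} {ip:15} user={user}")
    print(summarize(classify(SAMPLE_LOG)))
```

On the sample the per-IP window blocks the sixth, seventh and eighth attempts from 198.51.100.87, and the per-username window starts blocking the botnet at its twenty-first attempt against editor even though no single address ever exceeds one request. A per-username counter can be abused to lock a real account out, so in practice answer the distributed verdict with a bot challenge rather than a hard block, and whitelist addresses that many staff share behind NAT.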
How quickly does PowerWAF start blocking brute force attacks?
Immediately. As soon as you point your DNS to PowerWAF, brute force protection is active. Known malicious IPs are blocked from the first request using real-time threat intelligence. Rate limiting rules for wp-login.php and xmlrpc.php are enabled by default. There is no learning period or warm-up time — your WordPress login is protected from the moment traffic starts flowing through PowerWAF.

Protect Your WordPress Login Today

No credit card required. No plugins to install. Set up in under 5 minutes.
