Jump to content

How to block requests from IPs trying to brute force your WordPress

Recommended Posts

I've been experiencing a lot of attacks, mainly brute-force password attacks, at my WordPress site and I was looking for a solution to this problem. I have installed the plugins such as Sucuri and Wordfence that provide some protection but the problem of blocking those bad IPs remained.


Sites like blocklist.de provide lists of such blacklisted IPs but how to import those lists in WordPress and use them to block those IPs? I found an easy solution through an excellent free plugin called CIDRAM:




My solution to protect WordPress so far is to use Sucuri and CIDRAM. Those two work well so far and don't overload the server CPU. Eventually I would like to move away from WordPress since it's very problematic...

Edited by spandso
Link to comment
Share on other sites

Hi spandso,


I would recommend you to use the Wordpress plugin 'Loginiser'. By the use of this plugin you will be able to limit the number of login attempts to your website. 


Personally I would suggest you not to leave WordPress coz they power 33% of the internet afterall.



  • Like 1
Link to comment
Share on other sites

Thank you all for your responses!


@Krydos, @wolstech, @flazepe: Yes I agree WP is insecure and badly developed but unfortunately I have invested a lot of time and effort to build my site with that. I will move to something better like Joomla when I manage to do so.


@Byron: I used .htaccess to block several IPs and also tried to be creative (block specific user agent used by the bad IPs). Unfortunately the list of IPs is growing. I've found out those IP are blacklisted in services like blocklist.de. CIDRAM solve the problem of having to continously update .htaccess with new bad IPs.


@sohamb03: Thank you for your suggestion. I will give it a try. For the time being my config (Sucuri + CIDRAM) works fine.


My advise: If you have a WP site please try to secure it as much as possible by doing the following (please feel free to add to the list):

  • Change the default admin username from "admin" to something else.
  • Install and activate a security plugin such as Sucuri
  • Install the blocklist plugin CIDRAM
  • Avoid installing too many plugins or plugins that are not updated regularly.
Link to comment
Share on other sites

@sohamb03: Thank you for your suggestion. I will give it a try. For the time being my config (Sucuri + CIDRAM) works fine.

Yeah sure. Loginizer definitely works coz it has been protecting my website from bruteforce attacks over a year now.



Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...