EDITS.WS

Category: jetpack.com

  • How to Detect & Remove Malware from a WordPress Site

    It’s no surprise that WordPress powers 43% of the web. Since it’s open source, people from around the world are constantly contributing to improvements. Plus, because of its huge library of free and premium plugins, it’s pretty simple for someone with limited development knowledge to build a fairly complex site. 

    But, as with anything so widely used, WordPress site owners need to stay vigilant against criminals who look for security gaps. One of the biggest threats is malware.

    That’s why learning how to remove malware from WordPress sites is so important. When you can identify when your WordPress site is infected, you can act quickly to clean it and prevent it from happening again in the future.  

    In this post, we’ll discuss the importance of detecting and removing malware on your WordPress site. Then we’ll walk you through how to do so — with and without a plugin. We’ll provide tips for protecting your site against malware in the future and then wrap up with some Frequently Asked Questions (FAQs). 

    The importance of malware detection and removal

    Malware is software designed to harm a computer system or its users. It can come in the form of a virus, worm, Trojan horse, or spyware; on a WordPress site it most often takes the form of injected PHP or JavaScript: backdoors, redirect scripts, spam pages, and credential stealers. Even with strong security measures in place, WordPress sites are regularly targeted by malware attacks.

    There are many different ways that malware can get onto your WordPress site. The most common route is a vulnerable or malicious plugin or theme, including “nulled” (pirated) premium plugins that ship with backdoors built in. Other routes include stolen administrator or hosting credentials, vulnerabilities in the core WordPress software, and vulnerabilities in other software on your server.

    Once the malware has infected a WordPress site, the person behind the attack can do a lot of damage — delete files, inject spammy links into your content, and even steal sensitive information like passwords and credit card numbers. Not only can this attack lead to unnecessary downtime, it can also hurt your reputation and lead to loss of business.

    Without some sort of malware scanning tool, you may not immediately notice when your site has been infected. And the longer malware goes undetected, the more damage it can do. This is where the best WordPress security plugins come into play. They can detect and eliminate threats before serious damage occurs. 

    Identify threats with a free plugin

    If you’re looking for a high-quality, free tool that monitors your site for you, Jetpack Protect is an excellent solution. It scans your site automatically for more than 28,700 vulnerabilities and provides recommendations for securing your WordPress site. 

    Jetpack Protect landing page

    There are no complicated settings or confusing terminology. You can just turn it on, then rest easy knowing that you’ll be alerted the second that malware or vulnerabilities are found.

    This is a great option for small businesses and new websites that want to better secure their WordPress site. Keep in mind, however, that the sole focus of Jetpack Protect is malware and threat identification, not removal. Keep reading for ways to remove malware from your WordPress site.

    How to conduct WordPress malware removal with a plugin 

    The easiest and quickest way to detect and remove malware from WordPress sites is to use a plugin. Fortunately, there are a handful of options to choose from. 

    We recommend Jetpack Scan, which automates the entire process of WordPress malware removal, saving you significant amounts of time and energy. Plus, it’s super easy to set up on your website. It can be purchased on its own, but works best as part of Jetpack’s wider WordPress Security plan that provides comprehensive coverage. Note that it takes the functionality included with Jetpack Protect one step further, with one-click malware fixes.

    Step 1: Scan your WordPress site for malware

    First, if you haven’t already, you’ll need to install the Jetpack plugin and purchase Jetpack Scan. Once the tool is activated, you can scan your WordPress site for malware.

    To do so, navigate to Jetpack and click on the Scan button.

    scanning for malware with Jetpack Scan

    Jetpack will now scan your site for any known malware threats. This process will likely take just a couple of minutes. 

    Step 2: Clean up detected malware (with 1 click)

    Ideally, no malware is detected, and your scan returns a “No vulnerabilities found” result.

    no vulnerabilities found notice with Jetpack Scan

    But if any malware is found, you’ll see a list of issues under Malware Threats Found. To remove the malware, simply click on the Remove threat button next to each one.

    That’s all there is to it! The plugin will automatically clean malware from WordPress for you. Again, this process will take just a few minutes at most.

    Step 3: Remove malware warnings from your WordPress site

    If Google has detected malware on your website, it will likely display a Safe Browsing warning to prevent visitors from trying to access it. This is a major problem because most potential visitors won’t proceed past this message.

    So, once you’ve identified and cleaned malicious code from your site, the last step is to remove these warnings. If your site has been flagged, open the Security Issues report in Google Search Console and request a review. Then it’s just a matter of waiting for a response; if Google still finds malware, the request is rejected and you’ll need to clean again before resubmitting.

    It’s really important that you don’t miss this step. See our full guide on how to remove your WordPress site from Google’s blocklist.

    How to conduct WordPress malware removal without a plugin 

    Although it’s usually faster (and easier), you don’t have to use a plugin to remove malware. There are some instances where a plugin may not be able to remove the threat, and in that case, it’s definitely a good idea to know the manual approach.

    It’s important to note that this approach involves a number of steps and requires a decent amount of time. It’s almost always better to use a malware removal plugin, if you can.

    Step 1: Put your WordPress site into maintenance mode

    The first thing you’ll need to do is put your site into maintenance mode. This process hides your website content from visitors and shows a message telling them that your site will return soon, so injected scripts and redirects aren’t served to them while you work. Keep in mind that a maintenance-mode plugin only changes what WordPress renders; it does not stop an attacker with a backdoor from running code on the server, so move through the remaining steps promptly.

    You can put your site into maintenance mode using a plugin like WP Maintenance Mode & Coming Soon.

    This free tool lets you easily enable maintenance mode on your site in just a few clicks. After you install and activate it, you can navigate to Settings → WP Maintenance Mode.

    turning on maintenance mode in WordPress

    Next, select Activated as the Status. When you’re done, click on the Save settings button at the bottom of the screen. Your site will now go into maintenance mode. 

    Step 2: Create a full backup of your WordPress site and database 

    Having a backup of your WordPress site is always a good idea. It can help you recover your site if something goes wrong or you accidentally delete something during cleanup. Label this particular backup clearly as the infected copy: it preserves evidence and lets you undo a mistaken edit, but you should never restore it wholesale.

    There are two aspects you’ll need to back up: your database and your files. The database is where your content, settings, and user information are stored. Your files are everything else, like your themes, plugins, and images.

    The best way to do this is with a WordPress backup plugin like Jetpack Backup. Not only does it provide an easy way to download your files and database on demand, it also automatically backs up your site in real-time. So, in the future, every single one of your changes will be saved.

    Alternatively, you can back up your WordPress site manually, using File Transfer Protocol (FTP) tools for the files and phpMyAdmin for the database. This method is just more technical and time-consuming.

    Step 3: Identify all malware on your site

    Once you’ve prepped your site, the next step is identifying any malware. This involves searching your database, files, and source code.

    One way to do this is to download a copy of your site’s files and run it through a desktop malware scanner such as Malwarebytes. Keep in mind that general-purpose antivirus tools catch only a fraction of PHP web shells, so a clean result is not proof that the site is clean.

    If you’re looking to identify malware manually, you’ll need to go through each of the key areas of your site to look for signs of infection. In your database, you can search for patterns commonly used by cybercriminals (you can refer to Step 9 for some popular examples of malicious PHP).

    If you’re scanning your source code (theme files, plugin files, and the HTML your pages actually serve) for malware, the two main HTML elements to look for are script and iframe. Tags such as <script src="URL"> or <iframe src="URL"> that load from a domain or file name you don’t recognize are common red flags, especially when they sit in a theme’s header.php or footer.php, at the very end of a file, or far to the right on an unusually long line.

    Step 4: Replace all WordPress core files with a clean installation

    If you have a corrupted WordPress installation, one of the best ways to clean your hacked site is to replace all of the core WordPress files with a fresh set of the same version. When doing this, you’ll only keep your original wp-config.php file and wp-content folder. (If you have shell access, WP-CLI’s wp core verify-checksums command compares your core files against the official checksums and lists modified and unexpected files before you start.)

    First, download a fresh copy of WordPress from WordPress.org.

    Unzip the file, then delete the wp-content folder from the fresh copy. The download contains wp-config-sample.php rather than wp-config.php, so nothing in it will overwrite your configuration. That is the only folder you should remove; everything else should be left intact.

    Next, use your File Manager or FTP client to upload the remaining files to your server, overwriting your existing installation. Overwriting replaces files that were modified, but it does not delete extra files an attacker dropped into wp-admin or wp-includes, so delete those two folders on the server first and then upload the fresh copies. Learn how to bulk upload files via FTP.

    Step 5: Remove any malicious code from the wp-config.php file

    It’s also a smart idea to compare your wp-config.php file to the wp-config-sample.php file shipped with WordPress. This step will make it easier to identify and locate anything that has been added (like malicious code).

    Open wp-config-sample.php from the fresh WordPress download as well as your existing wp-config.php file in a text editor to compare them. There are some legitimate reasons your file may be different from the sample, especially when it comes to information about your database and any constants your host added, but take the time to look for anything suspicious (an include or require of a file you don’t recognize, or a long encoded string) and remove it if necessary. While you’re there, replace the authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, and the rest of that block) with fresh values from the WordPress.org secret-key service at https://api.wordpress.org/secret-key/1.1/salt/; this invalidates every existing login cookie, including any the attacker holds. When you’re done, save the cleaned-up file, then upload it to your server. 

    Step 6: Re-install a clean version of your theme

    Next, you’ll want to re-install a clean version of your WordPress theme. But if you’re using a child theme (a copy of your theme with the functions and styling of its parent, plus custom edits), you don’t want to lose all of your work. Therefore, you’ll need to reinstall a clean version of your theme while keeping your child theme intact.

    From your WordPress dashboard, navigate to Appearance → Themes and temporarily activate a default theme (WordPress won’t let you delete a theme that is in use, and an active child theme keeps its parent in use). Next, go to your File Manager or FTP and delete your parent theme folder.

    deleting a parent theme in cpanel

    If you’re using a theme from the WordPress repository, head there, search for your theme, then download the latest version. If you’re using a premium theme, or a free option from elsewhere, you’ll need to download your theme files from that source. From your dashboard, navigate to Appearance → Themes, then select Add New → Upload Theme.

    adding a new WordPress theme

    Select the zipped file you just downloaded. After uploading it, click on the Activate button. 

    Now you can activate your child theme. Your site should now be running the latest version of the parent theme, with all your customizations from the child theme intact.

    Step 7: Check for recently-modified code files and repair them

    The next step is to look at any files that have been recently modified. To do this manually, you can connect to your site via FTP or File Manager, then sort your files based on the last modified date column:

    finding recently-modified files

    Make a note of any files that have recently been changed. Then go through each of them to review the code for suspicious additions. These could include PHP functions such as str_rot13, gzuncompress, or eval. Keep in mind that attackers frequently reset a file’s timestamp to match its neighbours, so an old modification date is not proof that a file is clean; combine this check with the content searches in Step 9.

    Step 8: Clean hacked database tables

    If your WordPress site has been infected with malware, there’s a chance that it created malicious content in your database tables. The usual spots are wp_posts (injected scripts or spam links in post content), wp_options (a changed siteurl or home value that redirects visitors, or encoded payloads stored in widget and theme options), and wp_users together with wp_usermeta (administrator accounts you didn’t create).

    To clean your tables, log in to your phpMyAdmin dashboard (available through your hosting provider), then navigate to the affected table and remove the malicious content. You can determine which tables have been affected using a scanner tool (like Jetpack Scan) or by comparing the current contents to a known-good backup.

    Note that you should create a backup of your site first; previous backups also give you the original contents to compare against. Look for commonly used functions (see the next step), suspicious links, users you don’t recognize, and so on. If you locate any, you can manually delete that content.

    Save your changes, then test your website to verify that it’s still working correctly. If you don’t want to modify your database tables manually, you can also use a tool like WP-Optimize.

    While it’s not a malware removal plugin, it can clean and optimize your database. But if you want to use a plugin to detect and clean WordPress malware, we recommend a dedicated solution like Jetpack Scan.
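    The following added Python example (not Jetpack’s code) shows the database checks described in this step as SQL: posts and options containing script or iframe tags or decoder calls, the siteurl and home values, and every administrator account. The SELECT statements are standard SQL you can paste into phpMyAdmin after swapping wp_ for your own table prefix; the in-memory sqlite3 database with a handful of rows is a constructed stand-in for the real tables so the example runs offline, and every domain and user name in it is made up.

```python
"""Hunt for common malware traces in the WordPress database.

Added example for this guide, not Jetpack's code. The SELECT statements are
plain SQL you can paste into phpMyAdmin (replace wp_ with your table prefix);
the sqlite3 database is a constructed miniature of wp_posts, wp_options,
wp_users and wp_usermeta so the example runs offline.
"""
import sqlite3
from typing import Dict, List, Tuple

# Fragments that rarely belong in content or options; tune for sites that
# legitimately embed scripts. These are fixed constants, not user input, so
# interpolating them into the LIKE clauses below is safe.
INJECTION_MARKERS = ("<script", "<iframe", "eval(", "base64_decode(", "fromCharCode")

CHECKS = {
    # Injected redirect/spam scripts most often land in post_content.
    "posts_with_injected_markup": """
        SELECT ID, post_title FROM wp_posts
        WHERE post_type IN ('post', 'page') AND ({posts_clause})
        ORDER BY ID""",
    # A hijacked siteurl/home sends every visitor somewhere else.
    "site_urls": """
        SELECT option_name, option_value FROM wp_options
        WHERE option_name IN ('siteurl', 'home')
        ORDER BY option_name""",
    # Widget, theme-mod and cron options are favourite places to stash payloads.
    "options_with_injected_markup": """
        SELECT option_name FROM wp_options
        WHERE {options_clause}
        ORDER BY option_name""",
    # List every administrator; anyone you do not recognise is a backdoor.
    "administrators": """
        SELECT u.ID, u.user_login, u.user_email FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.ID""",
}


def like_clause(column: str) -> str:
    """OR together a LIKE test for each marker against the given column."""
    return " OR ".join(f"{column} LIKE '%{marker}%'" for marker in INJECTION_MARKERS)


def run_checks(conn: sqlite3.Connection) -> Dict[str, List[Tuple]]:
    """Run every check and return its rows, keyed by check name."""
    results = {}
    for name, template in CHECKS.items():
        sql = template.format(posts_clause=like_clause("post_content"),
                              options_clause=like_clause("option_value"))
        results[name] = conn.execute(sql).fetchall()
    return results


def build_fixture() -> sqlite3.Connection:
    """Constructed sample data: one clean post, one injected page, a hijacked
    home URL, a payload in a widget option and a rogue administrator."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_content TEXT, post_type TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY,
                                 option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_posts VALUES
          (1, 'Hello world', '<p>Welcome to the site.</p>', 'post'),
          (2, 'About', '<p>About us</p><script src="//cdn.example-bad.test/r.js"></script>', 'page'),
          (3, 'Old revision', 'mentions eval( in passing', 'revision');
        INSERT INTO wp_options VALUES
          (1, 'siteurl', 'https://example.test'),
          (2, 'home', 'https://redirect.example-bad.test'),
          (3, 'blogname', 'Example Site'),
          (4, 'widget_text', 'a:1:{i:2;a:1:{s:4:"text";s:46:"<iframe src="//ads.example-bad.test"></iframe>";}}');
        INSERT INTO wp_users VALUES
          (1, 'owner', 'owner@example.test'),
          (2, 'wp_sys_admin', 'x@example-bad.test');
        INSERT INTO wp_usermeta VALUES
          (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for check, rows in run_checks(build_fixture()).items():
        print(check, rows)
```

    Against a real database you would run the four statements in phpMyAdmin’s SQL tab; a home or siteurl you didn’t set, or an administrator you don’t know, is the clearest signal that the database itself was tampered with and not just the files.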

    Step 9: Identify and remove hidden backdoors

    When hackers gain entry into your site, they’ll often leave behind a hidden ‘backdoor’ (a way to get back in). It is usually embedded in files that are named to look like regular WordPress files but placed in the wrong directory, or appended to the end of legitimate files where nobody looks.

    To identify and remove hidden backdoors from your WordPress site, you’ll need to search popular files and folders, including wp-content/plugins, wp-content/uploads (which should never contain PHP files at all), and wp-content/themes.

    When checking these files, there are a variety of PHP functions to look for, including:

    • exec
    • system (and its relatives shell_exec and passthru)
    • assert
    • base64_decode
    • str_rot13
    • gzuncompress (and gzinflate)
    • eval
    • stripslashes
    • preg_replace with the /e modifier (which executed the replacement as PHP code; removed in PHP 7)
    • move_uploaded_file

    These functions don’t inherently indicate malicious activity. But the manner and context in which they’re used can point to an infection: a file that base64-decodes a string, decompresses it, and hands the result to eval is hiding what it runs, and that pattern almost never appears in legitimate code.

    For example, malicious PHP usually:

    • Is located immediately before or after valid code, or far to the right on a very long line, so that it can run undetected.
    • Contains long strings of random-looking characters (letters and/or numbers), often a base64 blob.
    • Was recently inserted into your code, although attackers may forge the file’s timestamp to hide this.
    • Is accompanied by reinfectors (code that recreates the malware after you delete it), such as fake plugin folders or scheduled tasks, and by files set to read-only (444) permissions to resist cleanup.

    As with database tables, we recommend comparing your existing files to the originals to determine whether there’s a legitimate reason for the code to be there.

    Note that editing WordPress files can break key functions of your site, so it’s best to only do this if you have experience working with them. Otherwise, we recommend using a plugin like Jetpack Scan or hiring a professional.
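    Pulling together the manual searches from Step 3 (injected script and iframe tags), Step 7 (recently modified files) and this step (suspicious PHP functions), here is an added Python example, not Jetpack Scan’s code, that walks a WordPress tree and reports files worth a human look. It also flags PHP files under wp-content/uploads and request parameters fed straight into eval, and it deliberately treats an old timestamp as no evidence of innocence, since the fixture’s web shell has had its modification time forged. The compromised tree, domain names and plugin name in the demo are all constructed.

```python
"""Heuristic scan of a WordPress tree for backdoors and injected markup.

Added example covering Steps 3, 7 and 9 of this guide; not Jetpack Scan's code.
Every rule is a heuristic (eval and base64_decode also appear in legitimate
plugins), so treat hits as leads to compare against a clean copy, not verdicts.
"""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# Step 9: functions that execute, decode or unpack code.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|proc_open|base64_decode|"
    r"str_rot13|gzuncompress|gzinflate|move_uploaded_file)\s*\(", re.IGNORECASE)
# Request input fed straight into an execution sink: the classic one-line web shell.
REQUEST_SINK = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE)
# preg_replace with the /e modifier ran the replacement as PHP (removed in PHP 7).
PREG_E = re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.IGNORECASE)
# Long runs of base64 alphabet without whitespace: obfuscated payloads look like this.
LONG_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Step 3: <script src=...> or <iframe src=...> loading from another host.
REMOTE_EMBED = re.compile(
    r"<(script|iframe)[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml", ".php5"}
CODE_SUFFIXES = PHP_SUFFIXES | {".js", ".html", ".htm"}


def scan_tree(root: Path, own_hosts: set, recent_days: int = 7) -> List[Tuple[str, str]]:
    """Return (relative path, reason) pairs for everything worth a human look."""
    findings = []
    cutoff = time.time() - recent_days * 86400
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CODE_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_SUFFIXES and rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file inside the uploads directory"))
        text = path.read_text(errors="replace")
        if REQUEST_SINK.search(text):
            findings.append((rel, "request parameter passed straight into eval/exec (web shell)"))
        elif SUSPICIOUS_CALLS.search(text):
            names = sorted({m.lower() for m in SUSPICIOUS_CALLS.findall(text)})
            findings.append((rel, "uses execution/obfuscation functions: " + ", ".join(names)))
        if PREG_E.search(text):
            findings.append((rel, "preg_replace with /e modifier"))
        if LONG_BLOB.search(text):
            findings.append((rel, "long base64-like blob"))
        for _, host in REMOTE_EMBED.findall(text):
            if host.lower() not in own_hosts:
                findings.append((rel, f"script/iframe loaded from {host}"))
        # Step 7. Attackers often reset mtime to blend in, so an old timestamp never
        # clears a file; only a fresh one adds suspicion.
        if path.stat().st_mtime > cutoff:
            findings.append((rel, f"modified in the last {recent_days} days"))
    return findings


def by_file(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    grouped: Dict[str, List[str]] = {}
    for rel, reason in findings:
        grouped.setdefault(rel, []).append(reason)
    return grouped


def demo() -> Dict[str, List[str]]:
    """Constructed fixture resembling a compromised wp-content (all names made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            # Legitimate theme file, untouched for months.
            "wp-content/themes/site/functions.php": "<?php add_action('init', 'site_setup');",
            # Redirect script appended to the theme footer.
            "wp-content/themes/site/footer.php":
                "</footer><script src='//cdn.example-bad.test/r.js'></script>",
            # One-line shell in uploads, timestamp forged below to look old.
            "wp-content/uploads/2023/04/image.php": "<?php @eval($_POST['c']);",
            # Obfuscated dropper posing as a plugin.
            "wp-content/plugins/wp-cache-helper/wp-cache-helper.php":
                "<?php eval(gzuncompress(base64_decode('" + "QUJD" * 60 + "')));",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        old = time.time() - 180 * 86400
        os.utime(root / "wp-content/themes/site/functions.php", (old, old))
        os.utime(root / "wp-content/uploads/2023/04/image.php", (old, old))  # timestomped
        return by_file(scan_tree(root, own_hosts={"example.test"}))
```

    Point scan_tree at your web root with own_hosts set to the domains you actually serve assets from. The untouched theme file produces no findings; the timestomped shell is still caught by its contents, which is the whole reason not to rely on modification dates alone.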

    How to protect your WordPress site from future malware attacks 

    Learning how to remove malware from WordPress sites is incredibly useful. But it’s better to know how to prevent malware from infecting your website in the first place. Let’s discuss some actions you can take!

    1. Change your WordPress password and database credentials

    One of the most important things you can do is to change your WordPress password and your database credentials, immediately after any compromise and whenever you suspect they may have leaked. Assume an attacker who got into your files read wp-config.php; rotating every secret they could have taken makes it much more difficult for them to get back in with credentials they already hold.

    To change your password, log in to your WordPress dashboard and go to Users → Profile.

    From here, you can scroll to the Account Management section and select Set New Password.

    setting a new password in WordPress

    When you’re done, click on Update Profile at the bottom of the screen. Once you’ve changed your password, be sure to log out of all active sessions on your website (the Log Out Everywhere Else button in the Sessions section of your profile does this), including any other devices or browsers you may have used to access your WordPress site.

    You should also change your WordPress database password. To do this, you’ll need to edit your wp-config.php file. This file is located in the root directory of your WordPress installation and can be accessed via FTP or File Manager. 

    Once you’ve opened wp-config.php, look for the following lines:

    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'database_name_here' );
    /** MySQL database username */
    define( 'DB_USER', 'username_here' );
    /** MySQL database password */
    define( 'DB_PASSWORD', 'password_here' );
    /** MySQL hostname */
    define( 'DB_HOST', 'localhost' );

    You’ll want to update the DB_PASSWORD value (and DB_USER, if you create a new database user) with the new one. DB_NAME only changes if you have actually renamed the database. Once you’ve done that, save and close the file.

    For these values to work, you’ll also have to change them on the database server so that they match. Note that the database user’s password is not stored in any of WordPress’s own tables, so editing the users table in phpMyAdmin will not change it. Instead, use the database section of your hosting control panel (for example, MySQL Databases in cPanel) to set a new password for the database user, or use phpMyAdmin’s User accounts tab if your login has the privilege to do so. Make the change at the same time you edit wp-config.php, because the site can’t reach its database until the two match.

    2. Regularly update your WordPress site, themes, and plugins

    Outdated software is one of the most common ways hackers gain access to WordPress sites. Therefore, another way to prevent malware attacks is to keep your website updated. This step helps ensure your site has the latest security features and patches.

    To update WordPress core, log in to your dashboard and click on Updates. If there’s a new version of WordPress available, you’ll see a notice at the top of the screen.

    updating WordPress

    You can click on the Update button to install the latest version.

    Updating your plugins and themes is just as important as updating WordPress itself. Most plugin and theme developers release security updates regularly.

    You can do this by logging in to your WordPress site and checking the Updates tab. You’ll see any available plugin or theme updates under the main WordPress version updates.

    Then, select the Update Plugins or Update Themes button to install the latest versions. If you want to automate this process, you can also use Jetpack’s Automatic Plugin Updates feature. It will automatically install new versions of WordPress, plugins, and themes as soon as they’re released.

    You’ll need to install and activate the Jetpack plugin to enable this feature. Once you connect it to your WordPress.com account, you can navigate to Jetpack → Settings → Writing.

    Next, scroll to the Automated Updates section at the bottom of the page, then select which types of updates you want to enable: WordPress Core Updates, Plugin Updates, and/or Theme Updates.

    When you’re done, remember to save your changes. You can also manage updates on your Activity Log page. You can select the Update All button to run them all at once. 

    3. Install an automated malware scan plugin for WordPress

    You should also regularly scan your WordPress site for malware using a plugin like Jetpack Scan. Jetpack Scan will review your site for known malware and send you an email if it finds anything wrong.

    Once you download and install the plugin on your site, you can access the malware scan tool by clicking on Jetpack → Backup & Scan in the WordPress dashboard. There, you can see the current status of your site, and run a new scan if you’d like.

    4. Install an automated backup plugin for WordPress

    To prevent malware attacks and practice good overall security for your WordPress site, we suggest installing an automated backup plugin like Jetpack Backup.

    turning on backups with Jetpack

    Jetpack Backup is the best WordPress backup plugin because it saves your website in real-time. If anything changes — a page is updated, a post is published, a product is purchased, etc. — the latest backup file will reflect that. Plus, it integrates seamlessly with Jetpack Scan.

    So, if malware is found on your site, you’ll get a notification from Scan letting you know. Then, you can immediately restore a backup from right before the hack happened (even from your mobile device, if you’re on the go!) and skip most of the manual malware removal steps above. You’ll still need to close the hole the attacker used, by updating the vulnerable plugin or theme and rotating passwords and keys, or the restored site will be reinfected the same way.

    WordPress malware removal FAQs

    At this point, hopefully, you have a solid understanding of how WordPress malware detection and removal work. To ensure we covered the key areas, let’s wrap up with some FAQs!

    What are the signs of a WordPress malware infection?

    There are several signs that your WordPress site has been infected with malware. First, you may notice your site loading slowly, displaying error messages, or redirecting visitors to sites you don’t control.

    Second, you may see new users, posts, or files appearing on your site that you didn’t add, or spam pages for your domain showing up in search results. Finally, you may find that your website is on Google’s blocklist or is being blocked by visitors’ antivirus software.

    If you see any of these signs, it’s important to take action immediately to clean up your WordPress site. Ignoring a malware infection can lead to severe consequences, including data loss and website downtime.

    How does malware generally infect a WordPress site?

    There are a few different ways that malware can infect a WordPress site. First, it can come in through a WordPress plugin or theme vulnerability.

    It can also be uploaded by a hacker who gains access to your site through an insecure password or other method.

    Can I remove malware from WordPress myself?

    You always have the option of hiring an outside firm to remove malware from your site, but it usually gets pretty expensive. Instead, you can identify and remove malware from WordPress using a plugin like Jetpack. This is a fast, easy, and reputable solution. 

    If you’re an experienced developer, yes, you can manually remove malware from WordPress. This is a tedious process that has the potential to cause major errors on your site. You should proceed with caution if you choose this option. 

    Strengthen the security of your WordPress site

    WordPress is a flexible and powerful CMS, but because it’s so popular, hackers will sometimes target sites that use it. One of the most significant risks facing WordPress websites is malware.

    As we discussed in this post, there are multiple methods to detect and remove malware in WordPress. The easiest and fastest solution is to use a plugin like Jetpack. Alternatively, you can conduct malware removal manually. We also recommend regularly updating your WordPress software and creating backups to prevent issues in the future. 

    Looking for a hands-off, trusted way to automatically monitor your site for malware and vulnerabilities? Try the free Jetpack Protect plugin. 

    Do you want to take advantage of one-click malware removal and a library of additional security features? Get Jetpack Security today!

  • Guide to WordPress Brute Force Protection (+4 Best Plugins)

    Brute force attacks happen when hackers try to log in to your site by automatically trying one password after another. If they succeed, they could steal your private data, add malware, or even take down your website completely.

    Fortunately, you can easily prevent these brute force attacks. By simply updating your login information or enabling two-factor authentication, you can make it harder for hackers to enter your website. Another effective method is to install a brute force protection plugin like Jetpack.

    In this post, we’ll explain what brute force attacks are and how you can prevent them. Then, we’ll recommend the best plugins for brute force protection. 

    An introduction to brute force attacks

    Brute force attacks happen when hackers use trial and error to access your website. This usually involves guessing your login information using automated software. Essentially, hackers will try many different passwords and username combinations until they find yours.

    Other forms of hacking usually exploit vulnerabilities on your WordPress website. For instance, hackers can access your data through out-of-date software, plugins, or themes. Even an old PHP version can leave your site vulnerable.

    On the other hand, brute force attacks rely on weak login credentials. If you have a guessable password like “123456,” hackers can use automated software to enter your site.

    Brute force attacks are more common than you might think. In fact, they’re becoming more of a threat than ever before. Towards the end of 2021, the rate of brute force attacks increased by 160 percent.

    If your website suffers from a brute force attack, hackers can:

    • Steal your private data
    • Add malware to your site
    • Decrease your credibility and/or search rankings
    • Remove your content completely

    Needless to say, you’ll want to protect your website against these dangers. Although the default WordPress settings don’t offer extra protection against brute force attacks, you can take some steps to prevent them from happening.

    How to block brute force attacks on WordPress

    Now that you know about brute force attacks, let’s discuss how to protect your WordPress website from them. 

    Step 1: Update your username

    Since brute force attacks involve guessing login information, you can secure your WordPress website by updating your credentials. First, you should consider choosing a unique username.

    In older versions of WordPress, the default username was “admin.” Now, you choose your username when you install WordPress. But you might need to update your username if you have an older account or a hosting installer chose it for you.

    To see what your current username is, open your WordPress dashboard. Then, navigate to Users → Profile. You’ll find your username under the Name section.

    viewing your username in WordPress

    If you already have a unique username, skip to the next steps. If you see admin as your username, you’ll likely want to change it. Unfortunately, WordPress doesn’t let you edit a username directly from the dashboard.

    One of the simplest ways to change your WordPress username is to create a new user. Then, you can assign it a unique username and give it the same administrative privileges. The only downside of this method is that you’ll have to use a new email address.

    First, go to Users → Add New. On this page, create a new username and enter your email address. Be sure to set the user role as Administrator.

    creating a new user in WordPress

    If you want to use the same email address, you can simply add a plus sign with additional letters after the username. For instance, if your normal email address is “exampleemail@gmail.com”, you can use “exampleemail+wordpress@gmail.com.” WordPress will consider this a new email address, but it will use the same inbox.

    Next, you’ll need to log out of WordPress and use the new username to log back in. Then, go to the All Users page and click Delete underneath the admin user.

    During the deletion process, you’ll need to move its content to the new username. To do this, select Attribute all content to [new username]. This is a critical step — otherwise your content will be deleted.

    attributing content to a new user

    Finally, click on Confirm Deletion. If you want to start using the same email address assigned to the admin username, you can update that now. 

    If you want to change your existing username instead, you’ll need to do this through your WordPress database. Note that making changes to the database can be dangerous, so it’s best to do this only if you already have experience in this area. Also be aware that changing user_login alone doesn’t hide the old name completely: author archive URLs and the REST API expose the user_nicename field, so update that too if it still reads admin. To change your username, take the following steps:

    1. Click on the phpMyAdmin tool in your hosting provider’s control panel (cPanel or similar). The exact location can vary based on your host.
    2. Click on your WordPress site’s database in the left-hand panel. This will open up your database tables.
    3. Click on the wp_users table. The prefix “wp_” is set by default, but your host may have changed it to something else. For example, the table may be called “janb_users.” 
    4. Find the username you want to change on the right side — in this case, “Admin” — and click Edit.
    5. In the user_login field, type whatever new username you’d like to set.
    6. Click the Go button.

    Now, you can log in with the new username! 

    Step 2: Use a strong password

    Another way to protect your site against brute force attacks is to use a strong password. Since hackers use botnets (networks of compromised machines) to try passwords from lists of common and previously leaked ones, it helps to have a long one that appears on no such list.

    These are the characteristics of a strong password:

    • It’s long (at least 12 characters; the longer the better)
    • It uses uppercase and lowercase letters
    • It uses numbers and special characters
    • It’s unique from passwords used for other accounts or websites

    To update your WordPress password, navigate to Users → Profile. Then, scroll down to Account Management.

    Next, click on Set New Password. Once you do this, WordPress will automatically generate a strong password for you. This will be a complex credential that’s hard to guess.

    generating a new password in WordPress

    You can use this password or create your own. As you type, WordPress will indicate how strong or weak your new password is.

    weak password notice

    To make sure your new password is secure and random, you can use a password generator. This tool can automatically create a password with uppercase and lowercase letters, as well as numbers and symbols.

    After pasting your new password into the text box, scroll to the bottom of the page. Click on Update Profile to save your changes. A strong, unique password doesn’t need rotating on a fixed schedule, but change it immediately if you suspect it has been exposed, for example after a breach at another service where you used a similar one. 

    Step 3: Add two-factor authentication

    When you log in to your WordPress site with just a password, this is called single-step authentication. You can also implement two-step, or two-factor, authentication.

    With two-step authentication, you’ll provide two forms of verification to log in to your site. You’ll still enter your password, but you must also confirm your identity on your phone or another device.

    Jetpack makes it easy to add secure authentication to your website. First, install and activate Jetpack in WordPress. Then, in the Jetpack dashboard, click on Manage security settings.

    Scroll to the bottom of the page and find the WordPress.com login section. Here, turn on Require accounts to use WordPress.com Two-Step Authentication.

    turning on two-factor authentication in WordPress

    Then, find the Two-Step Authentication page in the Security tab. You can choose to set up your two-factor authentication with an app or SMS.

    setting up two-factor authentication

    If you choose the first option, you’ll need to download an app like Google Authenticator (iPhone | Android). WordPress will provide a QR code, which you can scan with the app and then enter the generated code.

    QR code for two-factor authentication

    When you click Set up using SMS, you’ll have to enter your phone number. Once you verify the code sent to your phone, you can start using two-factor authentication.

    setting up two-factor authentication via text

    Now you’ll verify your identity every time you log in to WordPress. Even if an attacker guesses your password, they still can’t get in without the second factor, which makes this the single most effective step against brute force attacks.

    Step 4: Install a brute force attack protection plugin

    After taking some basic steps to protect your login page, you can also benefit from installing a brute force protection plugin. The right tool can automatically block brute force attacks before they impact your site.

    As you’re trying to choose the best plugin for brute force protection, you should keep a few factors in mind. To protect your website, you’ll want to find a plugin that works behind the scenes to prevent and stop brute force attacks.

    Here are some basic features you should look for in a brute force protection plugin:

    • Limited login attempts
    • Two-factor authentication
    • A firewall
    • IP address blocklisting

    Additionally, many brute force protection plugins provide general security for your website. For example, Jetpack Security not only prevents brute force attacks but performs malware scans, creates automatic backups, and screens for spam.

    Jetpack is also one of the easiest brute force protection plugins to configure. After installing and activating Jetpack, you can turn on Brute force protection in the dashboard.

    turning on brute force attack protection in WordPress

    With this one click, you can enable Jetpack to prevent brute force attacks!
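    The following is an added example, not code from Jetpack or any plugin listed on this page, that models what the first and last features above (limited login attempts and IP blocklisting, plus an allowlist) do behind the scenes. It is standalone Python run over a few constructed login attempts rather than WordPress PHP, and the thresholds, address ranges and proxy address are assumptions. It also shows the one detail that decides whether this kind of protection works at all: the plugin has to know the visitor’s real IP, so a forwarded-address header must only be trusted when it comes from your own proxy.

```python
"""Added example: per-IP login lockout with block/allow lists.

Standalone model of what a brute force protection plugin does; not Jetpack's
or any other plugin's code. All thresholds, networks and events are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from typing import List, Optional, Tuple

MAX_FAILURES = 5        # assumption: failures allowed per IP per window
WINDOW_SECONDS = 600    # assumption: sliding window for counting failures
LOCKOUT_SECONDS = 900   # assumption: how long an IP stays locked out

ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]       # constructed: office range
BLOCKLIST = [ipaddress.ip_network("198.51.100.7/32")]      # constructed: known-bad host
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]  # constructed: our reverse proxy


def _in(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Resolve the real client address. X-Forwarded-For is only honoured when
    the direct peer is a trusted proxy; otherwise anyone can forge the header,
    dodge per-IP limits, or get an innocent address locked out. When the
    server is behind a proxy but not set up to pass the client IP through,
    every attempt looks like it comes from the proxy and per-IP limits fail."""
    if x_forwarded_for and _in(remote_addr, TRUSTED_PROXIES):
        # Our proxy appends the address it saw; take the last entry.
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class LoginGuard:
    def __init__(self) -> None:
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> unix time lockout ends

    def check(self, ip: str, now: int) -> str:
        """Decide before the password is even checked: allow, blocklisted, locked."""
        if _in(ip, ALLOWLIST):
            return "allow"
        if _in(ip, BLOCKLIST):
            return "blocklisted"
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        return "allow"

    def record(self, ip: str, success: bool, now: int) -> None:
        """Update the sliding window after an allowed attempt was checked."""
        if _in(ip, ALLOWLIST):
            return
        recent = self.failures[ip]
        if success:
            recent.clear()
            return
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()


# Constructed events: (unix time, remote_addr, X-Forwarded-For, username, password ok?)
EVENTS = [
    (1000, "198.51.100.7", None, "admin", False),           # on the blocklist
    (1010, "192.0.2.55", None, "admin", False),             # attacker, failures 1..5
    (1020, "192.0.2.55", None, "admin", False),
    (1030, "192.0.2.55", None, "admin", False),
    (1040, "192.0.2.55", None, "admin", False),
    (1050, "192.0.2.55", None, "admin", False),
    (1060, "192.0.2.55", None, "admin", False),             # 6th: now locked out
    (1070, "192.0.2.55", "203.0.113.5", "admin", False),    # forged header, ignored
    (1080, "192.0.2.10", "203.0.113.5", "editor", True),    # real user via our proxy
    (2000, "192.0.2.55", None, "admin", False),             # lockout has expired
]


def process(events) -> List[Tuple[str, str]]:
    """Run the events through the guard; return (resolved ip, verdict) per event."""
    guard = LoginGuard()
    out = []
    for ts, remote, xff, _user, ok in events:
        ip = client_ip(remote, xff)
        verdict = guard.check(ip, ts)
        if verdict == "allow":
            guard.record(ip, ok, ts)
        out.append((ip, verdict))
    return out


if __name__ == "__main__":
    for (ts, *_), (ip, verdict) in zip(EVENTS, process(EVENTS)):
        print(ts, ip, verdict)
```

    Two things worth noticing: the forged X-Forwarded-For at t=1070 does not let the locked-out attacker borrow the allowlisted address, and the real user behind the trusted proxy is resolved to their own address rather than the proxy’s. Plugins that count failures per username as well as per IP (iThemes does both) also catch distributed attacks that rotate source addresses.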

    The four best WordPress plugins for brute force attack protection

    Installing a plugin can be the most effective way to prevent brute force attacks. Still, you might not know which option is right for your website. Although there are many brute force protection plugins, four stand out as the best! 

    1. Jetpack


    When you download Jetpack, you can access brute force attack protection and many other security features. Jetpack also offers performance and growth tools, so you can choose a plan that’s perfect for your needs. 

    If brute force attack protection is all you need, the great news is that it’s completely free!

    Key features of Jetpack’s brute force attack protection:

    • One-click activation
    • Allowed IPs
    • The ability to see the number of blocked attacks
    • Two-factor authentication

    Pros:

    • If you’re accidentally locked out of your login page due to Jetpack’s protection measures, you can send a special login link to your email address.
    • Jetpack compares each new IP address to its global database of malicious addresses.
    • With Jetpack, you can also access extended security measures, like downtime monitoring, site backups, and malware scans.

    Cons:

    • Jetpack requires you to connect to a WordPress.com account. 
    • Brute force protection depends on knowing each visitor’s real IP address. If your server sits behind a proxy, load balancer or CDN and is not configured to pass the client IP through to WordPress, Jetpack cannot tell attackers apart from ordinary visitors and the feature may be disabled.

    Ease of use:

    With Jetpack, you can implement brute force attack prevention in a single step. After installation, just visit the main Jetpack dashboard to turn on the feature. Then, you can simply allow Jetpack to do the work without any maintenance.

    Pricing:

    Any WordPress user can start using brute force protection for free with Jetpack. 

    2. Sucuri


    Sucuri is a tool specializing in website monitoring, protection, and performance. By implementing a Web Application Firewall (WAF), Sucuri can block brute force attacks on your website. 

    Key features:

    • Web Application Firewall (WAF)
    • Limits login attempts
    • Automated tools to block bots
    • Allowlisting
    • Two-factor authentication, CAPTCHA, and passcodes

    Pros:

    • Sucuri includes geo-blocking so that you can block all visitors from specific IP ranges. This feature can prevent brute force attacks from certain countries.
    • Sucuri’s firewall is a cloud proxy: your DNS points traffic at Sucuri, so requests are inspected and filtered before they ever reach your WordPress server.

    Cons:

    • The free version of Sucuri does not provide brute force prevention. To access a WAF, you’ll need to purchase a subscription. 
    • Although Sucuri is an effective option for brute force attack prevention, it’s expensive. There are other free plugins with similar features.

    Ease of use:

    Compared to other plugins, Sucuri has a more complicated setup process. To start using Sucuri, you’ll need to purchase a plan and set up a firewall. This involves integrating your cPanel account and manually changing your DNS records.

    Pricing:

    With Sucuri, brute force protection requires a premium plan. This feature comes with all of its subscription options, which start at $199.99 per year.

    3. Wordfence Security


    Wordfence Security is a plugin that provides a firewall and security scanner all in one. This tool offers many forms of login security, including two-factor authentication, allowlisted IP addresses, and reCAPTCHA keys. 

    Key features:

    • Limits login attempts
    • Records successful and failed login attempts
    • Continually updated IP blocklist
    • Manual blocking tools
    • Two-factor authentication and reCAPTCHA 

    Pros:

    • Since it comes with a Web Application Firewall, Wordfence can identify and block malicious traffic on your site.
    • Wordfence can check administrator passwords against lists of credentials leaked in data breaches and refuse logins that use a compromised password.
    • Wordfence performs scheduled security scans every three days when you’re using the free version.

    Cons:

    • With the free version of Wordfence, new firewall rules and malware signatures arrive 30 days after premium customers receive them. To get real-time threat intelligence, you’ll have to upgrade to a paid plan.
    • The free plugin also doesn’t let you manually schedule scanning.

    Ease of use:

    Wordfence provides a very simple setup process for first-time users. After installing and activating the free plugin, it will prompt you to enter an email address where Wordfence can send alerts. Then, you can add brute force protection by implementing a firewall and login security features.

    Pricing:

    Even the free version of Wordfence Security comes with built-in brute force protection for unlimited sites. If you need advanced support, you can purchase a premium plan. These start at $99 per year.

    4. iThemes Security


    iThemes Security ensures that you can start protecting your website from brute force attacks in under ten minutes. With this plugin, you can quickly customize your login page with two-factor authentication and password requirements. Plus, iThemes will automatically add your site to its Brute Force Protection Network.

    Key features:

    • Maximum login attempts for both hosts and users
    • Local and network brute force protection
    • Graphs of recent brute force attacks
    • The ability to set password requirements for all users
    • Two-factor authentication

    Pros:

    • One of the main benefits of iThemes Security is its Brute Force Protection Network. It records suspicious activity across one million different websites, identifying malicious IPs.
    • You can set a maximum number of login attempts for your website, which can prevent automated login guessing.

    Cons:

    • If you want to add extra security features to your login page, like a reCAPTCHA field, you’ll need to purchase the premium plugin.
    • The free plugin does not include real-time security reports.

    Ease of use:

    After installation, the iThemes plugin will take you through a step-by-step setup process. Here, you can enable both local and network brute force protection. You can also choose to add two-factor authentication for extra security.

    Pricing:

    iThemes Security is a free WordPress plugin. If you’d like to use the real-time security dashboard, you can purchase the premium version, starting at $80 per year.

    Comparison of the top plugins that block brute force attacks

    Feature | Jetpack | Sucuri | Wordfence Security | iThemes Security
    Limit login attempts | Yes | Yes | Yes | Yes
    Two-factor authentication | Yes | Yes | Yes | Yes
    Real-time reports | Yes | Yes | Yes, with premium extension | Yes, with premium extension
    IP blocking | Yes | Yes | Yes | Yes
    reCAPTCHA | Yes | Yes | Yes | Yes, with premium extension
    Network brute force protection | Yes | No | No | Yes
    Ease of use | One-step activation | Requires manually changing DNS records | Simple tabs for managing your firewall, scans, and login security | Setup wizard to configure login security and user groups
    Price | Free | $199.99-$499.99 per year | Free-$950 per year | Free-$199 per year

    Frequently asked questions (FAQs)

    Now that you know all about brute force attacks and how to prevent them, let’s answer some questions!

    How much does brute force protection cost in WordPress?

    Brute force protection can be free if you download a brute force protection plugin like Jetpack. Other providers like Sucuri require a paid subscription.

    How can I set up brute force attack protection in WordPress?

    Setting up brute force protection will vary based on the provider you choose. Some options require you to configure a firewall, which can be complicated. Alternatively, Jetpack is a plugin that makes this process simple. After activation, you can turn on brute force protection with just one setting. 

    What else can I do to secure my WordPress site?

    There are many general security measures you can take to protect your website. First, consider performing consistent updates for the core software, themes, and plugins. You can also keep your data secure by backing up your website.

    Another simple security measure is blocking spam. It’s also a good idea to delete unused plugins and monitor your site activity. Finally, make sure you regularly scan for malware and take immediate action if anything is found. 

    Secure your website against brute force attacks

    Without the right protection, your website can fall prey to brute force attacks. Fortunately, a brute force protection plugin is a simple addition to your site. With these measures in place, password guessing becomes far less likely to succeed.

    To review, here’s how to implement brute force attack protection in WordPress:

    1. Use a non-default username (not admin).
    2. Use a strong password.
    3. Add two-factor authentication.
    4. Install a brute force attack protection plugin like Jetpack.

    After following these steps, you’ll be able to keep your information private and secure! Then, it’s just a matter of keeping your software up to date, backing up your files, and monitoring your website for spam and suspicious activity.