Brute Force Attacks – do the plugins actually work?

I’m working on a website for a client who is pretty afraid that her website will be “hacked”. Personally, I’ve worked with many WP sites over the past 15 years and never experienced anything that I would say could be hackers.

On her old website, build by someone else over at least 5 years ago, there are plguins like “Limit Login Attempts ” and “iThemes Security Pro\*\*”\*\* installed. From what I can see the LLA one says there were, for example, 928.446 attempts to login on September 12th alone???? And she regularly (weekly, if not daily) gets an email from iThemes security that they locked out some IP for the reason *”too many attempts to access a file that does not exist”.*

Honestly, if I would see these numbers on my own websites i’d be anxious about hackers too but like I said I’ve never experienced anything like this by simply following some security rules like using proper username/passwords, 2factor login, update regularly and delete all the stuff that’s not in use (themes + plugins).

**TLDR; I’m building an art-portfolio website for someone who’s afraid the site will be hacked. What are practices/plugins that** ***actually*** **work without inducing more anxiety with crazy high numbers.**

The new site is built with Bricks Builder and currently using these plugins:ACF, All In One WP Security, CookieYes, CPT UI, Email Address Encoder, Koko Analytics, Smush, LaPosta (newsletter), Translatepress, UpdraftPlus, Yoast Duplicate Post, Yoast SEO.

If there’s (better) alternatives to these and/or these are just a security hazard to begin with let me know!


EDIT: after writing this I noticed that the 928k login attempts are *WORLDWIDE* with this plugin apparently lol. Well that’s still anxiety inducing if you ask me. It said 3 failed attempts in the last 24h.

  1. There are automated processes that run 100% of the time and scan random websites for various flaws, and particularly known WP flaws.

    I usually don’t worry too much about the brute force attacks on WP sites, as it’s pretty easy to set up fail2ban (or other similar tools) at the system level. You want to deal with that on a level lower than PHP, if you want your server performances to be unaffected by these attacks.

    The main problem is with the surface your WP plugins offer to an attacker. Especially if you don’t update them often. There are new 0day exploits very often, and the more plugins you use the more you get exposed to this problem.

  2. Yes it’s common with wordpress hackers try to attack site with automated scripts using Linux Kali. It’s suggested to use wordfence and 2FA authenticator. Disable user registration and completely deny access to xmlrpc. Xmlrpc was used in older versions of wordpress to communicate with any custom API. It’s the xmlrpc and user registration that I have seen so many websites being hacked.

  3. Get setup in Cloudflare, and use their WAF rules to block problem countries, limit access to /wp-admin and block xmlrpx.php. And use Wordfence instead of AIO Security


This site will teach you how to build a WordPress website for beginners. We will cover everything from installing WordPress to adding pages, posts, and images to your site. You will learn how to customize your site with themes and plugins, as well as how to market your site online.

Buy WordPress Transfer