How to stop brute force and credential stuffing attacks on WordPress
The fastest way to lose a WordPress site is a cracked login. Bots try billions of stolen and guessed passwords against WordPress logins every year. Here is how brute force and credential stuffing work and how to shut them down.
A WordPress login is the front door to everything, your content, your customers’ data, your revenue, and it is under near-constant automated assault. Two attacks dominate: brute force, where bots systematically guess passwords, and credential stuffing, where they try username-and-password pairs stolen from breaches on other sites. Both are automated, both run at a scale that is hard to comprehend, billions of attempts across WordPress every year, and both have the same goal: crack a login, especially an administrator login, and own your site. The uncomfortable truth is that these attacks succeed constantly, not because they are sophisticated, but because so many sites rely on a single weak or reused password as their only defense. This guide explains how brute force and credential stuffing work against WordPress, why they are so effective, what a cracked login costs, and how to shut them down, including with the RankShield WordPress plugin. The honest framing: no defense makes a login impossible to crack, but the right layers make these automated attacks fail so reliably that attackers move on to easier targets.
What is the difference between brute force and credential stuffing?
Both attacks aim to crack a login by trying many passwords automatically, but they differ in where the guesses come from, and that difference shapes how you defend against each. Brute force is the more primitive of the two: a bot systematically tries passwords against a username, common passwords first, then dictionary words, then combinations, betting that the account uses something weak or guessable. Against a strong, unique password, pure brute force is slow and usually futile, but against the weak passwords still in wide use, it works, and it works at the speed of automation, thousands of guesses a minute.
Credential stuffing is smarter and, today, far more dangerous. Instead of guessing, the attacker starts with real username-and-password pairs stolen from breaches on other websites, billions of which are freely circulating, and tries them against your login. It works because of password reuse: a huge share of people use the same password across many sites, so a credential leaked from an unrelated breach is very likely to also unlock accounts elsewhere, including on your WordPress site. This is why credential stuffing is so effective, it is not guessing, it is trying passwords that are already known to be real, just from a different site. On WordPress specifically, both attacks target wp-login.php and the XML-RPC interface, which can be abused to test many credentials per request. The defenses overlap heavily, but the mental model matters: brute force is beaten mainly by password strength and attempt limits, while credential stuffing is beaten by strong authentication that makes a correct password insufficient on its own.
Why are brute force and credential stuffing so effective against WordPress?
They are effective for a combination of scale and human habit. On scale: these attacks are fully automated and cheap, so attackers run them continuously against every WordPress site they can reach, and the totals are almost incomprehensible, Wordfence recorded more than 55 billion password-attack attempts against WordPress in 2024 alone. At that volume, any login protected only by a weak or reused password will eventually be found. WordPress’s ~43% market share makes it the highest-value target for these reusable automated campaigns, so no site is too small or obscure to be hit; the bots do not know or care who you are.
On human habit: the attacks succeed because of how people actually use passwords. Verizon’s 2025 Data Breach Investigations Report found that 88% of basic web-application attacks involve stolen credentials, and that credential stuffing accounts for a median of around 19% of daily authentication traffic, meaning a large fraction of all login attempts across the web are attackers testing stolen passwords. The root cause is password reuse: because people reuse the same handful of passwords everywhere, one breach anywhere becomes a master key tried everywhere. This is precisely why the security industry, through the FIDO Alliance and major platforms, is pushing passkeys and phishing-resistant authentication to move beyond passwords entirely (FIDO Alliance). Until that transition is complete, a WordPress login defended by a password alone is defended by the weakest link in the entire internet’s password hygiene, which is why hardening the login is one of the highest-value security steps a WordPress owner can take.
What does a cracked WordPress login actually cost you?
The cost of a cracked login is the cost of losing the whole site, because that is what an administrator account is: total control. Once an attacker is in as admin, they can do anything you can, and the typical outcomes are severe. They can deface the site, inject malware that infects your visitors, plant SEO-spam that gets you blacklisted by Google and destroys your search rankings, steal customer and order data, install a persistent backdoor so they keep access even after you change the password, or conscript your site into attacking others. For an ecommerce or business site, any of these can mean lost revenue, lost customer trust, and a cleanup that is far more expensive and stressful than the prevention would have been.
The broader breach economics underline the stakes, the global average cost of a data breach reached $4.44 million in 2025 (IBM Cost of a Data Breach 2025), and while a small WordPress site’s incident costs a small fraction of that, the proportional damage to a small business can be existential. There is also a compounding cost: a compromised site is often used to attack others or to host further attacks, which can get your domain and IP blacklisted, damaging deliverability and reputation long after the immediate breach is cleaned up. The essential point is that the login is the highest-leverage target on your entire site, one weak or reused password stands between an automated bot and everything you have built, which is exactly why these high-volume, low-sophistication attacks are worth defending against seriously.
How do you stop brute force and credential stuffing on WordPress?
The good news is that these attacks, for all their volume, are beaten by a well-understood set of layers. Because they rely on unlimited automated attempts and on weak or reused passwords, defenses that remove those two conditions make the attacks fail reliably. Here is the layered approach.
- Limit login attempts: cap how many failed attempts an IP or account can make, so a bot cannot make unlimited guesses, this single measure defeats most pure brute force.
- Require strong authentication: two-factor authentication or passkeys mean a correct password alone is not enough, which defeats credential stuffing even when the stolen password is right, the single most powerful step.
- Protect or disable XML-RPC: this WordPress interface can be abused to test many credentials per request, so protecting or disabling it closes a favorite brute-force amplifier.
- Enforce strong, unique passwords: block weak and known-breached passwords for admin accounts so guessing and reuse both fail; use unique passwords per site.
- Detect and block attack patterns: identify the high-velocity, distributed signature of automated login attacks and challenge or block it, ideally before it finds a working credential, and get alerted when an attack spikes.
How does the RankShield WordPress plugin stop login attacks?
Login attacks are automated, high-volume, and pattern-driven, and detecting and stopping that automation is exactly what the RankShield WordPress plugin is built for. It watches login activity and recognizes the signatures of brute force and credential stuffing, the bursts of failed attempts, the distributed attacks spread across many IPs, the high-velocity testing of stolen credentials, and blocks or challenges them, ideally before an attack finds a working password. It reinforces the fundamentals rather than replacing them: it works alongside attempt limits, strong authentication, and XML-RPC protection as the detection layer that sees the attack coming and shuts it down, and because it connects the activity to the pattern behind it rather than judging each attempt alone, it can recognize a distributed campaign that per-IP limits would miss. It also produces a verifiable record of the attacks it saw and the actions it took, so you have real evidence of what hit your site and how it was handled.
The honest boundary is important, because login security is a magnet for overclaims. No defense makes a login impossible to crack, an attacker with a correct, reused password and no second factor can still get in, which is exactly why strong authentication matters, and no plugin makes a site “unhackable.” What layered defense does is make these automated attacks fail so reliably that they stop being worth an attacker’s effort against you, and it gives you fast, verifiable warning when an attack is underway. Anyone promising an uncrackable login or an unhackable WordPress is overselling; the realistic, valuable outcome is that brute force and credential stuffing, which hit every WordPress site billions of times a year, are reduced to a non-event on yours. Explore the plugin on the WordPress security plugin page, and the wider automated-threat picture in how to stop bot attacks on WordPress.
Could your WordPress login survive an attack?
Run this quick check to see whether your login would withstand the automated attacks that hit every WordPress site. It looks at whether bots can make unlimited attempts, whether a stolen password alone would get them in, and whether you would detect an attack in progress. The gaps it surfaces are how logins get cracked.
Questions, answered.
What is a brute force attack on WordPress?
A brute force attack is when a bot systematically guesses passwords against a WordPress login, trying common passwords, dictionary words, and combinations at automated speed to crack an account, especially an administrator account. It targets wp-login.php and the XML-RPC interface, and it succeeds against weak or common passwords because it can make thousands of attempts per minute. Against a strong, unique password with login-attempt limits in place, pure brute force is slow and usually fails, but the sheer volume, Wordfence recorded over 55 billion password-attack attempts across WordPress in 2024, means any login protected only by a weak password will eventually be found. Limiting attempts and enforcing strong passwords are the core defenses.
What is credential stuffing, and how is it different from brute force?
Credential stuffing is a more dangerous cousin of brute force. Instead of guessing, the attacker starts with real username-and-password pairs stolen from breaches on other websites, billions of which circulate freely, and tries them against your WordPress login. It works because of password reuse: since many people use the same password across sites, a credential leaked from an unrelated breach often unlocks accounts elsewhere too, including yours. So while brute force guesses, credential stuffing tries passwords already known to be real. That is why it is so effective, 88% of basic web-app attacks involve stolen credentials (Verizon 2025 DBIR), and why the key defense differs: brute force is beaten by password strength and attempt limits, but credential stuffing is beaten by strong authentication that makes a correct password insufficient alone.
How do I protect my WordPress login from these attacks?
Use layered defenses that remove the two things these attacks rely on, unlimited attempts and weak or reused passwords. Limit failed login attempts so bots cannot guess without end; require two-factor authentication or passkeys on admin accounts so a correct stolen password alone is not enough (this is the single most powerful step, since it defeats credential stuffing); protect or disable XML-RPC, which can be abused to test many credentials per request; enforce strong, unique passwords and block known-breached ones; and detect the high-velocity, distributed pattern of automated login attacks so they are challenged or blocked before finding a working credential. Together these make brute force and credential stuffing fail reliably, even at the enormous volumes they run at.
Should I disable XML-RPC on WordPress?
For most sites, protecting or disabling XML-RPC is a sensible hardening step, because it is a common vector for brute-force and credential-stuffing attacks: the interface can be abused to test many credentials in a single request, amplifying an attack. If you do not use features that depend on XML-RPC (some older apps, remote-publishing tools, and certain plugins do), disabling it removes an attack surface with no downside. If you do rely on it, protect it, restrict access and put it behind the same attempt limits and detection as your main login, rather than leaving it open. The general principle is to close or guard interfaces that let attackers test credentials at scale, and XML-RPC is a classic example. Check what your site actually needs before disabling.
How does the RankShield WordPress plugin stop login attacks?
It is the detection-and-response layer for automated login attacks. The plugin watches login activity and recognizes the signatures of brute force and credential stuffing, bursts of failed attempts, distributed attacks across many IPs, high-velocity testing of stolen credentials, and blocks or challenges them, ideally before an attack finds a working password. Because it connects the activity to the pattern behind it, it can catch a distributed campaign that simple per-IP limits would miss, and it produces a verifiable record of the attacks and the actions taken. It works alongside the fundamentals, attempt limits, strong authentication, XML-RPC protection, rather than replacing them. It does not make a login uncrackable or a site unhackable, no tool does; it makes these automated attacks fail reliably and warns you fast when one is underway.
Are passkeys better than passwords for WordPress security?
Yes, where you can use them, because passkeys are phishing-resistant and are not vulnerable to the reuse problem that makes credential stuffing work. A passkey is unique to each site and cannot be leaked in a breach the way a reusable password can, so an attacker who steals credentials from another site has nothing to stuff against a passkey-protected login. This is why the FIDO Alliance and major platforms are actively pushing passkeys as the replacement for passwords. In practice, WordPress sites are in a transition period, so the highest-value step today is enforcing two-factor authentication on admin accounts (which similarly defeats credential stuffing by requiring more than a password), while adopting passkeys as support matures. Either way, the goal is the same: make a stolen or guessed password insufficient on its own.
References
- Wordfence — 2024 Annual WordPress Security Report (55B+ password-attack attempts)
- Verizon — 2025 Data Breach Investigations Report (88% of basic web-app attacks use stolen credentials)
- FIDO Alliance — passkeys and phishing-resistant authentication
- IBM — Cost of a Data Breach 2025 ($4.44M global average)
- RankShield — WordPress security plugin
Make every AI action provable.
RankShield is the verifiable, quantum-safe AI security platform — protection you can check, not just trust.