Bots try multiple username/password combinations to gain access to your wp-admin.
Admin Login Page Under Brute Force Attack
Key Points: Dozens or hundreds of login attempts hit your /wp-login.php daily, spamming the login form with random credentials.
Your server slows down. You see thousands of failed login attempts in logs. Bots are hammering your login screen — even if they don’t succeed, they’re using your resources.
🧨 Red Flags
- Repeated login attempts from random IPs
- Server logs flooded with POST requests to
/wp-login.php - Unusual spikes in CPU or memory
🛡️ Solutions
- Limit login attempts with a security plugin
- Change the login URL using plugins like WPS Hide Login
- Block offending IPs or countries via firewall
- Use a CAPTCHA or challenge mechanism on login
💡 Tip
Brute force is noisy — use it to your advantage by triggering automated lockdowns or alerts.