Brute-force attacks are the most common attack against WordPress sites. PowerSEC blocks them before they can guess your password.
How brute-force attacks work
A bot tries thousands of username + password combinations against /wp-login.php and /xmlrpc.php. Common patterns:
- Dictionary attacks — common words like "password123", "admin"
- Credential stuffing — leaked passwords from other breaches
- Targeted attacks — guessing your name, kids, pets, birthday
How PowerSEC blocks them
Layer 1: rate limiting per IP
After N failed attempts (default 5) from one IP within M minutes (default 15), the IP is blocked for L minutes (default 60). Configurable per site.
Layer 2: lockout per username
After N failed attempts against one username, that account is locked for L minutes regardless of source IP. This defeats distributed attacks, where each guess comes from a different IP so the per-IP limit in Layer 1 never trips.
Layer 3: hostile IP blacklist
Known attacker IPs (from PowerSEC's threat intel feed) are blocked at the firewall — they never reach /wp-login.php at all.
Layer 4: 2FA (Pro)
Even if an attacker guesses the password, they can't log in without the code from your phone.
Layer 5: CAPTCHA on suspicious requests
After N failures, subsequent login attempts require solving a CAPTCHA. Bots fail this; humans pass easily.
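To make the counting layers concrete, here is an added example that models Layers 1, 2 and 5 as one sliding-window tracker. It is illustrative code written for this page, not PowerSEC's own implementation (which the page does not show). The thresholds are the page's defaults (5 attempts, 15-minute window, 60-minute lockout); the separate `captcha_after` threshold, the class and method names, and the IPs and usernames in the scenarios are assumptions constructed for the demo.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window model of the login protections described above:
    Layer 1 (per-IP rate limit), Layer 2 (per-username lockout) and
    Layer 5 (CAPTCHA gate). Defaults mirror the page: 5 failed attempts
    within 15 minutes triggers a 60-minute lockout. `captcha_after` is an
    assumption; the page does not state the CAPTCHA threshold."""

    def __init__(self, threshold=5, window_s=15 * 60, lockout_s=60 * 60,
                 captcha_after=3, clock=time.time):
        self.threshold = threshold
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.captcha_after = captcha_after
        self.clock = clock            # injectable so the demo can advance time
        # recent failure timestamps, keyed by IP and by username
        self.failures = {"ip": defaultdict(deque), "user": defaultdict(deque)}
        # active lockouts: key -> unix time when the lock expires
        self.locked_until = {"ip": {}, "user": {}}

    def _recent(self, kind, key, now):
        """Drop failures older than the window and return the live deque."""
        q = self.failures[kind][key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def _is_locked(self, kind, key, now):
        until = self.locked_until[kind].get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired
            del self.locked_until[kind][key]
            return False
        return True

    def check(self, ip, username):
        """Decision before the password is even examined:
        'block' (locked out), 'captcha' (must solve a challenge) or 'allow'."""
        now = self.clock()
        if self._is_locked("ip", ip, now) or self._is_locked("user", username, now):
            return "block"
        if len(self._recent("ip", ip, now)) >= self.captcha_after:
            return "captcha"
        return "allow"

    def record_failure(self, ip, username):
        """Register a failed password check. Returns the list of lockouts
        this failure triggered: 'ip', 'user', both, or neither."""
        now = self.clock()
        triggered = []
        for kind, key in (("ip", ip), ("user", username)):
            q = self._recent(kind, key, now)
            q.append(now)
            if len(q) >= self.threshold:
                self.locked_until[kind][key] = now + self.lockout_s
                q.clear()                     # counter restarts after the lock
                triggered.append(kind)
        return triggered

    def record_success(self, ip, username):
        """A correct password resets the counters for that IP and account."""
        self.failures["ip"].pop(ip, None)
        self.failures["user"].pop(username, None)


def simulate():
    """Run three constructed scenarios and return the observed decisions."""
    t = [0.0]
    clock = lambda: t[0]
    out = {}

    # Scenario 1: one IP hammers 'admin' (Layers 1 and 5).
    g = LoginGuard(clock=clock)
    for _ in range(4):
        g.record_failure("203.0.113.7", "admin")
    out["after_4_failures"] = g.check("203.0.113.7", "admin")      # 'captcha'
    out["fifth_failure_locks"] = g.record_failure("203.0.113.7", "admin")
    out["while_locked"] = g.check("203.0.113.7", "admin")          # 'block'
    t[0] += 60 * 60                                                # lockout expires
    out["after_lockout"] = g.check("203.0.113.7", "admin")         # 'allow'

    # Scenario 2: five IPs, one guess each against 'admin' (Layer 2 catches it).
    g = LoginGuard(clock=clock)
    last = []
    for i in range(1, 6):
        last = g.record_failure(f"198.51.100.{i}", "admin")
    out["distributed_locks"] = last                                 # ['user']
    out["fresh_ip_same_user"] = g.check("192.0.2.99", "admin")      # 'block'
    out["known_ip_other_user"] = g.check("198.51.100.1", "editor")  # 'allow'

    # Scenario 3: four failures, then a fifth after the window has passed.
    g = LoginGuard(clock=clock)
    for _ in range(4):
        g.record_failure("203.0.113.8", "admin")
    t[0] += 16 * 60                                  # outside the 15-minute window
    out["stale_fifth_failure"] = g.record_failure("203.0.113.8", "admin")  # []
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Scenario 2 is the one to study: no single IP ever reaches the per-IP threshold, yet the account still locks, which is exactly what the per-username layer is for. The flip side of that design is that the username lock is independent of who caused it, so a lockout you did not trigger yourself can still land on your account; that is why the unlock path in the section below matters.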
Configuration
WP admin → PowerSEC → Login Security:
- Failed attempts threshold — default 5
- Time window — default 15 minutes
- Lockout duration — default 60 minutes
- Notify on lockout — email when an IP is blocked
When you get locked out
If you accidentally lock yourself out:
- Wait for the lockout to expire (default 60 min)
- Or: log into PowerSEC Central → Sites → your site → "Unlock IP" action