Server hammered daily by brute-force attempts on /wp-login.
Brute-force on WordPress is constant background noise. Cloudflare WAF or a security plugin stops 95 percent before it reaches your server.
Try this first
- 1Front the site with Cloudflare (free tier is enough) and add a WAF rule: block all POST to /wp-login.php except from your office IP.
- 2No Cloudflare? Install Wordfence or Limit Login Attempts Reloaded. Both block IPs after X failed attempts.
- 3Don't rename /wp-login.php as a security move; that's security through obscurity and often breaks plugins. Throttle and monitor instead.
- 4Enable two-factor authentication for every admin. With 2FA, a stolen password is still useless.
- 5Disable XML-RPC if you don't use it. Many bots go in via system.multicall and bypass rate limits.
- 6Monitor login attempts weekly. A spike sometimes means a specific user is targeted; reset their password.
When to bring us in
Hit by coordinated attacks from many IPs at once (botnet)? A paid Cloudflare plan with Bot Management or a dedicated WAF (Sucuri) is sensible.
See also
- WordPress, plugins and theme have gone 6+ months without updatesOut-of-date WP is the number-one entry for malware. Don't just hit 'update all', back up first.
- Theme update broke the layout or threw a fatal errorThemes overwrite custom CSS on update unless you use a child theme.
- WordPress shows a blank screen after a plugin install or updateWSOD (white screen of death) is usually one crashing plugin. You isolate it.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.