Why Your WordPress Login Page Is a Security Risk

We pulled the security log on a Fair Lawn law firm’s WordPress site last March. In the previous 30 days, their /wp-admin login URL had been hit with 41,200 failed login attempts. From 1,840 unique IPs across 67 countries. The firm had no idea. The site was still loading, still ranking — but 41,200 password guesses away from being someone else’s problem.

The default WordPress login is the single most attacked endpoint on the internet that isn’t email. Here’s why, and the four hardening steps that take the target off your back. Whether you work with us or not.

Why /wp-admin is the #1 brute-force target

WordPress runs 43% of all websites — the login URL is identical across 800 million sites. A bot doesn’t need a vulnerability, just yourdomain.com/wp-admin and a password list. Try 10,000 sites with the same 50 passwords and you’ll crack 30-80. That’s a day’s work for one $8/month server. Compound across botnets and you get the 41,200 hits we saw on one small law firm in 30 days.

What the attack log actually shows

Here’s what the Fair Lawn firm’s log looked like over 30 days, sorted by what mattered:

  • 41,200 total failed login attempts
  • 1,840 unique attacking IPs
  • 67 countries of origin — top 5 were Russia, China, Vietnam, Brazil, and India
  • 0 successful logins from any of those IPs — not because the bots gave up, but because the firm got lucky: their password was 14 characters
  • “admin” was the username guessed 31,800 times. “administrator” 4,200. The actual admin username on the site (the partner’s first initial + last name) was guessed exactly twice.
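The numbers above come from exactly this kind of tally. As an added example (not the firm's log or any plugin's export format), here is a small Python summariser over constructed sample lines in an assumed `<timestamp> <ip> <FAILED|SUCCESS> user=<name>` layout; it produces the total, unique IPs, most-guessed usernames, how often the real admin username was guessed, and the check that matters most: whether any IP that was brute-forcing ever logged in.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format, not a real plugin's log).
# IPs are documentation ranges; a real 30-day export would be far larger.
SAMPLE_LOG = """\
2024-03-01T02:11:04Z 203.0.113.7 FAILED user=admin
2024-03-01T02:11:05Z 203.0.113.7 FAILED user=admin
2024-03-01T02:11:06Z 203.0.113.7 FAILED user=administrator
2024-03-01T02:13:40Z 198.51.100.23 FAILED user=admin
2024-03-01T02:13:41Z 198.51.100.23 FAILED user=jsmith
2024-03-01T02:20:09Z 192.0.2.55 FAILED user=admin
2024-03-01T09:02:17Z 192.0.2.10 SUCCESS user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(log_text, real_admin):
    """Tally failed attempts the way the article's bullet list does."""
    events = list(parse(log_text))
    failed = [e for e in events if e["result"] == "FAILED"]
    by_user = Counter(e["user"] for e in failed)
    by_ip = Counter(e["ip"] for e in failed)
    # Did any IP that produced failures ever get a SUCCESS? This is the
    # "0 successful logins from any of those IPs" check.
    successes_from_attackers = sum(
        1 for e in events if e["result"] == "SUCCESS" and e["ip"] in by_ip
    )
    return {
        "failed_total": len(failed),
        "unique_ips": len(by_ip),
        "top_usernames": by_user.most_common(3),
        "real_admin_guesses": by_user.get(real_admin, 0),
        "noisiest_ips": by_ip.most_common(3),
        "successes_from_attacking_ips": successes_from_attackers,
    }
```

A non-zero `successes_from_attacking_ips` means the site is already in the "compromised, just doesn't know it" bucket and needs a password reset and session invalidation before any hardening.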

The bots weren’t smart — they were brute. They hammered “admin” 31,800 times against every WordPress site they could find. If your admin username is “admin” and your password is under 12 characters, you’re not 41,200 attempts from compromise. You’re 200 attempts away. Bots make 200 attempts in 90 seconds.

The 4 hardening steps

  • Rename the login URL. Change /wp-admin and /wp-login.php to something only you know — /firm-portal-7q, /team-access, anything non-default. Plugins like WPS Hide Login do this in 60 seconds. Result on the Fair Lawn firm: failed login attempts dropped from 41,200/month to under 40/month. The bots can’t find the door.
  • Enable two-factor authentication. Even if a bot finds the URL and guesses the password, 2FA stops them cold without the second-factor code. Use an authenticator app (Google Authenticator, Authy), not SMS — SIM-swap attacks are real and Bergen County has been hit. Setup: 10 minutes. Cost: $0 with plugins like Wordfence Login Security or Two Factor.
  • Rate-limit failed logins. After 5 failed attempts from one IP, block it for 24 hours. After 3 lockouts, ban permanently. Limit Login Attempts Reloaded does this free. The Fair Lawn firm’s log showed 1,840 unique IPs — meaning bots rotate addresses. Rate-limiting still cuts attack volume by 70-80% because most bots burn out fast.
  • Country-block the worst offenders. If your customers are in New Jersey and your business doesn’t operate internationally, blocking traffic from the top 8-10 attack-origin countries removes 92% of brute-force load. Cloudflare does this free. Wordfence does it on the paid tier. Be careful: don’t block countries where actual customers travel — but if you’ve never had a visitor from Belarus, you don’t need them visiting your login page either.
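To make the rate-limiting step concrete, here is an added Python model of the lockout policy described above (5 failures from one IP blocks it for 24 hours, repeated lockouts become a permanent ban). It is illustrative code, not the Limit Login Attempts Reloaded plugin, and it assumes the third lockout is the permanent one; it is keyed on source IP, which is exactly why rotating bots still get through at reduced volume.

```python
from dataclasses import dataclass

MAX_FAILURES = 5               # failures from one IP that trigger a block
BLOCK_SECONDS = 24 * 60 * 60   # 24-hour block
MAX_LOCKOUTS = 3               # assumption: the third lockout is permanent
PERMANENT = float("inf")


@dataclass
class IpState:
    failures: int = 0           # failures since the last lockout
    lockouts: int = 0           # lockouts so far for this IP
    blocked_until: float = 0.0  # epoch seconds; PERMANENT for a ban


class LoginLimiter:
    """Per-IP lockout policy. Each rotating IP gets its own counter, so
    this trims brute-force volume rather than eliminating it."""

    def __init__(self):
        self.ips = {}

    def is_blocked(self, ip, now):
        s = self.ips.get(ip)
        return s is not None and now < s.blocked_until

    def record_failure(self, ip, now):
        """Record one failed login at `now` (epoch seconds). Returns
        'allowed', 'locked' (24h block just started), 'banned'
        (permanent) or 'blocked' (rejected while a block is active)."""
        s = self.ips.setdefault(ip, IpState())
        if now < s.blocked_until:
            return "blocked"
        s.failures += 1
        if s.failures < MAX_FAILURES:
            return "allowed"
        s.failures = 0
        s.lockouts += 1
        if s.lockouts >= MAX_LOCKOUTS:
            s.blocked_until = PERMANENT
            return "banned"
        s.blocked_until = now + BLOCK_SECONDS
        return "locked"

    def record_success(self, ip):
        # A real login clears the short-term counter but keeps the
        # lockout history, so a later burst still escalates to a ban.
        s = self.ips.get(ip)
        if s is not None:
            s.failures = 0
```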

What this stack actually costs

All four steps: $0 in software (free plugin tiers), 90 minutes of setup. Or $300 to have someone do it correctly the first time. Compare to average WordPress compromise cleanup: $1,200-$4,800 depending on malware depth, plus lost revenue if Google de-indexes you for serving spam. The math is not close.

How AJD handles this

Every WordPress site we build or take over gets all four hardening steps in the first 48 hours, plus a 30-day attack-log review so we know what we’re actually defending against. The standalone hardening pass — for sites we didn’t build — runs $400 flat and includes a written report of pre/post attack volume so you can see the difference. We don’t sell ongoing security retainers for sites that are configured right. If we set it up correctly once, you don’t need us tweaking it monthly.


Want us to pull your actual 30-day login attack log live on a call, and tell you whether your site is in the “lucky so far” bucket or the “already compromised, just doesn’t know it” bucket? No pitch. Whether you work with us or not. Book Free Discovery Call →
