Brute force attacks against the WordPress login page, where an attacker guesses usernames and passwords, are common. Several plugins and .htaccess rules exist to thwart such intrusions.
One way to lock out invalid usernames and stop unauthorized users from guessing real account names is the Wordfence plugin.
WordPress is one of the most popular content management systems (CMS) in the world. That popularity also makes it a frequent target for attackers and malicious bots.
Brute force attacks, password guessing, and username discovery are common tactics used to compromise WordPress sites.
One of the simplest ways to improve your site’s security is to lock out invalid usernames.
Many WordPress administrators pick easily guessed usernames such as “admin”, “www” or the site name, and password leaks expose other common usernames. In my experience Wordfence blocks many such attempts and also reports which usernames attackers try most often.
It is one of the best free ways to deal with invalid-username attacks. This guide first walks through the Wordfence settings that block brute force attacks, then covers practical ways to secure your WordPress site against unauthorized login attempts.

How to Lock Invalid Usernames in WordPress [2025]
- Install the free version of the Wordfence plugin.
- Go to Wordfence > Firewall.
- Click All Firewall Options on the right-hand side.
- On the next screen, under Brute Force Protection, make sure “Enable brute force protection” is turned on.
- Check “Immediately lock out invalid usernames”.
- The text box “Immediately block the IP of users who try to sign in as these usernames” appears.
- Enter the common usernames attackers try, such as admin and www. Only list names that do not exist on your site; a real account in this list would get its owner’s IP blocked on a single mistyped password.
- Press Enter after each username.
- Over time, if you see further attempts with other invalid usernames, add them to the list as well.
Other Settings
- Lock out after how many login failures – 4 to 6
- Lock out after how many forgot password attempts – 4 to 6
- Count failures over what time period – 12 hours to the maximum
- Amount of time a user is locked out – 2 months
These lockouts apply to the client IP address, not to the account, so a long lockout also hits anyone who shares that address (office NAT, mobile carrier, VPN). Allowlist your own address in Wordfence before testing the settings.

Options for Locking Invalid Usernames
Enable Brute Force Protection
Brute force protection is a vital layer of security for WordPress sites. Attackers use automated scripts to try thousands of username and password combinations, and each attempt costs your server a password-hash check. By enabling brute force protection you cap the number of attempts an address gets before it is locked out, stopping such attacks before they succeed.
How to Enable Brute Force Protection:
- Install a security plugin like Wordfence or iThemes Security.
- Configure the plugin to monitor and limit repeated login attempts.
- Enable alerts for failed login attempts.
Lock Out After How Many Login Failures
Setting a threshold for failed login attempts deters brute force attackers: locking out an address after a handful of failures means it cannot keep guessing. Wordfence applies the lockout to the client IP address rather than to the account, so a stranger’s guesses cannot lock a legitimate user out of their own account.
Steps to Configure Lockouts:
- Go to your security plugin settings.
- Set the number of allowed login attempts (e.g., 3-5).
- Customize the lockout duration to suit your needs.

Lock Out After How Many Forgot Password Attempts
The “forgot password” form is another target. Each request costs a user lookup and an email, and the response can be used to probe for valid accounts, so limiting how often one address can request a reset curbs both the spam and the probing.
How to Set Limits on Password Resets:
- Navigate to your security plugin’s password settings.
- Restrict reset attempts to 2-3 within a specific timeframe.
Count Failures Over What Time Period
Defining the window over which failed attempts are counted sets how slowly an attacker must go to stay under the threshold. A short window such as 15 minutes or 1 hour is friendlier to legitimate users; the 12-hour window suggested above also catches slow, patient guessing.
Amount of Time a User is Locked Out
After the threshold is reached, the address is locked out for a set time. Anything from 15 minutes to 24 hours is common; the 2-month value suggested above trades convenience for a much harder block, so pair it with an allowlist entry for your own address and a way to unblock legitimate users who contact you.
Immediately Lock Out Invalid Usernames
Invalid usernames are a red flag. Legitimate users rarely mistype their own username, so an attempt to log in with a non-existent account name almost always means automated guessing.
Implementation Tips:
- Use plugins like All In One WP Security to block users immediately after entering an invalid username.
- Configure custom error messages to avoid revealing whether a username exists.
Immediately Block the IP of Users Who Try Invalid Usernames
Blocking suspicious IP addresses adds an additional layer of defense. When an invalid username is detected, blocking the associated IP ensures the attacker cannot continue probing.
Steps:
- Enable IP blocking in your security plugin.
- Use tools like Cloudflare to manage and block IPs at the edge. If the site sits behind Cloudflare or another reverse proxy, configure Wordfence to read the real client IP from the proxy’s header (CF-Connecting-IP for Cloudflare); otherwise every lockout would hit the proxy’s own address.
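To make the six options above concrete, here is an added example that is not Wordfence code and not from this page’s author: a must-use plugin (dropped into wp-content/mu-plugins/) that implements per-IP lockouts with WordPress transients. The lle_ prefix, the threshold values and the bait-username list are this example’s own choices, and it assumes the web server sees the client’s real address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Login Lockout Example
 * Description: Illustrates the Wordfence brute force options with WordPress transients.
 * Example code only (not Wordfence's); drop into wp-content/mu-plugins/.
 */

// The knobs that correspond to the settings discussed above (values are this example's choice).
define( 'LLE_MAX_FAILURES', 5 );                  // lock out after how many failures
define( 'LLE_WINDOW', 12 * HOUR_IN_SECONDS );     // count failures over what time period
define( 'LLE_LOCKOUT', DAY_IN_SECONDS );          // amount of time an address is locked out
// Names attackers try that do not exist on this site (assumed list).
define( 'LLE_BAIT_USERNAMES', array( 'admin', 'administrator', 'www', 'test', 'root' ) );

function lle_client_ip(): string {
    // REMOTE_ADDR is what the web server itself saw. Only trust X-Forwarded-For or
    // CF-Connecting-IP if a reverse proxy you control sets them; otherwise they are
    // attacker-controlled and the lockout is trivially evaded.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lle_key( string $kind, string $ip ): string {
    return 'lle_' . $kind . '_' . md5( $ip );     // keeps transient names short and safe
}

function lle_is_locked( string $ip ): bool {
    return false !== get_transient( lle_key( 'lock', $ip ) );
}

function lle_lock( string $ip ): void {
    set_transient( lle_key( 'lock', $ip ), time(), LLE_LOCKOUT );
    delete_transient( lle_key( 'fail', $ip ) );
}

function lle_record_failure( string $ip ): void {
    if ( lle_is_locked( $ip ) ) {
        return;                                   // nothing more to count
    }
    $fails = (int) get_transient( lle_key( 'fail', $ip ) ) + 1;
    if ( $fails >= LLE_MAX_FAILURES ) {
        lle_lock( $ip );
        return;
    }
    set_transient( lle_key( 'fail', $ip ), $fails, LLE_WINDOW ); // new expiry restarts the window
}

function lle_locked_error(): WP_Error {
    // One message for every refusal: it must not reveal whether the username exists.
    return new WP_Error( 'lle_locked',
        __( '<strong>Error</strong>: Too many failed attempts from your address. Try again later.' ) );
}

// Runs after core has looked the user up but before it checks the password hash,
// so a locked address costs no bcrypt/phpass work at all.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    return lle_is_locked( lle_client_ip() ) ? lle_locked_error() : $user;
}, 1, 2 );

// Priority 30 runs after core's own callbacks (priority 20). Core ignores an error
// returned before it when a username and password are present, so the final
// decision has to be made here. This path also covers XML-RPC and application passwords.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $name = strtolower( trim( (string) $username ) );
    if ( '' === $name ) {
        return $user;                             // let core's "empty field" errors through
    }
    $ip = lle_client_ip();
    if ( lle_is_locked( $ip ) ) {
        return lle_locked_error();
    }
    // "Immediately lock out invalid usernames": a bait name that no real account uses.
    if ( in_array( $name, LLE_BAIT_USERNAMES, true ) && ! username_exists( $name ) ) {
        lle_lock( $ip );
        return lle_locked_error();
    }
    return $user;
}, 30, 3 );

// Every failed login (unknown user or wrong password) counts toward the threshold.
add_action( 'wp_login_failed', function ( $username ) {
    lle_record_failure( lle_client_ip() );
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lle_key( 'fail', lle_client_ip() ) );
}, 10, 2 );

// "Lock out after how many forgot password attempts": reset requests count too, and a
// locked address gets the same generic message instead of a user lookup and an email.
add_action( 'lostpassword_post', function ( $errors, $user_data ) {
    $ip = lle_client_ip();
    if ( lle_is_locked( $ip ) ) {
        $errors->add( 'lle_locked', lle_locked_error()->get_error_message() );
        return;
    }
    lle_record_failure( $ip );
}, 10, 2 );
```

Transients live in the options table or the object cache, so the counters are shared across PHP workers on one site. A distributed attack that rotates source addresses stays under any per-IP threshold, which is why the network-wide blocklist described later complements this kind of local lockout.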

Prevent the Use of Passwords Leaked in Data Breaches
Many users unknowingly reuse passwords that have been leaked in data breaches. Wordfence’s option of the same name checks a new password against the Have I Been Pwned breach corpus (only a hash prefix leaves your server), and plugins like WP Password Policy Manager help enforce password policies on top of that.
Key Actions:
- Enforce password resets for compromised accounts.
- Regularly audit user passwords using plugins.
Enforce Strong Passwords
Weak passwords are an open door for attackers. Enforcing strong password policies ensures all users create secure credentials.
Best Practices:
- Require a minimum length (12 or more characters) as well as a mix of uppercase letters, numbers, and special characters; length and absence from breach lists matter more than any single character class.
- Use plugins like Password Policy Manager for WordPress.
Don’t Let WordPress Reveal Valid Users in Login Errors
Default WordPress login error messages can reveal whether a username exists. Customizing these messages reduces the information available to attackers.
How to Hide Login Errors:
- Add code to your theme’s functions.php file (or, better, a must-use plugin, which survives a theme switch) to display generic error messages.
- Use plugins like Loginizer for customization.
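As an added example of the code approach (not the page’s own snippet or any plugin’s code), the following collapses the three core error codes that distinguish “no such user” from “wrong password” into one generic message. It assumes nothing beyond a standard WordPress install; place it in a must-use plugin or in functions.php.

```php
<?php
// Generic login errors. Core's own authenticate callbacks run at priority 20 and
// produce the three codes below; priority 30 sees their result and rewrites it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user;                           // success, or not decided yet
    }
    // invalid_username / invalid_email: "no account with that name"
    // incorrect_password: "the password for <user> is incorrect" (confirms the account)
    $leaky = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( array_intersect( $leaky, $user->get_error_codes() ) ) {
        return new WP_Error( 'invalid_credentials',
            __( '<strong>Error</strong>: The username or password you entered is incorrect.' ) );
    }
    return $user;                               // keep empty-field and lockout messages as they are
}, 30, 3 );
```

This hides the difference in the message but not in timing: core only runs the password-hash check when the username exists, so a patient attacker with many samples can still tell the two cases apart. Pair it with the lockout settings above rather than relying on it alone.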
Prevent Users from Registering as ‘Admin’
The ‘admin’ username is a common target for brute force attacks. Preventing its use significantly reduces risk.
Steps to Block ‘Admin’:
- Remove any existing ‘admin’ user, reassigning its posts to another account when WordPress asks.
- Block the registration of ‘admin’ using security plugins.
Prevent Username Discovery via Scans and APIs
Attackers can use techniques like /?author=N scans, oEmbed API, REST API, and XML sitemaps to discover usernames.
Securing Against Scans:
- Disable author archives using plugins.
- Use code snippets to block username enumeration.
- Restrict API access to authorized users; the REST API’s wp/v2/users endpoint lists every user who has published a post, without authentication.
Disable WordPress Application Passwords
Application passwords (WordPress 5.6 and later) let REST API and XML-RPC clients authenticate with a per-application secret. If nothing uses them, disabling them removes an authentication path you are not monitoring.
Steps:
- Add code to your theme’s functions.php (or a must-use plugin) to disable application passwords.
- Alternatively, use a security plugin for this purpose.
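The three sections above (blocking the ‘admin’ name, preventing username discovery, and disabling application passwords) all come down to a handful of core hooks. Here they are together as an added example must-use plugin; it is not code from this page’s author or from any plugin, and the reserved-name list is this example’s own choice.

```php
<?php
/**
 * Plugin Name: Username Exposure Hardening Example
 * Description: Example hooks for blocking the 'admin' name, username discovery and application passwords.
 * Example code only; drop into wp-content/mu-plugins/.
 */

// Reserved logins. Both register_new_user() and wp_insert_user() consult this filter,
// so it covers the registration form, wp-admin user creation and WP-CLI alike.
add_filter( 'illegal_user_logins', function ( array $logins ): array {
    return array_merge( $logins, array( 'admin', 'administrator', 'www', 'root', 'test' ) );
} );

// /?author=N normally 301-redirects to /author/<login>/, which hands out the login name
// for user ID N, and the archive pages expose it in the URL anyway. Serve a plain 404 for
// any author query before redirect_canonical (template_redirect priority 10) can run.
add_action( 'template_redirect', function () {
    if ( ! is_author() ) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    $template = get_404_template();
    if ( $template ) {
        include $template;
    }
    exit;
}, 1 );

// The REST API lists every user with a published post at /wp-json/wp/v2/users.
// Drop the users routes for anonymous requests; logged-in editors keep them.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// oEmbed responses (/wp-json/oembed/1.0/embed?url=...) carry author_name (the display
// name, often identical to the login) and author_url (the author archive).
add_filter( 'oembed_response_data', function ( array $data ): array {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// The core XML sitemap (WP 5.5+) has a users provider that lists author archives.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

// Application passwords (WP 5.6+): if no client uses them, switch the feature off.
add_filter( 'wp_is_application_passwords_available', '__return_false' );
```

Verify each hook with a logged-out request after enabling: /?author=1 should return 404 rather than a redirect, /wp-json/wp/v2/users should return a “no route” error, and the sitemap index should no longer list a users sitemap.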
Block IPs Sending POST Requests with Blank User-Agent and Referer
Browsers always send a User-Agent header, so a POST request that carries neither a User-Agent nor a Referer is characteristic of a bare script. Blocking such requests cheaply drops a share of automated traffic, but an attacker can add the two headers at any time; treat this as noise reduction and CPU relief, not as a security boundary.
How to Block Suspicious Requests:
- Configure your firewall to detect and block blank headers.
- Use plugins like Wordfence for detailed request filtering.
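For readers who prefer to see the check itself, here is an added example (not Wordfence’s implementation) as a must-use plugin that refuses such requests before any user lookup happens. Which scripts to guard (wp-login.php and xmlrpc.php) is this example’s own choice.

```php
<?php
/**
 * Plugin Name: Blank Header POST Filter Example
 * Description: Rejects POSTs to the login and XML-RPC endpoints that carry neither User-Agent nor Referer.
 * Example code only; drop into wp-content/mu-plugins/.
 */

function bhp_is_guarded_post( array $server ): bool {
    if ( 'POST' !== ( $server['REQUEST_METHOD'] ?? '' ) ) {
        return false;
    }
    $script = basename( $server['SCRIPT_NAME'] ?? '' );
    return in_array( $script, array( 'wp-login.php', 'xmlrpc.php' ), true );
}

// Block only when BOTH headers are absent or empty. A missing Referer alone is normal
// (privacy settings, bookmarks, some proxies); a missing User-Agent alone is rare but
// occurs with a few monitoring tools. Both missing is bare-script behaviour.
function bhp_headers_blank( array $server ): bool {
    return '' === trim( $server['HTTP_USER_AGENT'] ?? '' )
        && '' === trim( $server['HTTP_REFERER'] ?? '' );
}

function bhp_reject(): void {
    status_header( 403 );
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'Forbidden' );        // no user lookup and no password hashing for this request
}

// Must-use plugins load before regular plugins and before init, so this is about as
// early as WordPress allows; a web-server rule (nginx/Apache) would be cheaper still.
if ( bhp_is_guarded_post( $_SERVER ) && bhp_headers_blank( $_SERVER ) ) {
    bhp_reject();
}
```

Test it with curl: a POST to /wp-login.php with `-A ""` and no `-e` referer should get a 403, while the same request with `-A "Mozilla/5.0"` should reach the normal login handling.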
Custom Text Shown on Block Pages
Customizing block pages helps inform legitimate users while maintaining security.
Tips for Custom Messages:
- Use clear, non-technical language.
- Avoid revealing sensitive information.
Check Password Strength on Profile Update
Ensuring users update their passwords to strong ones is crucial for long-term security.
How to Enforce Strong Updates:
- Use plugins to check password strength during profile updates.
- Notify users with weak passwords to update them.
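The breach check and the profile-update check above are the same policy applied at different moments. As an added example (not code from Wordfence or from WP Password Policy Manager), this must-use plugin enforces a minimum length and a Have I Been Pwned k-anonymity lookup on profile updates, new-user creation and password resets. The ppe_ prefix, the 12-character minimum and the decision to fail open when the API is unreachable are this example’s own assumptions; it needs outbound HTTPS to api.pwnedpasswords.com.

```php
<?php
/**
 * Plugin Name: Password Policy Example
 * Description: Minimum length plus a k-anonymity breach check on profile updates and resets.
 * Example code only; drop into wp-content/mu-plugins/.
 */
define( 'PPE_MIN_LENGTH', 12 );

// Parse one Pwned Passwords "range" response (lines of SUFFIX:COUNT) and return how
// many times the full SHA-1 appears in known breaches, 0 if it is absent.
function ppe_count_in_range( string $sha1_upper, string $range_body ): int {
    $suffix = substr( $sha1_upper, 5 );
    foreach ( preg_split( '/\r?\n/', $range_body ) as $line ) {
        $parts = explode( ':', trim( $line ), 2 );
        if ( 2 === count( $parts ) && 0 === strcasecmp( $parts[0], $suffix ) ) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// k-anonymity lookup: only the first five hex characters of the hash leave the server;
// the response (several hundred suffixes) is matched locally. Returns null on failure.
function ppe_breach_count( string $password ): ?int {
    $hash   = strtoupper( sha1( $password ) );
    $prefix = substr( $hash, 0, 5 );
    $resp   = wp_remote_get( 'https://api.pwnedpasswords.com/range/' . $prefix, array(
        'timeout' => 5,
        'headers' => array( 'Add-Padding' => 'true' ),   // hides the true response size
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    return ppe_count_in_range( $hash, wp_remote_retrieve_body( $resp ) );
}

// Shared policy: null when the password is acceptable, otherwise the message to show.
function ppe_password_problem( string $password ): ?string {
    if ( strlen( $password ) < PPE_MIN_LENGTH ) {
        return sprintf( __( 'Passwords must be at least %d characters long.' ), PPE_MIN_LENGTH );
    }
    $count = ppe_breach_count( $password );
    if ( null === $count ) {
        return null;    // fail open on network trouble so admins are not locked out of profile edits
    }
    if ( $count > 0 ) {
        return __( 'This password has appeared in a known data breach. Choose a different one.' );
    }
    return null;
}

// Profile updates and new-user creation in wp-admin (pass1 is empty when untouched).
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    $password = (string) ( $_POST['pass1'] ?? '' );
    if ( '' === $password ) {
        return;
    }
    $problem = ppe_password_problem( $password );
    if ( $problem ) {
        $errors->add( 'ppe_weak_password', $problem );
    }
}, 10, 3 );

// Password resets via the "Lost your password?" flow.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    $password = (string) ( $_POST['pass1'] ?? '' );
    if ( '' === $password ) {
        return;
    }
    $problem = ppe_password_problem( $password );
    if ( $problem ) {
        $errors->add( 'ppe_weak_password', $problem );
    }
}, 10, 2 );
```

Whether to fail open or closed when the lookup fails is a policy decision: failing closed is stricter but means an API outage blocks every password change on the site.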
Participate in the Real-Time Wordfence Security Network
Joining the Wordfence Security Network shares attack data between participating sites, so an address that is attacking one site is blocked on the others before it reaches your login page.
Benefits:
- Automatically blocks IPs involved in attacks.
- Shares intelligence across participating sites.
Why You Shouldn’t Change or Hide the Login URL
Many site owners believe changing the login URL improves security. It is obscurity rather than protection: once an attacker finds the new URL nothing has been gained, and in the meantime the change complicates maintenance and breaks plugins and tools that assume the default location.
Better Alternatives:
- Use two-factor authentication.
- Focus on securing the default login page with strong passwords and brute force protection.
Locking a WordPress User Account to Prevent Login
Scaffold the Code
To implement account locking, start with a small plugin (or must-use plugin file) that stores an account_locked flag in user meta and hooks into the user-edit screen and the login flow. The pieces below build it up step by step.
Add the Lock/Unlock Checkbox
Adding a lock/unlock checkbox in the admin panel makes it easy for administrators to manage user accounts.
Example Code:
function add_lock_checkbox($user) {
    // Meta is stored as 1 or 0; cast so the checked() comparison is exact.
    $is_locked = (bool) get_user_meta($user->ID, 'account_locked', true);
    echo '<label><input type="checkbox" name="account_locked" value="1" ' . checked($is_locked, true, false) . '> Lock Account</label>';
}
add_action('edit_user_profile', 'add_lock_checkbox'); // other users' profiles only, so you cannot lock yourself out
function save_lock_checkbox($user_id) { // persists the checkbox; WordPress has already verified the form nonce
    if (!current_user_can('edit_user', $user_id)) { return; }
    update_user_meta($user_id, 'account_locked', empty($_POST['account_locked']) ? 0 : 1);
}
add_action('edit_user_profile_update', 'save_lock_checkbox');
Add a Custom Column to the Admin Users Table
Displaying the lock status in the users table helps administrators identify locked accounts at a glance.
Steps:
- Modify the users table to include a “Lock Status” column.
- Use the manage_users_columns and manage_users_custom_column hooks.
Prevent Locked-Out Users from Logging In
Use the authenticate filter to refuse login for locked users. Because this check runs after the password has been verified, the “locked” message is shown only to someone who already knows the password. Locking also blocks new logins only: sessions that are already signed in remain valid until they expire, so destroy them when you lock an account.
Example Code:
function prevent_locked_users($user, $username, $password) {
    // At priority 30 core has already run: $user is a WP_User on success, otherwise a WP_Error or null.
    if (!($user instanceof WP_User)) {
        return $user;
    }
    if (get_user_meta($user->ID, 'account_locked', true)) {
        return new WP_Error('account_locked', 'This account is locked.');
    }
    return $user;
}
add_filter('authenticate', 'prevent_locked_users', 30, 3); // the filter passes three arguments, not two
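Two supporting pieces complete the procedure: the “Lock Status” column mentioned above, and session termination so that locking takes effect immediately. Both are added example code (not from the page’s author) that reads the same account_locked user meta as the snippets above; the ale_ prefix is this example’s own.

```php
<?php
// "Lock Status" column on Users > All Users.
add_filter( 'manage_users_columns', function ( array $columns ): array {
    $columns['account_locked'] = __( 'Lock Status' );
    return $columns;
} );

add_filter( 'manage_users_custom_column', function ( $output, $column_name, $user_id ) {
    if ( 'account_locked' !== $column_name ) {
        return $output;                              // another plugin's column; leave it alone
    }
    $locked = (bool) get_user_meta( (int) $user_id, 'account_locked', true );
    return $locked
        ? '<span style="color:#b32d2e;font-weight:600;">' . esc_html__( 'Locked' ) . '</span>'
        : esc_html__( 'Active' );
}, 10, 3 );

// Locking blocks new logins only: a browser that is already signed in keeps its auth
// cookie until it expires (up to 14 days with "Remember Me"). Destroy every session
// token for the user the moment the flag is set, whether the meta row is being
// created (added_user_meta) or changed (updated_user_meta).
function ale_destroy_sessions_on_lock( $meta_id, $user_id, $meta_key, $meta_value ): void {
    if ( 'account_locked' === $meta_key && 1 === (int) $meta_value ) {
        WP_Session_Tokens::get_instance( (int) $user_id )->destroy_all();
    }
}
add_action( 'added_user_meta', 'ale_destroy_sessions_on_lock', 10, 4 );
add_action( 'updated_user_meta', 'ale_destroy_sessions_on_lock', 10, 4 );
```

After ticking the checkbox for a test user who is signed in elsewhere, that user’s next request should land on the login page rather than the dashboard.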
Final Thoughts
In this way you can stop suspicious IPs from hammering your WordPress login. It has two benefits: it prevents attacks, and it saves the CPU time that each bogus attempt would otherwise burn on a password-hash check.
Securing your WordPress login page is crucial for maintaining the integrity of your site. By locking invalid usernames, blocking suspicious IPs, and enforcing strong passwords, you take proactive steps to deter malicious activity.
Remember, consistent monitoring and updating your security settings are key to staying ahead of evolving threats. For more tips and tools, check out our recommended plugins and forums for WordPress security.
With fewer attacks reaching it, your WordPress admin panel will also feel noticeably quicker.