Title: Under Attack Help Last modified: September 9, 2025 --- # Under Attack Help * Resolved [pasqualerose](https://wordpress.org/support/users/pasqualerose/) * (@pasqualerose) * [9 months ago](https://wordpress.org/support/topic/under-attack-help/) * Is Wordfence supposed to help against brute force attacks? If so, how can I send it to stop brute force bot attacks? When I got Wordfence number of years ago, I thought it was supposed to prevent against these attacks. But more than once now, my web host has had to shut down my site due to brute force attacks. They recommended I get Cloudflare. I went ahead and got Cloudflare in addition to Wordfence. I’ve come under attack again, and my web host said I need to go into my Cloudflare, and put my sight in under attack mode. This is annoying because it forces people visiting my site to verify they are human before getting to my website. Obviously, this turns people away. In addition to doing that, when I post a link on social media, the social media site no longer post a featured image or the headlines on the page. * How can I use Wordfence to prevent brute force attacks by bots or anything else? Thank you, * Pat M. - This topic was modified 9 months ago by [pasqualerose](https://wordpress.org/support/users/pasqualerose/). Reason: I thought I misspelled something * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Funder-attack-help%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 3 replies - 1 through 3 (of 3 total) * Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/) * (@wfpeter) * [9 months ago](https://wordpress.org/support/topic/under-attack-help/#post-18636634) * Hi [@pasqualerose](https://wordpress.org/support/users/pasqualerose/), * Wordfence as an endpoint firewall cannot prevent requests being made to your site in the first place, but rather deal with them appropriately once they arrive based on our firewall’s decision making in conjunction with your settings. In“ Extended Protection” Wordfence will run immediately after PHP starts, but before the WordPress content and other plugins load. This is to prevent too much content being served to IPs that need to be blocked. * If you’re receiving true DDoS, or at the very least a huge increase in attempted page views that affects performance, protection at the server’s end such as Cloudflare( as one example you mention) _should_ be the most effective solution. Wordfence is designed for defense in depth by giving you a layered approach to security with its range of features. That is to say other protection on your server is a perfectly reasonable strategy for any security-conscious administrator. * You can read more about our [Brute Force](https://www.wordfence.com/help/firewall/brute-force/) and [Rate Limiting](https://www.wordfence.com/help/firewall/rate-limiting/) settings in our help documentation. I generally set my Rate Limiting rules to these values to start with: [Rate Limiting Screenshot](https://www.wordfence.com/wp-content/uploads/2021/09/ratelimitingpreferred.png) - If anyone’s requests exceed – 240 per minute - If a crawler’s page views exceed – 120 per minute - If a crawler’s pages not found (404s) exceed – 60 per minute - If a human’s page views exceed – 120 per minute - If a human’s pages not found (404s) exceed – 60 per minute - How long is an IP address blocked when it breaks a rule – 30 minutes * I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked and your site isn’t penalized because of it. Make sure and set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so. * With Brute Force settings, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30 minute (or longer) lockout time period. * Remember there is no hard and fast, one-size-fits-all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules stricter. If you see visitors, like search engine crawlers getting blocked too often, you might want to loosen them up a little. * Many thanks, Peter. * Thread Starter [pasqualerose](https://wordpress.org/support/users/pasqualerose/) * (@pasqualerose) * [9 months ago](https://wordpress.org/support/topic/under-attack-help/#post-18636709) * Thank you! I watched the videos and I did go in and change my settings. Hopefully that will allow me to loosen up things with Cloudflare some so that each visitor to the site doesn’t get a message asking them to verify they are human. This way say, visitors won’t be confused or annoyed by this. * Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/) * (@wfpeter) * [9 months ago](https://wordpress.org/support/topic/under-attack-help/#post-18637744) * No worries [@pasqualerose](https://wordpress.org/support/users/pasqualerose/), glad we could help! If you have any Wordfence questions in the future by all means start up a new topic here any time. * Peter. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Under Attack Help’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [bots](https://wordpress.org/support/topic-tag/bots/) * [brute force attacks](https://wordpress.org/support/topic-tag/brute-force-attacks/) * [under attack](https://wordpress.org/support/topic-tag/under-attack/) * 3 replies * 2 participants * Last reply from: [wfpeter](https://wordpress.org/support/users/wfpeter/) * Last activity: [9 months ago](https://wordpress.org/support/topic/under-attack-help/#post-18637744) * Status: resolved