WordPress limit login attempts

While WordPress itself is a secure platform, this doesn’t make your site immune to break-ins. One of the most common attacks is human or bot hackers trying to force their way through your login page by trying various username and password combinations until something works. To keep them from succeeding, you can use a WordPress plugin to limit login attempts.

By restricting the number of attempts from a specific IP within a certain timeframe, you can block excessive access attempts, enhancing security.

This post will guide you on setting up this security feature with a free plugin, discussing its advantages and drawbacks. Let’s dive in!

Step 1: Install the “Limit Login Attempts Reloaded” plugin

For most users, a WordPress limit login attempts plugin is the best option to restrict login attempts. There are several quality options, but we recommend the free Limit Login Attempts Reloaded plugin because it’s:

  • It offers a free version.
  • Popular – active on over 2 million sites, according to WordPress.org.
  • Well-rated – 98%.
  • Easy to use.

To get started, install and activate the Limit Login Attempts Reloaded plugin on your WordPress site. If you’re not sure how to install a WordPress plugin, check out our guide here.

Once the plugin is activated, you can open it, and it will take you to the plugin’s dashboard. This is where you get a comprehensive overview, including the total number of failed login attempts from the past 24 hours and a settings panel.

Image of Limit Login Attempts Reloaded Dashboard

Step 2: Customize the plugin’s settings

First off, head over to the “Settings” area. It’s a good idea to begin by selecting the “GDPR Compliance” checkbox right at the top. This will display a security message on your WordPress admin login page, keeping things transparent. Also, consider activating the “Notify on lockout” feature. By doing this, you’ll be informed via email whenever someone tries and fails to log in too many times, with the threshold for “too many login attempts” being entirely up to you.

Image of Limit Login Attempts Reloaded Settings Page

Below this, the “Local App” section lets you fine-tune the rules around login attempts, including setting the number of attempts allowed before locking out, the duration a user is locked out following several failed attempts, and specifying the duration and increase of lockouts for persistent offenders.

If you’re not sure what the right setting should be, you can safely go with the default numbers there.

Image of the Local App Box and the Lockout setting options

There’s no need to adjust the data found in the “Trusted IP Origins” fields so go ahead and click on “Save Settings“. To test if the plugin works, simply go to your website’s login page and enter the wrong login info. A message will be displayed saying that incorrect login credentials have been entered, as well as how many attempts you have left. An email will also be sent to your email address letting you know about the failed attempts. Of course, you can always check the failed login attempts on your dashboard, too:

Image of the dashboard where the website owner can easily check the number of "Failed Login Attempts" from the last 24h

What are the benefits of limiting login attempts?

Not all security techniques are right for every website, and this one does have both potential advantages and drawbacks. Let’s look at the benefits of limiting login attempts:

  • It prevents humans and automated bots from being able to try hundreds (or thousands) of username/password combinations until they hit the right one.
  • A temporary lockout is often enough to deter an attack, as the hacker or bot will move on to the next likely target.
  • Most of your legitimate users will only need a single login attempt, or perhaps a few if they forget or mistype their credentials.

What about the drawbacks?

Implementing a plugin that limits login attempts is not without its challenges. Consider the following drawbacks:

  • Adding a plugin to your site. While this plugin is very lightweight, this can put off site owners who want to keep their plugin counts down (for security or performance reasons).
  • Of course, the drawback is that, every once in a while, a genuine user might struggle to log in and get themselves locked out.

Conclusion

In conclusion, even though it’s not strictly required, choosing to install a plugin to limit login attempts is a smart, proactive step to safeguard your WordPress site. It’s a small investment of your time that pays off by fortifying your site against brute force attacks – a favorite tactic among hackers targeting WordPress’s generous user base.

In a 2016 survey from Wordfence, brute force attacks were the second most popular known type of attack, which illustrates that limiting login attempts can indeed be a good idea to protect you from a real attack vector.

Do you have any questions about using a plugin like this? Ask us in the comments section below!

Yay! 🎉 You made it to the end of the article!

0 Comments
Inline Feedbacks
View all comments

Or start the conversation in our Facebook group for WordPress professionals. Find answers, share tips, and get help from other WordPress experts. Join now (it’s free)!