While WordPress itself is a secure platform, this doesn’t make your site immune to break-ins. One of the most common attacks is human or bot hackers trying to force their way through your login page by trying various username and password combinations until something works. To keep them from succeeding, you can use a WordPress limit login attempts plugin.
By default, people can continuously try to log into your site, with no restrictions on attempts. However, most legitimate users won’t need more than a few tries (at most). Therefore, you can limit the number of login attempts made from a specific IP address in a set amount of time. Any user who goes over the limit can be temporarily or permanently locked out, as a safety precaution.
Step 1: Install the WordPress limit login attempts plugin
For most users, a WordPress limit login attempts plugin is the best option to restrict login attempts. There are several quality options, but we recommend the free Limit Login Attempts Reloaded plugin because it’s:
- 100% free.
- Popular – active on over 700,000 sites, according to WordPress.org.
- Well-rated – a 4.9-star rating (out of 5).
- Easy to use.
While the plugin is easy to use at a basic level (it starts working as soon as you activate it), it also boasts a variety of configuration options, including some handy extras (such as the ability to whitelist or blacklist both IPs and usernames).
To get started, install and activate the Limit Login Attempts Reloaded plugin at your WordPress site. If you’re not sure how to install a WordPress plugin, check out our guide here.
Step 2: Customize the plugin’s settings
As soon as you activate the plugin, it starts working right away. By default, users get four guesses before the plugin locks them out:
However, the plugin also provides a settings area where you can modify how this functionality works.
To access this area, go to Settings > Limit Login Attempts:
In the Statistics section, you can find details about how many ‘lockouts’ have occurred due to the plugin. This will be empty right now, but you can check back later to see how many potential brute force attempts the plugin has halted.
Then, under Options, you can customize how the lockout system works. This includes deciding how many guesses the plugin will allow, the length of time users will be locked out for, and more. You can even enable a GDPR-compliance setting, which will obfuscate all recorded IPs for privacy reasons.
Scrolling down a bit, you’ll also find sections labeled Whitelist and Blacklist:
Here, you can enter specific IPs and/or usernames. If you add a user to the whitelist, they’ll be able to log into your site as many times as they’d like, and won’t have to worry about getting locked out.
Adding someone to the blacklist, on the other hand, will permanently lock them out. The latter option is handy if you see a lot of suspicious activity coming from one or more specific IP addresses.
Don’t forget to save your changes to this page when you’re done configuring the settings. That’s all you need to do to limit login attempts in WordPress!
Should you limit login attempts on your website?
At this point, you know how to set up a WordPress limit login attempts plugin on your site. However, you may be wondering if this is a necessary step for all WordPress users.
Not all security techniques are right for every website, and this one does have both potential advantages and drawbacks. First, let’s look at the benefits of limiting login attempts:
- It prevents humans and automated bots from being able to try hundreds (or thousands) of username/password combinations, until they hit on the right one.
- A temporary lockout is often enough to deter an attack, as the hacker or bot will simply move on to the next likely target.
- Most of your legitimate users will only need a single login attempt, or perhaps a few if they forget or mistype their credentials.
In a 2016 survey from Wordfence, brute force attacks were the second most popular known type of attack, which illustrates that a limit login attempts plugin is indeed protecting you from a real attack vector.
On the other hand, the possible cons include:
- Adding a plugin to your site. While WordPress limit login attempts plugins are very lightweight, this can put off site owners who want to keep their plugin counts down (for security or performance reasons).
- Legitimate users who forget their passwords or make multiple login attempts for some other reason can still get locked out, which is an inconvenience.
The second drawback can be alleviated in a number of ways. You can make sure to display the number of login attempts remaining, for example, which will keep users from getting caught off guard:
You can also keep the lockout time relatively short. In addition, you can add trusted users to your whitelist, so they don’t need to worry about tripping the system.
Ultimately, while this isn’t a mandatory security feature, it’s a smart addition for nearly any site. As long as you don’t mind spending a few minutes setting up and configuring an extra plugin, you’ll be taking an important step towards keeping malicious users out of your site’s back end.
Brute force attacks are a common attack vector for hackers, and WordPress sites are often favored targets (thanks to the platform’s popularity). Fortunately, thwarting these attacks is relatively simple. All you need to do is prevent hackers and bots from being able to make lots of consecutive login attempts.
- Install a dedicated plugin, such as Limit Login Attempts Reloaded.
- Configure the plugin’s settings, and let it do its job.
Do you have any questions about using a WordPress limit login attempts plugin? Ask us in the comments section below!