In our earlier article, we explained several ways to stop brute-force attacks on a WordPress site. Of all those options, limiting the number of login attempts on your WordPress login page is one of the most effective. Many site owners assume this is a difficult task and never get around to it, believing it to be time-consuming, expensive, or technically demanding. In fact, you can limit login attempts on your WordPress site in under 10 minutes with a plugin. Read on to learn how.
Why Limit Login Attempts in WordPress?
WordPress ships with a login form that is reached by appending /wp-admin/ or /wp-login.php to your site URL. You can change this URL with a plugin, but doing so can break other things, because many WordPress plugins rely on the same login page to reach the dashboard. Plugins that may depend on your WordPress login page include:
- Online store plugins like WooCommerce
- Content subscription plugins
- Membership plugins
Handing paying customers a custom login URL or an extra password does not look professional. Limiting login attempts is therefore the better option: your customers can still log in through the normal form, while automated bots are shut out after a few failures.
Blocking bots also saves server bandwidth and CPU time that can instead be spent serving real visitors.
Limit Login Attempts Reloaded Plugin
Our solution is the Limit Login Attempts Reloaded plugin. In our experience it is the best WordPress plugin for limiting login attempts, and it is easy to configure.
- Open your WordPress admin area and go to “Plugins > Add New”.
- Type “limit login” in the search box to list the relevant plugins.
- Find Limit Login Attempts Reloaded in the results, click “Install Now”, and then click “Activate” once the installation finishes, as shown in the screenshot below.
After activation you will find a new “Limit Login Attempts” entry in the WordPress dashboard sidebar. Click it to open the plugin's control panel; the same page is also reachable from “Settings > Limit Login Attempts”, as shown in the screenshot below.
The first thing you see is the plugin's dashboard, which gives a general overview and lets you:
- View the total number of failed login attempts on your site, presented as a pie chart and a bar graph.
- Upgrade to the premium version of the plugin. The free version is more than adequate for most sites. If you notice reduced performance after installing the plugin, the premium version moves the brute-force handling to the vendor's cloud service instead of your own server, which should resolve it; it also adds 24-hour support, automatic backup of the plugin's data, and advanced throttling, among other things.
- View statistics such as failed login attempts by country on a daily basis.
Configure Plugin Settings
Click the Settings tab to change the plugin's defaults. On this page you can adjust the following:
- Notify on Lockout: The email address you enter here is notified when an IP address is locked out after repeated failed logins. By default the plugin sends an email only after 3 lockouts; enter “1” instead of 3 to be notified on every lockout, as shown below.
- Lockout settings: In this section you control the limiter itself:
- Allowed Retries: The number of failed login attempts a single IP address gets before it is locked out. The default is 4; 2 or 3 is tighter from a security standpoint, but remember that a mistyped password counts too, so do not set it so low that you lock yourself or your customers out over a typo.
- Minutes Lockout: How long a locked-out IP address is refused access to the login page. The default of 20 minutes is appropriate in our opinion, but you can change it to suit your site.
- Lockouts increase lockout time: What happens to an address that keeps getting locked out. With the default settings, after 4 lockouts the lockout duration rises from 20 minutes to 24 hours.
- Retries are reset: The number of hours the plugin remembers an address's failed attempts. If the address does not fail again within this window, its failure count is cleared and it gets a fresh set of allowed retries. This is separate from the lockout itself: a locked-out address still has to wait out the full lockout.
- Trusted IP Origins: The server variable the plugin reads to identify the client. The default, REMOTE_ADDR, is the address on the other end of the TCP connection and cannot be forged by the client. Headers such as X-Forwarded-For are supplied by whoever sends the request and can be faked trivially, so a bot could dodge every lockout simply by rotating the header. Like the plugin, we recommend keeping REMOTE_ADDR. The one exception is a site behind a reverse proxy or CDN: there REMOTE_ADDR is the proxy's own address, so a single lockout would block every visitor arriving through that proxy. In that case, configure your web server to accept the forwarded header only from the proxy's own IP addresses, so it cannot be spoofed from outside, before trusting it here.
Once you have entered your settings, click “Save Settings” to apply them.
The Logs tab shows the lockouts recorded so far and lets you manually add IP addresses or ranges to block (blocklist) or exempt from limiting (safelist). Safelisting your own static IP address is a sensible precaution against locking yourself out.
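To make the interplay of these settings concrete, here is a small Python model of an IP-keyed login limiter, written for this article and not taken from the plugin's code. It applies allowed retries, the lockout duration, the escalation to a long lockout and the retry-reset window, and it lets you switch the trusted IP origin between REMOTE_ADDR and a forwarded header. The class and function names, the optional proxy list and the 203.0.113.x / 198.51.100.x addresses are the example's own assumptions; the constructed scenario at the bottom is one attacking host rotating a forged X-Forwarded-For header.

```python
# Added example (not the plugin's code): a toy model of an IP-keyed login
# limiter with the settings discussed above, plus the "trusted IP origin" choice.
# Names, the proxy list and all addresses are this example's own assumptions.
from dataclasses import dataclass
import ipaddress

MINUTE, HOUR = 60, 3600


@dataclass
class LimiterConfig:
    allowed_retries: int = 4             # failed attempts before a lockout
    lockout_minutes: int = 20            # length of a normal lockout
    lockouts_before_long: int = 4        # lockouts after which the long lockout applies
    long_lockout_hours: int = 24
    retries_reset_hours: int = 12        # failures older than this are forgotten
    trusted_origin: str = "REMOTE_ADDR"  # or a header key such as "HTTP_X_FORWARDED_FOR"
    trusted_proxies: frozenset = frozenset()  # hypothetical: proxies whose header we believe


def client_ip(server: dict, cfg: LimiterConfig) -> str:
    """Decide which address a login attempt is counted against.

    REMOTE_ADDR is the TCP peer and cannot be forged by the client. A forwarded
    header can be, so it is only honoured when the request comes from a proxy we run.
    """
    remote = server["REMOTE_ADDR"]
    if cfg.trusted_origin == "REMOTE_ADDR":
        return remote
    header = server.get(cfg.trusted_origin, "")
    if not header or (cfg.trusted_proxies and remote not in cfg.trusted_proxies):
        return remote
    # X-Forwarded-For is "client, proxy1, proxy2": the rightmost entry is the
    # one appended by the proxy nearest us, so it is the only one worth trusting.
    candidate = header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote  # garbage header: fall back to the peer address


class LoginLimiter:
    def __init__(self, cfg: LimiterConfig):
        self.cfg = cfg
        self.failures = {}      # ip -> (count, time of first failure in window)
        self.lockouts = {}      # ip -> lockouts so far (drives escalation)
        self.locked_until = {}  # ip -> unix time at which the lockout ends

    def attempt(self, server: dict, password_ok: bool, now: int) -> dict:
        ip = client_ip(server, self.cfg)
        if now < self.locked_until.get(ip, 0):
            # Locked out: rejected even when the credentials are correct
            return {"ip": ip, "status": "locked", "until": self.locked_until[ip]}
        count, first = self.failures.get(ip, (0, now))
        if now - first > self.cfg.retries_reset_hours * HOUR:
            count, first = 0, now  # "retries are reset"
        if password_ok:
            self.failures.pop(ip, None)
            return {"ip": ip, "status": "ok"}
        count += 1
        if count >= self.cfg.allowed_retries:
            n = self.lockouts.get(ip, 0) + 1
            self.lockouts[ip] = n
            seconds = (self.cfg.long_lockout_hours * HOUR
                       if n >= self.cfg.lockouts_before_long
                       else self.cfg.lockout_minutes * MINUTE)
            self.locked_until[ip] = now + seconds
            self.failures.pop(ip, None)
            return {"ip": ip, "status": "lockout", "seconds": seconds}
        self.failures[ip] = (count, first)
        return {"ip": ip, "status": "fail", "remaining": self.cfg.allowed_retries - count}


def run_attacker(cfg: LimiterConfig) -> list:
    """Constructed scenario: one host (203.0.113.5) sends four bad passwords,
    forging a different X-Forwarded-For each time, then tries the real password."""
    lim = LoginLimiter(cfg)
    out = []
    for i in range(4):
        srv = {"REMOTE_ADDR": "203.0.113.5",
               "HTTP_X_FORWARDED_FOR": f"198.51.100.{i + 1}"}
        out.append(lim.attempt(srv, password_ok=False, now=i * MINUTE))
    srv = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "198.51.100.99"}
    out.append(lim.attempt(srv, password_ok=True, now=5 * MINUTE))
    return out


if __name__ == "__main__":
    for origin in ("REMOTE_ADDR", "HTTP_X_FORWARDED_FOR"):
        statuses = [r["status"] for r in run_attacker(LimiterConfig(trusted_origin=origin))]
        print(origin, statuses)
```

With REMOTE_ADDR as the origin the attacker is locked out on the fourth failure and the correct password that follows is rejected for the rest of the 20 minutes. Trusting the header with no proxy list never locks anyone out, because each attempt is counted against a different forged address, and the fifth attempt simply succeeds. Supplying trusted_proxies restores the REMOTE_ADDR behaviour for requests that do not arrive from the proxy.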
Now that the plugin is configured, let's see it in action. Log out of the admin area, open the login page, and enter an invalid username and password. The plugin tells you how many attempts remain before your IP address is locked out, counting down with each failure; you will see a message like “3 attempts remaining”, as we configured the limit at 3 invalid attempts.
If you keep entering a wrong username or password, you reach the lockout state shown in the screenshot below. Your IP address can no longer submit a login request until the lockout expires (20 minutes in this case), and the plugin rejects even the correct credentials during that window. Note that the block applies to your IP address, not to the account, so the same user can still log in from a different address.
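To run the same check from the command line rather than a browser, here is an added Python probe, our own example and not part of the article or the plugin, that posts deliberately wrong credentials to your own site's wp-login.php and reads the plugin's counter out of the response. The form field names are the ones wp-login.php expects; the message wording it looks for (“N attempts remaining” and “Too many failed login attempts”) is assumed from the plugin's usual text and may need adjusting for your version. Only run it against a site you own.

```python
# Added example (not from the article or the plugin): send deliberately wrong
# logins to your own site and read back the plugin's counter from the response.
# The field names are the ones wp-login.php expects; the message wording is an
# assumption about the plugin's usual text and may differ on your version.
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

TAG = re.compile(r"<[^>]+>")
REMAINING = re.compile(r"(\d+)\s+attempts?\s+remaining", re.IGNORECASE)
LOCKED = re.compile(r"too many failed login attempts", re.IGNORECASE)


def parse_login_response(html: str):
    """Return 'locked', the remaining-attempt count as an int, or None."""
    text = TAG.sub("", html)  # the plugin wraps the number in <strong> tags
    if LOCKED.search(text):
        return "locked"
    m = REMAINING.search(text)
    return int(m.group(1)) if m else None


def failed_login(site_url: str, timeout: float = 15.0):
    """POST one wrong credential pair to wp-login.php and parse the reply."""
    data = urllib.parse.urlencode({
        "log": "nonexistent-user",     # constructed, intentionally wrong
        "pwd": "wrong-password",
        "wp-submit": "Log In",
        "testcookie": "1",
    }).encode()
    req = urllib.request.Request(
        site_url.rstrip("/") + "/wp-login.php",
        data=data,
        headers={"Cookie": "wordpress_test_cookie=WP Cookie check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # a non-200 reply (e.g. from a WAF) may still carry the message
    return parse_login_response(body.decode("utf-8", "replace"))


if __name__ == "__main__":
    site = sys.argv[1]  # e.g. https://example.com (a site you own)
    tries = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    for i in range(1, tries + 1):
        print(f"attempt {i}: {failed_login(site)}")
```

Each line of output should count down to the limit you configured and then switch to “locked”; if the counter never reaches “locked”, check the Trusted IP Origins setting, because a proxy in front of the site may be presenting the same address for every visitor, or a forwarded header may be letting the request through under a different one.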
We strongly recommend limiting login attempts on your WordPress site, especially if you do not offer user registration. Monitor the failed-login statistics to see where attacks originate; if needed, raise the lockout duration or permanently block offending IP addresses. Be careful not to set the limits too tight when paying customers log in through the default WordPress login form, and consider safelisting your own address so that a typo cannot lock you out of your own site.