Limit Login Attempts in WordPress: Doing It The Easy Way

enquerer > Blog > Uncategorized > Limit Login Attempts in WordPress: Doing It The Easy Way
Limit Login Attempts in WordPress

WordPress is built as a secure platform to avoid security issues for all its users. However, it isn’t capable of making your website immune to illegal break-ins. These break-ins may be conducted by hackers – human or bots – attempting to break in through the login page with different combinations of usernames and passwords until any one of them works. All that you can do to stop them from accessing your site is to protect it with a limit login attempts plugin.

As per the settings in WordPress by default, there is no limit for attempting a login into a WordPress site. Anyway, most authentic WordPress users need only a few attempts before they land on the correct one. Thus, if the number of attempts can be limited to this short amount, illegal break-ins can be prevented effectively. This way, you can limit the tries from a particular IP address for a number of tries or a time period. Those IPs which go beyond the limit can be blocked temporarily or permanently for better safety.

Keeping all these in mind, let’s see how to seal our website against potential brute force attacks by minimizing the number of login attempts. We will also discuss some plugins which will serve the purpose.

A Brief on The Automated Brute-Force Attacks on WordPress Sites

Easily said, brute-force attacks are those which are triggered by human hackers or bots, thereby trying out different combinations of usernames and passwords hoping to break-in to your website one fine day. These brute-force attacks are the core reason for the majority of WordPress website compromises in recent times.

WordPress releases regular updates for the platform in order to ensure the security and safety of the websites and their data. Still, the number of brute-force attacks on the platform is going on increasing. This is just because of the unlimited login attempts the platform is providing.

All these login attempts aren’t triggered by a person sitting behind a system and desperately typing away usernames and passwords to finally land on the right combination. Instead, all these are written in an automatic script to create millions of combinations in seconds of time and run them on the website.

Why Limit Login Attempts in WordPress?

As said earlier, users can make infinite attempts for logging into a WordPress account. This is what is exploited by hackers to crack the websites by trying different combinations.

To deal with these brute-force attacks, one way is to hide the login page of your WordPress website. Without the login page, hackers will definitely struggle to get access to the WordPress admin. Although this is easily said, it isn’t much easy for everyone to implement this. Let’s look for the reasons.

Membership Sites: For membership sites, you’ll be having a bunch of co-users for whom the login page is crucial. Hiding it can seriously affect your user base.

E-commerce Platforms: Online stores allow users to create an account with them for easy shopping, promotions, and reward points. If they find it difficult to log in, there are chances for them to abandon shopping from your site.

Online Forums: Those who run online forums need compulsory log in for users. If forum login is hidden, there is no point running the forum itself.

Fortunately, we have hot plugins available to help us out with security. We have a bunch of trustworthy and secure WordPress plugins that allow users to limit login attempts to WordPress.

By limiting the number of login attempts, you can easily prevent hack attacks. Say, if you want to limit the login attempts to 5, then the login will be locked out after 5 wrong attempts. Your website will block the IP of the user for a period of time, based on your settings. You have the choice to set this time, may it be minutes, hours, or even longer.

Plugins to Limit the Automated Login Attempts on WordPress

1. Login LockDown Plugin

The Login LockDown plugin records the IP address and timestamp of all invalid login attempts into a WordPress admin dashboard. It disables the login function if more than a given number of attempts are made from the same IP range within a short span of time. This operation is very helpful in preventing brute-force password discovery.

The number of limited login attempts has to be defined first. After setting this, define a time period until which the user will not be able to log in again after the limit of unsuccessful attempts.

Also, define the lockout length of the time until which the IP should be blocked. Anyway, the plugin provides a default lockout length of 60 minutes, which you can change. With the plugin, you can also choose to lock out the invalid username attempts.

The plugin will allow users to keep trying different invalid usernames. Click on yes under lockout invalid usernames option to stop this. WordPress usually let users know if they enter an invalid username or password. The plugin lets you hide this with a mask login errors option. Before leaving the settings, always remember to click on the update button to save your changes.

2. Limit Login Attempts Reloaded Plugin

The Limit Login Attempts Reloaded plugin is a 100% free plugin available in the WordPress store. With a good number of installers, it is one of the very popular names in the domain. It is also very easy to use the plugin.

It also claims different configuration options including options to whitelist/blacklist IPs and usernames.

The plugin starts working as soon as it is installed and activated. The plugin has set four unsuccessful attempts by default for a user before it locks out the login. Anyway, you can modify these functionalities from the settings area of the plugin. From settings, navigate to Limit Login Attempts to navigate to the settings area.

The Statistics section in the plugin displays the amount of ‘lockouts’ occurred while the plugin is active. It will be empty at the start but will fill up when there are potential brute-force attacks.

Under Options,  you can change how the lockout system works. You can decide the number of guesses that can be made before the login is blocked, and also the period of time until which the user should stay locked out. When you scroll down, you can find the Whitelist/Blacklist sections where you can enter specific IPs and usernames.

Whitelisted members can try logging in as many times as they can, and those who are blacklisted will be permanently locked out. Blacklisting is always handy when you see continuous suspicious activity on your website from a specific user or IP. Here too, never forget to save the changes when you have finished configuring.

Should We Limit the Login Attempts on Your Website?

Brute force attacks are the second most important vulnerabilities occurring to a WordPress site, the first being plugin vulnerabilities. The only way to prevent brute force attacks is to prevent bots and hackers from breaking into the WordPress account, which can be effectively implemented through Limit Login plugins. While these plugins aren’t mandatory, they are a good security addition to your WordPress if you don’t mind adding another plugin and setting it up. It will always be an important solution to secure your website’s backend against malicious users and bots.

Have you got any questions about this article? Shoot them in the comments section below!

Have A Look At Our Top Rated WooCommerce Plugins ThemeHigh

Nabeel Aslam is a technical writer and content marketer for Flyingloop. He writes product marketing contents and blogs for WordPress and other web related services since he joined the team in 2018.

Leave a Comment