How to Limit Login Attempts in WordPress
WordPress is one of the most popular platforms for building blogs and other kinds of websites. Because millions of websites are powered by WordPress, hackers constantly look for vulnerabilities in WordPress themes and plugins to compromise WordPress-based websites. Some hackers also run brute-force attacks against login pages to crack accounts. Most people use the default username admin for the blog. Even if someone changes the username, it is still visible in the author slug. So, hackers only need to guess the password. I wrote a detailed guide on how to protect WordPress from brute-force attacks. The most common way to block brute-force attacks is to limit login attempts, so that a hacker or hacking script can only try a limited number of times. After a certain number of failed attempts, the login page will be blocked, which makes a brute-force attack much harder to carry out. It isn't foolproof if a brute-force script uses a different IP address for each attempt, but it does discourage the common case where one person tries different password combinations to break into the website.
The easiest way to add a login attempt limit is to install the “Limit Login Attempts Reloaded” plugin. This plugin stops brute-force attacks on the WordPress login page, along with XML-RPC, WooCommerce, and custom login pages. Once the plugin blocks someone after failed login attempts, it also sends an email notification.
Here is a snapshot of the plugin's settings page.
You can set the number of failed attempts a user can perform before being locked out. For example, 4 is set in the snapshot. You can also set the lockout time. So, after 4 failed attempts the IP will be blocked for the next 20 minutes. You can increase this time as per your need. Similarly, you can choose to receive an email about failed attempts. You can also whitelist or blacklist a set of IP addresses.
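To show what those two settings actually do, here is an added example in the form of a small must-use plugin. It is not code from Limit Login Attempts Reloaded or any other plugin named on this page; the `elal_` function names and transient keys are my own. It counts failures per client address, locks the address for 20 minutes after 4 failures, and refuses authentication on every path that goes through `wp_authenticate()`, which includes XML-RPC and custom login forms.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (mu-plugin)
 * Added example only; place in wp-content/mu-plugins/ to load it.
 */
defined( 'ABSPATH' ) || exit;

define( 'ELAL_MAX_ATTEMPTS', 4 );                       // failures before lockout
define( 'ELAL_LOCKOUT_SECS', 20 * MINUTE_IN_SECONDS );  // lockout time
define( 'ELAL_WINDOW_SECS', 12 * HOUR_IN_SECONDS );     // failures older than this are forgotten

// Behind Cloudflare or another proxy, REMOTE_ADDR is the proxy's address.
// Restore the real client IP at the web-server level rather than trusting
// X-Forwarded-For here, otherwise the counter can be tied to a spoofed address.
function elal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function elal_key( $prefix ) {
    return $prefix . md5( elal_client_ip() );
}

// Count each failure; lock the address once the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( elal_key( 'elal_lock_' ) ) ) {
        return; // already locked; retries must not extend the lockout
    }
    $fails = (int) get_transient( elal_key( 'elal_fail_' ) ) + 1;
    set_transient( elal_key( 'elal_fail_' ), $fails, ELAL_WINDOW_SECS );
    if ( $fails >= ELAL_MAX_ATTEMPTS ) {
        set_transient( elal_key( 'elal_lock_' ), time(), ELAL_LOCKOUT_SECS );
        delete_transient( elal_key( 'elal_fail_' ) );
        error_log( sprintf( 'elal: locked %s after %d failures (user "%s")',
            elal_client_ip(), $fails, sanitize_user( $username ) ) );
    }
} );

// Refuse authentication while locked. Priority 30 runs after WordPress's own
// username/password check (priority 20), so the result is the same lockout
// error whether or not the guessed password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( elal_key( 'elal_lock_' ) ) ) {
        return new WP_Error( 'elal_locked',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for this address.
add_action( 'wp_login', function () {
    delete_transient( elal_key( 'elal_fail_' ) );
} );
```

Transients are stored in the options table unless a persistent object cache is configured, so on a site that uses a non-persistent cache the counters may reset more often than the 20-minute setting suggests.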
Another good WordPress security plugin is Wordfence. Wordfence is a nice WordPress plugin that scans the whole blog for malware and vulnerable plugins. If it finds something that can affect your website's security, it will notify you. It also protects the blog against brute-force attacks. The plugin also lets you set the number of login attempts. If you set failed login attempts to 3, it will block the IP address if someone enters the wrong password 3 times. Wordfence is therefore also a good WordPress plugin to limit login attempts in WordPress.
I also recommend users start using Cloudflare. Even with the free service of Cloudflare, you get a good level of protection against automated scripts that try to perform brute-force attacks. If you are comfortable with paid services, try Sucuri. Sucuri is the best company offering website security services. It also has the best WordPress firewall, which adds a DNS-level website firewall, so all the traffic goes through a proxy that filters bad traffic. Sucuri also helps you keep your blog safe from malware and virus attacks.
You can also add a captcha on the WordPress login page. It will block automated scripts from submitting the login form without solving the captcha. There are several good captcha plugins for WordPress. I have already written an article on this. So, don't forget to explore articles on this blog to find useful WordPress tutorials.
I also recommend users use a strong password. A strong password is always hard to guess and hard to crack using brute-force attacks. There are several good strong password generator tools to generate a random and hard-to-guess password. If you find it hard to remember such passwords, start using a good password manager. But never compromise on security.
Even if you have several things to keep your website safe, always take a regular backup of your website.