Limit login attempts on WordPress

Lock it down

One of the most common approaches that hackers use to gain unauthorized access to WordPress sites is a brute force attack to attempt to guess the admin credentials. Brute force attacks are simple in concept: try different usernames and passwords in quick succession until one of them succeeds in gaining access to a site.

Brute force attacks rely on the ability to try many different combinations of credentials until one of them works. Therefore, limiting the number of login attempts on a site is an effective way to slow down, or even stop, these kinds of attacks.

Two common plugins for limiting login attempts are the eponymous Limit Login Attempts plugin and Login Lockdown.

Note: GoDaddy Managed WordPress comes with Limit Login Attempts preinstalled.

Plugin Option 1: Limit Login Attempts

The Limit Login Attempts plugin works exactly as its name suggests: after a specified limit on login retries is reached, it blocks an Internet (IP) address from making additional login attempts. It informs the user about the number of remaining retries or the lockout time on the login page.

Limit Login Attempts Plugin Settings Screen

Plugin Option 2: Login Lockdown

Want a record of the IP address and time for every failed login attempt? Then the Login LockDown plugin is your guy. This plugin disables the login function if it detects more than a specified number of attempts from the same IP range within a short time frame. It currently defaults to a one-hour login lockout after three failed attempts within five minutes but allows administrators to manually release locked-out IP ranges.

Login Lockdown Plugin Options
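The lockout policy described above, modelled in Python as an added example (this is not Login LockDown's own code). The thresholds are the defaults quoted in this post; treating an "IP range" as an IPv4 /24 and the class and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3            # failed attempts that trigger a lockout (default quoted above)
WINDOW_SECONDS = 5 * 60     # failures must fall within five minutes
LOCKOUT_SECONDS = 60 * 60   # lockout lasts one hour
RANGE_PREFIX = 24           # assumption: "IP range" modelled as an IPv4 /24

class LoginLockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lockout expires
        self.audit_log = []                 # (time, ip) for every failed attempt

    @staticmethod
    def ip_range(ip):
        return str(ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))

    def is_locked(self, ip, now):
        return self.locked_until.get(self.ip_range(ip), 0) > now

    def attempt(self, ip, success, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if self.is_locked(ip, now):
            return "locked"              # refused before credentials are checked
        if success:
            return "ok"
        self.audit_log.append((now, ip))
        recent = self.failures[self.ip_range(ip)]
        recent.append(now)
        while recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()             # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[self.ip_range(ip)] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"

    def release(self, ip):
        # Administrator manually releases a locked-out range.
        self.locked_until.pop(self.ip_range(ip), None)

def replay(events):
    """Run (time, ip, success) events through a fresh policy."""
    policy = LoginLockout()
    return [policy.attempt(ip, ok, t) for t, ip, ok in events], policy

# Constructed sample: three failures spread across one /24, then valid logins.
SAMPLE = [(0, "203.0.113.10", False), (60, "203.0.113.11", False),
          (120, "203.0.113.12", False), (130, "203.0.113.10", True),
          (130, "198.51.100.7", True), (3721, "203.0.113.10", True)]
```

Replaying `SAMPLE` shows the trade-off of range-based lockouts: a correct password from 203.0.113.10 is refused at t=130 because its neighbours exhausted the range's attempts, while the unrelated 198.51.100.7 logs in normally.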

Both of these plugins have been downloaded hundreds of thousands of times and are staples of securing WordPress sites against this type of intrusion. They are great resources to help limit login attempts on WordPress, so make sure you’re using one of them.


Also published on Medium.

Image by: snamess via Compfight cc

Christopher Carfi
A veteran of both startups and the enterprise, Chris has a deep track record in developing customer community and evangelist programs for brands such as Adobe, H&R Block and Aruba Networks while holding executive positions at Ant’s Eye View and Edelman Digital, and he was co-founder and CEO at Cerado. He currently lives in the Bay Area with his family.