One of the most common approaches that hackers use to gain unauthorized access to WordPress® sites is a brute force attack that tries to guess the admin credentials. Brute force attacks are simple in concept: try different usernames and passwords in quick succession until one of them succeeds in gaining access to a site.
Brute force attacks rely on the ability to try many different combinations of credentials until one of them works. Therefore, limiting the number of login attempts on a site is an effective way to slow down, or even stop, these kinds of attacks.
Limit Login Attempts
This plugin works exactly as its name suggests: after reaching a specified limit on login retries, Limit Login Attempts blocks an Internet address from making additional login attempts. It informs the user about the number of remaining retries or the lockout time on the login page.
Login LockDown
Want a record of the IP address and time for every failed login attempt? Then Login LockDown’s your guy. This plugin disables the login function if it detects more than a specified number of attempts from the same IP range within a short time frame. It currently defaults to a one-hour login lockout after three failed attempts within five minutes, but allows administrators to manually release locked-out IP ranges.
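The lockout policy described above (three failed attempts within five minutes from one IP range, a one-hour lockout, manual release by an administrator) can be modeled in a few lines. This is an added example, not code from either plugin; the class and function names are hypothetical, the sample events are constructed, and treating "IP range" as the IPv4 /24 is an assumption.

```python
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3      # failed attempts before lockout (default stated above)
WINDOW = 5 * 60       # seconds in which those failures must fall
LOCKOUT = 60 * 60     # lockout length in seconds
PREFIX = 24           # assumption: "IP range" means the IPv4 /24

class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> recent failure times
        self.locked_until = {}              # range -> time the lockout ends
        self.log = []                       # (time, ip) of every failed attempt

    @staticmethod
    def _range(ip):
        return str(ipaddress.ip_network(f"{ip}/{PREFIX}", strict=False))

    def is_locked(self, ip, now):
        return self.locked_until.get(self._range(ip), 0) > now

    def attempt(self, ip, ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"                 # credentials are never checked
        if ok:
            return "ok"
        self.log.append((now, ip))
        recent = self.failures[self._range(ip)]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[self._range(ip)] = now + LOCKOUT
            recent.clear()
        return "failed"

    def release(self, ip):
        """Administrator manually releases a locked-out range."""
        self.locked_until.pop(self._range(ip), None)

def replay(events):
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events], limiter

# Constructed sample events: (seconds, source IP, password correct?)
EVENTS = [(0, "203.0.113.5", False), (10, "198.51.100.1", False),
          (60, "203.0.113.9", False), (120, "203.0.113.5", False),
          (130, "203.0.113.77", True), (3800, "203.0.113.5", True)]
```

Note the fifth event: a correct password from a neighbouring address in the locked range is still refused, which is the trade-off of locking by range rather than by single address.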
Both of these plugins have been downloaded hundreds of thousands of times and are staples of securing WordPress sites against this type of intrusion. Make sure you’re using one of them.