Limit login attempts on WordPress

Christopher Carfi

One of the most common ways attackers gain unauthorized access to WordPress sites is a brute force attack that tries to guess the administrator's credentials. Brute force attacks are simple in concept: submit different usernames and passwords in quick succession until one of them succeeds in logging in to the site.

Brute force attacks rely on being able to try many combinations of credentials until one works. Limiting the number of login attempts a single source can make is therefore an effective way to slow down, or even stop, this kind of attack. It is a mitigation rather than a cure: an attacker who spreads the attempts across many addresses (a botnet) is slowed far less by a per-address limit, so strong, unique passwords and two-factor authentication still matter.

Two common plugins for limiting login attempts are the aptly named Limit Login Attempts plugin and Login LockDown.

Note: GoDaddy Managed WordPress comes with Limit Login Attempts preinstalled.

Plugin Option 1: Limit Login Attempts

The Limit Login Attempts plugin works exactly as its name suggests: once an IP address reaches a configured number of failed login retries, the plugin blocks that address from making further attempts for a configured lockout period. On the login page it tells the user how many retries remain or how long the lockout lasts.

Limit Login Attempts Plugin Settings Screen

Plugin Option 2: Login LockDown

Want a record of the IP address and time of every failed login attempt? Then the Login LockDown plugin is the one for you. It blocks logins when it sees more than a specified number of failed attempts from the same IP range within a short time frame. It currently defaults to a one-hour lockout after three failed attempts within five minutes, and it lets administrators manually release locked-out IP ranges.

Login LockDown plugin options
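To show what the lockout logic in both plugins boils down to, here is an added example of a small must-use plugin that implements the policy described above (three failures from one address within five minutes, then a one-hour lockout) using only WordPress core hooks. It is written for this page and is not the code of Limit Login Attempts or Login LockDown; the plugin name, the `example_lockout_*` function and transient names, and the policy constants are assumptions chosen for illustration. It relies on the real `wp_login_failed` action, the `authenticate` filter, the `wp_login` action and the transients API.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example of per-address login throttling; not the code of
 *              Limit Login Attempts or Login LockDown. Drop this file into
 *              wp-content/mu-plugins/ to activate it.
 *
 * Policy (assumed, copied from the Login LockDown defaults quoted in the text):
 * three failed logins from one address within five minutes lock that address
 * out for one hour. State is kept in WordPress transients.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

const EXAMPLE_LOCKOUT_MAX_FAILURES = 3;
const EXAMPLE_LOCKOUT_WINDOW       = 5 * MINUTE_IN_SECONDS;
const EXAMPLE_LOCKOUT_DURATION     = HOUR_IN_SECONDS;

/**
 * Identify the client. REMOTE_ADDR is the TCP peer, so behind a reverse proxy
 * or CDN it is the proxy's address and every visitor would share one counter
 * (one attacker could then lock out the whole site). In that deployment, take
 * the address from the proxy's forwarding header instead, and only after
 * confirming REMOTE_ADDR is the trusted proxy, because clients can forge the header.
 */
function example_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key( $prefix ) {
    // Hash the address so the transient name stays short and contains only safe characters.
    return $prefix . md5( example_lockout_client_ip() );
}

function example_lockout_active() {
    $until = get_transient( example_lockout_key( 'example_lockout_until_' ) );
    return false !== $until && (int) $until > time();
}

// 1. Count failures. WordPress fires this whenever wp_authenticate() rejects a
//    credential, which includes xmlrpc.php logins, not only wp-login.php.
add_action( 'wp_login_failed', function ( $username ) {
    if ( example_lockout_active() ) {
        return; // Rejections caused by the lockout itself must not extend it.
    }
    $fail_key = example_lockout_key( 'example_lockout_fail_' );
    $failures = (int) get_transient( $fail_key ) + 1;

    if ( $failures >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        set_transient(
            example_lockout_key( 'example_lockout_until_' ),
            time() + EXAMPLE_LOCKOUT_DURATION,
            EXAMPLE_LOCKOUT_DURATION
        );
        delete_transient( $fail_key );
        // Keep the record Login LockDown is praised for: who, when, after what.
        error_log( sprintf(
            'login lockout: %s locked for %ds after %d failures (last username "%s")',
            example_lockout_client_ip(), EXAMPLE_LOCKOUT_DURATION, $failures, $username
        ) );
        return;
    }
    // The transient's expiry is the five-minute window: once it lapses the count restarts.
    set_transient( $fail_key, $failures, EXAMPLE_LOCKOUT_WINDOW );
} );

// 2. Enforce the lockout. Priority 99999 runs after core's own username/password
//    and cookie handlers (priorities 20 and 30), so a locked-out client is refused
//    even with the correct password and cannot tell whether a guess was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! example_lockout_active() ) {
        return $user;
    }
    $remaining = (int) get_transient( example_lockout_key( 'example_lockout_until_' ) ) - time();
    return new WP_Error(
        'example_too_many_attempts',
        sprintf( 'Too many failed login attempts. Try again in %d minutes.', max( 1, ceil( $remaining / 60 ) ) )
    );
}, 99999, 3 );

// 3. A successful login clears the failure counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key( 'example_lockout_fail_' ) );
} );
```

Two design points are worth noting. The enforcement filter runs last rather than first because core's `wp_authenticate_username_password` ignores an incoming `WP_Error` when a username and password are present and checks the password anyway, so a lockout hooked early would simply be overwritten. And the failure counter is skipped while a lockout is active, otherwise every blocked request would count as a new failure and an attacker could keep the address locked indefinitely.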

Both of these plugins have been downloaded hundreds of thousands of times and are staples of securing WordPress sites against this type of intrusion. Whichever you choose, check that it sees the real client address if your site sits behind a CDN or reverse proxy; otherwise every visitor appears to come from the proxy, and one attacker's failed attempts can lock everyone out. They are great resources to help limit login attempts on WordPress, so make sure you're using one of them.
