How To Limit Login Attempts In WordPress? (Quick And Easy Plugin)


By default, your WordPress website allows unlimited login attempts, which malicious users and hackers can use to brute-force their way into your website. But such a potential calamity can be easily avoided if you limit the number of login attempts. And so, we have put together a quick tutorial to help you limit login attempts in WordPress.

How To Limit Login Attempts in WordPress?

To limit login attempts on your WordPress website, we are going to need the help of the Limit Login Attempts Reloaded plugin, since WordPress itself lacks any native solution.

With the plugin installed and activated on your WordPress website, a new Limit Login Attempts option will show up under the Settings section of your WordPress dashboard. Open it and you will be greeted with a lot of useful options as shown in the image below.

Now, set a limit to the login attempts by inserting a number in the “allowed retries” field, and that’s it.

For the purpose of this tutorial, we have set it to 4. This means a user will have to enter 4 incorrect username & password combinations before they are locked out from the login page.

Now, by following the above steps you can easily limit login attempts in WordPress. However, if you are new to WordPress and require a more detailed guide including steps on installing the plugin itself, then we encourage you to check out our in-depth tutorial on the topic down below.

An In-Depth Guide On How To Limit Login Attempts in WordPress

Step 1: Installing The Plugin

Go to your WordPress Dashboard > Plugins > Add New, and search for Limit Login in the provided search area. As you can see, there are plenty of plugins to help you out, but we have picked Limit Login Attempts Reloaded for this tutorial.

Step 2: Plugin Settings

With the plugin installed and activated on your WordPress website, head back over to your site’s dashboard and hover over the Settings section in the WordPress sidebar. You should notice a new option called Limit Login Attempts.

Click on it to open all the associated settings and options.

Step 3: Limit Login Attempts

Now, as you can see from the image above, here you will get all the necessary options to limit the number of login attempts on your site.

As per the provided image, a user will be allowed a maximum of 4 tries to guess the correct username & password combination. If they fail, they will be locked out for 20 minutes.

Of course, you can increase or decrease these numbers as you please. And don’t worry about getting locked out of your own site by forgetting your password. The plugin allows you to whitelist and blacklist certain IPs to save you from these troubles.

Whitelisted IPs (you can whitelist your IP as well) can still enjoy the luxury of unlimited login attempts whereas blacklisted IPs won’t be allowed to log in at all. At the top, there is also a dedicated section which lets you see the total number of lockouts.
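
The policy configured in Step 3, modelled as an added example (this is not code from this page or from the Limit Login Attempts Reloaded plugin): 4 allowed retries, a 20-minute lockout, and whitelist/blacklist handling per IP. The class and function names, the sample IP addresses, and the rule that a successful login clears the failure counter are assumptions of this example.

```python
import math
import time
class LoginLimiter:
    # Hypothetical model of the policy in Step 3; not the plugin's own code.
    def __init__(self, allowed_retries=4, lockout_minutes=20,
                 whitelist=(), blacklist=(), clock=time.monotonic):
        self.allowed_retries = allowed_retries
        self.lockout_seconds = lockout_minutes * 60
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.clock = clock        # injectable so lockout expiry can be simulated
        self.failures = {}        # ip -> failed attempts since the last reset
        self.locked_until = {}    # ip -> clock value at which the lockout ends
        self.total_lockouts = 0   # what the "total lockouts" counter would show

    def check(self, ip):
        """Decide whether this IP may try a password at all."""
        if ip in self.blacklist:
            return False, "blacklisted"
        if ip in self.whitelist:
            return True, "whitelisted"
        remaining = self.locked_until.get(ip, 0) - self.clock()
        if remaining > 0:
            return False, f"locked out, {math.ceil(remaining / 60)} min left"
        return True, f"retries left: {self.allowed_retries - self.failures.get(ip, 0)}"

    def attempt(self, ip, password_ok):
        """Process one login; a blocked IP is refused before the password counts."""
        allowed, reason = self.check(ip)
        if not allowed:
            return False, reason
        if password_ok:
            self.failures.pop(ip, None)   # assumption: success clears the counter
            return True, "logged in"
        if ip not in self.whitelist:      # whitelisted IPs are never counted
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.allowed_retries:
                self.locked_until[ip] = self.clock() + self.lockout_seconds
                self.failures[ip] = 0
                self.total_lockouts += 1
        return False, self.check(ip)[1]

def demo():
    now = [0.0]   # constructed scenario: fake clock, in seconds
    lim = LoginLimiter(clock=lambda: now[0])
    out = [lim.attempt("203.0.113.5", False) for _ in range(4)]
    out.append(lim.attempt("203.0.113.5", True))  # right password, still refused
    now[0] += 20 * 60                             # the lockout expires
    out.append(lim.attempt("203.0.113.5", True))
    return out, lim.total_lockouts
```

Note that during the lockout even the correct password is refused, which is why whitelisting your own IP matters if you tend to mistype your password.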

Other Plugins For Security and Limiting Login Attempts

  • WP Limit Login Attempts – this plugin is simple to install and activate. It will limit the rate of login attempts and block that IP temporarily while detecting bots by captcha verification. Features:
    • Login Security – Limit Login Attempts and track user login attempts
    • Captcha Verification
    • Lightweight plugin
    • Mechanism to slow down brute-force attacks
    • Redirects to the home page on abnormal requests (it will stop hacking tools)
    • GDPR compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).
    • Free; they do take donations, however, so if you like, feel free to drop them anything, even a buck
  • Limit Login Attempts Reloaded – another great plugin that limits login attempts through your normal login and through authorized cookies. Features listed on their site, more than I thought:
    • Limit the number of retry attempts when logging in (per each IP). This is fully customizable.
    • Limit the number of attempts to log in using authorization cookies in the same way.
    • Informs the user about the remaining retries or lockout time on the login page.
    • Optional logging and optional email notification.
    • It is possible to whitelist/blacklist IPs and Usernames.
    • Sucuri Website Firewall compatibility.
    • XMLRPC gateway protection.
    • WooCommerce login page protection.
    • Multi-site compatibility with extra MU settings.
    • GDPR compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).
    • Custom IP origins support (Cloudflare, Sucuri, etc.)
  • WPS Limit Login – this is our last plugin on the list. Same thing: it limits login attempts and cookies. Features listed:
    • Limit the number of retry attempts when logging in (per each IP). This is fully customizable.
    • Limit the number of attempts to log in using authorization cookies in the same way.
    • Informs the user about the remaining retries or lockout time on the login page.
    • Optional logging and optional email notification.
    • Handles servers behind a reverse proxy.
    • It is possible to whitelist/blacklist IPs.
    • Sucuri Website Firewall compatibility.
    • XMLRPC gateway protection.
    • WooCommerce login page protection.
    • Multi-site compatibility with extra MU settings.

COST: All of these plugins are free, as they are open-source software.

Conclusion

This is obviously a non-issue when first starting your website, but if you do it in the beginning, these plugins are just set and forget. Then your main focus can be on what is important, and that is content.

WordPress unfortunately allows unlimited login attempts. This can be a very scary thing when you are attacked by a hacker or bot, and it can bring your site down instantly due to what is called a Brute Force Attack, as they try different passwords.

So with this piece of software, which is FREE, you can limit login attempts and temporarily shut out the user who is trying to log in, at which point they are likely to move on. This in turn keeps your site safe and gives you a simple extra layer of security.

This is honestly a no-brainer to throw something like this on your WordPress site so you don’t lose your info and get hijacked. This has happened to us numerous times in the past, when you could just build a site and let it sit there earning passive income.

Sure enough, we would log in months down the road and find we had been hijacked. Nowadays you are likely to log in at a higher frequency, since most sites need to be updated from time to time.

Tab Winner

Hello, my name is Tab Winner. I have a degree in Information Technology with a concentration in Web Development, which honestly doesn’t mean much in today's world with the entourage of site builders at anyone's disposal. I have been a full-time entrepreneur since May 2016. I haven't looked back since.
