How and Why you should Limit Login Attempts in your WordPress

From time to time hackers may try to break into your WordPress site by guessing your admin password. By default, WordPress allows users to try different passwords as many times as they want. This is also known as brute force attack. However, you can change this and add an extra layer of security to your WordPress site. In this article, we will show you how and why you should limit login attempts in your WordPress.

Limit login attempts in WordPress

Why you need to Limit Login Attempts in WordPress?

By default, WordPress allows users to enter passwords as many times as they want. Hackers may try to exploit this by using scripts that enter different combinations until your website cracks.

To prevent this, you can limit the number of failed login attempts per user.

For example, you can say after 5 failed attempts, lock the user out temporarily.

If someone has more than 5 failed attempts, then your site block their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer.

Locked out for too many login attempts

How to Limit Login Attempts in WordPress?

First thing you need to do is install and activate the Login LockDown plugin. Upon activation, you need to visit Settings » Login LockDown page to configure the plugin settings.

Login LockDown settings

First you need to define how many login attempts can be made. After that choose how long a user will be unable to retry if they exceed the failed attempts.

You can also define the lockout period for IP range blocks. The default value is 60 minutes, you can adjust that if you need.

The plugin will allow users to keep trying different invalid usernames. Click on yes under lockout invalid usernames option to stop this.

By default, WordPress lets users know that whether they entered an invalid username or invalid password on failed logins. You can hide this by clicking yes under mask login errors option.

Don’t forget to click on the update settings button to store your changes.

Pro Tip

The first layer of protection to your WordPress sites is your passwords. You should always use strong passwords on your WordPress site. We understand that strong passwords are difficult to remember. But see our beginner’s guide which shows the best way to manage passwords for WordPress users.

If you run a multi-author WordPress site, then see how you can force strong passwords on users in WordPress.

No website is 100% safe because hackers always find new ways to get around the system. That’s why it’s crucial that you keep complete backups of your WordPress site at all times. We recommend BackupBuddy plugin. Here’s a list of the best WordPress backup plugins.

If your website is a business, then we strongly recommend that you add a firewall which takes care of the brute-force attacks and so much more. We use Sucuri which guarantees our safety and if anything happens to our site, then their team is responsible to fix it at no-additional charge.

We hope you found this article useful, and you have successfully added login attempts limit to your WordPress site. You may also want to see our list of 13 vital tips and tools to protect your WordPress admin area.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

To leave a comment please visit How and Why you should Limit Login Attempts in your WordPress on WPBeginner.