How and Why You Should Limit Login Attempts in Your WordPress

Michael Oldborn


As you might already know, there are malicious people who try to do harm to your website, and there always will be. They can carry out any kind of cyber attack on your site and get you in trouble. From time to time, such hackers might try to access your site by guessing your administrator password. By default, WordPress allows users to try as many different passwords as they want. Guessing passwords this way is known as a brute force attack.

You can add an extra layer of security to your WordPress site. In this article, we’re going to explain in detail how you can limit WordPress login attempts and why you should do that.

Why Should You Limit Login Access in WordPress?


As mentioned above, WordPress by default allows users to enter their passwords as many times as they want. Hackers take advantage of this and try to access your site repeatedly, using scripts that try different combinations.

To avoid this situation, you need to limit unsuccessful login attempts per user. For example, as you can see in visual 1, the user is temporarily locked out after 3 failed attempts.

When the user reaches more than 3 unsuccessful attempts, your site temporarily blocks their IP, depending on the settings you have made. You can set the time to 5 minutes, 15 minutes, or 24 hours as you wish.

V 1

How To Limit Login Attempts In WordPress?

There is quite a simple way to limit login attempts in WordPress. All you have to do is download and install the Login LockDown plugin. After activating this plugin, you can set it up as needed.

V 2

You can define after how many failed attempts the user should be locked out. You can also define the lockout period for IP range blocks. As you can see in the screenshot above, the lockout time is 60 minutes by default, but you can adjust it if you need to.

By default, this plugin allows users to try different invalid user names. To turn this off, check "Yes" under Lockout Invalid Usernames, and then make sure you save the changes you made.
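The lockout rule and the settings described above can be modelled in a few lines. This is an added example, not Login LockDown's code and not part of the original article; the class name, the retry window and the sample IP addresses are assumptions, while the threshold of 3 and the 60-minute lockout come from the text.

```python
from dataclasses import dataclass, field

@dataclass
class LoginLimiter:  # hypothetical name, models the policy only
    max_attempts: int = 3              # failures that trigger a lockout
    retry_window: int = 5 * 60         # seconds over which failures count (assumed)
    lockout_seconds: int = 60 * 60     # 60-minute lockout, as in the article
    lock_invalid_usernames: bool = True
    failures: dict = field(default_factory=dict)      # ip -> failure times
    locked_until: dict = field(default_factory=dict)  # ip -> unlock time

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip, user_exists, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"            # rejected before the password is checked
        if user_exists and password_ok:
            self.failures.pop(ip, None)
            return "ok"
        if not user_exists and not self.lock_invalid_usernames:
            return "failed"            # unknown user names are not counted
        # Keep only failures inside the retry window, then add this one.
        recent = [t for t in self.failures.get(ip, []) if now - t < self.retry_window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures.pop(ip, None)
        return "failed"

def replay(limiter, events):
    """Feed (ip, user_exists, password_ok, unix_time) tuples to the limiter."""
    return [limiter.attempt(*event) for event in events]

# Constructed sample events (documentation IP ranges, times in seconds).
EVENTS = [
    ("203.0.113.7", True, False, 0),
    ("203.0.113.7", True, False, 10),
    ("203.0.113.7", True, False, 20),        # third failure starts the lockout
    ("203.0.113.7", True, True, 30),         # correct password, still rejected
    ("198.51.100.4", True, True, 40),        # a different IP is unaffected
    ("203.0.113.7", True, True, 20 + 3600),  # lockout has expired
]

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(LoginLimiter(), EVENTS)):
        print(event, "->", result)
```

The fourth event shows why the lockout matters: once the IP is locked, even the correct password is refused until the period ends.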

Our Advice on This Topic, as the Ninetheme Team

The most important layer of protection for your site is the passwords you set in WordPress. Always try to use strong passwords for login. Strong passwords are more difficult to crack. No website can be called completely safe, whether it is WordPress based or not. So make sure to make a backup of your site. You can do this by using the Backup plugin, which we recommend.

We also strongly recommend that you add a firewall against the brute force attacks mentioned above. The Sucuri plugin will help you do exactly that. You can download and use this plugin.

Please let us know your opinions or post your questions about this topic. We’d love to hear your feedback if this post helps you out.
