How To Limit Login Attempts in WordPress (Easy Guide)

How To Limit Login Attempts in WordPress

Are you looking for a way to secure your website from brute force attacks by limiting login attempts?

WordPress websites, especially new off-the-shelf websites, are vulnerable to brute force attacks where hackers use automated scripts and long lists of usernames and passwords to crack website login. Since WordPress doesn't limit login attempts by default, unsecured websites often fall victim to these attacks. 

The good part is that there's a simple fix to this problem. By simply limiting the number of attempts users have for logging into your website, you can protect your website against brute force attacks.  

In this article, we’ll show you how to limit login attempts on a WordPress site using the LoginPress plugin's Limit Login Attempts add-on.

Table of Content

Why Should You Limit Login Attempts in WordPress?

Perhaps the worst thing about brute force attacks is that automated scripts carry out the attacks in almost all events. These programs can try out hundreds of usernames and passwords in an hour. As you can imagine, it is only a matter of time before these scripts guess the right credentials. 

Since WordPress doesn't limit login attempts, it is an easy target for hackers who opt for brute force attacks against your WordPress websites. 

That's where the LoginPress Limit Login Attempts add-on comes to the rescue. It allows you to set the number of attempts a user has before they are denied access to your website. As a result, brute force attacks fail because the scripts no longer have unlimited login attempts. 

Now that you know the theory behind how the LoginPress Limit Login Attempts add-on works, it's time to see it in action. 

How to Limit Login Attempts on Your WordPress Site Using LoginPress

Limiting login attempts to protect your website against brute force attacks through LoginPress is pretty simple. We'll now describe setting up the Limit Login Attempts add-on. 

This add-on blocks IP or username from making further attempts after reaching a specified login limit. This way, it makes a brute force attack impossible.

Important Note: The following steps assume that you already have LoginPress installed and activated on your WordPress website. For more information, you can check our article on How To Install And Activate LoginPress.

Step 1: Download Limit Login Attempts add-on

The first thing you need to do is download the Limit Login Attempts add-on. In order to do this, you need to Log in to your WPBrigade account and navigate to the Downloads page.

Once you’re on the downloads page, look for the Limit Login Attempts add-on and click on the Download button.

For further ado, see the screenshot below:

Download Limit Login Attempts

Step 2: Install and Activate the Plugin

After you have downloaded the plugin, you need to install and activate it. You can do this by going to your WordPress Dashboard and navigating to the Plugins Page.

Once you’re on the plugins page, click on the Add New button and then upload the plugin file that you downloaded.

Upload plugin

After you have uploaded the plugin, click on the Install Now and Activate Plugin button.

Install Now Plugin

At this point, the add-on is ready for action.

Step 3: Set Up Login Attempts  

Now that the plugin is activated, you need to navigate LoginPress > Settings. On the settings page, you’ll see the Limit Login Attempts tab. Click on the tab and then you’ll be able to configure the plugin.

Limit Login Attempts Tab

There are 3 major settings that you need to configure:

  1. Attempts Allowed: This is the number of login attempts that a user is allowed before they are locked out. While you can set any number, we suggest 3 or 5 tries to discourage brute force attacks.
  2. Minutes Lockout: In this field, you need to enter the number of minutes a user won’t be able to access website login after they’ve exhausted this limit. Usually, this number is set to 30 minutes to deter automated login scripts.  
  3. IP Address: You can also lock an IP address if it tries to log in too many times. Just enter the IP address in this field and it will be locked out. 

Once you have configured the settings, click on the Save Changes button.

That’s all! You have successfully limited login attempts at your WordPress website. 

See the Attempts Report for Details

In addition to setting the number of attempts and the lockout duration, the Limit Login Attempts add-on offers an excellent reporting feature that gives all essential details of the users who have tried to log into your website.

You can view the details and decide if you wish to "unlock" the user or blacklist them. 

See the Attempts Report for Details

When you whitelist an IP, you’re essentially removing the login restrictions for the user. On the other hand, when you blacklist an IP, they'd no longer access your website's login page(s). 

To remove an IP from the whitelist or blacklist, go to the appropriate tab and hit Clear.

Final Thoughts

Limiting the number of login attempts for all users is a simple yet effective way of protecting your website against automated brute force attacks. While WordPress doesn't offer this functionality as a part of the core features, the LoginPress Limit Login Attempts add-on fills in the gap nicely. 

Since WordPress powers a good portion of the internet and is thus an easy target for cybercriminals, we strongly urge you to set up login attempts so that you can rest easy about brute force attacks. 

Let us know if you have trouble setting up the add-on, and we'll get back to you. Start using LoginPress to limit login attempts and protect your websites from brute force attacks. 

Frequently Ask Questions

Can I get locked out of my WordPress website?

Yes. If you try to log into your website using incorrect credentials, you'll be denied access after you exceed the login attempts limit.

What is Account Lockout duration?

Account lockout duration is the time interval during which your account remains locked. The website administrator sets this duration. You can retry logging into your account once the lockout period is over.

Does WordPress limit login attempts by default?

WordPress offers "unlimited" login attempts to all users. However, you need to use a plugin such as LoginPress to limit the number of login attempts available to the users.

That's all! You can also check out How to make LoginPress work with WordPress.com and LoginPress & Vanta,Js guide.

Not using LoginPress yet? What are you waiting for?

Leave a comment

Your email address will not be published. Required fields are marked *