How To Limit Login Attempts in WordPress (Easy Guide)


Are you looking for a way to secure your website from brute force attacks by limiting login attempts?

WordPress websites, especially new off-the-shelf websites, are vulnerable to brute force attacks where hackers use automated scripts and long lists of usernames and passwords to crack the website's login. Since WordPress doesn't limit login attempts by default, unsecured websites often fall victim to these attacks.

The good part is that there's a simple fix to this problem. By simply limiting the number of attempts users have for logging into your website, you can protect your website against brute force attacks.  

In this article, we’ll show you how to limit login attempts on a WordPress site using the LoginPress plugin's Limit Login Attempts add-on.


Why Should You Limit Login Attempts in WordPress?

Perhaps the worst thing about brute force attacks is that automated scripts carry out the attacks in almost all cases. These programs can try out hundreds of usernames and passwords in an hour. As you can imagine, it is only a matter of time before these scripts guess the right credentials.

Since WordPress doesn't limit login attempts, it is an easy target for hackers who opt for brute force attacks against your WordPress websites. 

That's where the LoginPress Limit Login Attempts add-on comes to the rescue. It allows you to set the number of attempts a user has before they are denied access to your website. As a result, brute force attacks fail because the scripts no longer have unlimited login attempts. 

Now that you know the theory behind how the LoginPress Limit Login Attempts add-on works, it's time to see it in action. 

How to Limit Login Attempts on Your WordPress Site Using LoginPress

Limiting login attempts to protect your website against brute force attacks through LoginPress is pretty simple. We'll now describe setting up the Limit Login Attempts add-on. 

This add-on blocks an IP address or username from making further attempts once it reaches the specified login limit. This way, automated scripts no longer have unlimited attempts, and the brute force attack fails.

Important Note: The following steps assume that you already have LoginPress installed and activated on your WordPress website. For more information, you can check our article on How To Install And Activate LoginPress.

Step 1: Download Limit Login Attempts add-on

The first thing you need to do is download the Limit Login Attempts add-on. To do this, log in to your WPBrigade account and navigate to the Downloads page.

Once you’re on the downloads page, look for the Limit Login Attempts add-on and click on the Download button.


Step 2: Install and Activate the Plugin

After you have downloaded the plugin, you need to install and activate it. You can do this by going to your WordPress Dashboard and navigating to the Plugins Page.

Once you’re on the plugins page, click on the Add New button and then upload the plugin file that you downloaded.


After you have uploaded the plugin, click on the Install Now button and then on the Activate Plugin button.


At this point, the add-on is ready for action.

Step 3: Set Up Login Attempts  

Now that the plugin is activated, navigate to LoginPress > Settings. On the settings page, you’ll see the Limit Login Attempts tab. Click on the tab to configure the plugin.


There are 3 major settings that you need to configure:

  1. Attempts Allowed: This is the number of login attempts that a user is allowed before they are locked out. While you can set any number, we suggest 3 or 5 tries to discourage brute force attacks.
  2. Minutes Lockout: In this field, you need to enter the number of minutes a user won’t be able to access the website login after they’ve exhausted the attempts limit. Usually, this number is set to 30 minutes to deter automated login scripts.
  3. IP Address: You can also lock an IP address if it tries to log in too many times. Just enter the IP address in this field and it will be locked out. 

Once you have configured the settings, click on the Save Changes button.

That’s all! You have successfully limited login attempts on your WordPress website.

See the Attempts Report for Details

In addition to setting the number of attempts and the lockout duration, the Limit Login Attempts add-on offers an excellent reporting feature that gives all essential details of the users who have tried to log into your website.

You can view the details and decide if you wish to "unlock" the user or blacklist them. 


When you whitelist an IP, you’re essentially removing the login restrictions for the user. On the other hand, when you blacklist an IP, it can no longer access your website's login page(s).

To remove an IP from the whitelist or blacklist, go to the appropriate tab and hit Clear.
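To make the interaction between Attempts Allowed, Minutes Lockout and the whitelist/blacklist concrete, here is an added Python model of the policy described above; it is not LoginPress code. The class and function names, the choice to count failures per IP and per username at the same time, and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LoginLimiter:
    """Illustrative model of a login-attempt limit (hypothetical, not the add-on's code)."""
    attempts_allowed: int = 3      # "Attempts Allowed" setting
    lockout_minutes: int = 30      # "Minutes Lockout" setting
    blacklist: set = field(default_factory=set)       # IPs always refused
    whitelist: set = field(default_factory=set)       # IPs exempt from limits
    failures: dict = field(default_factory=dict)      # key -> failed attempts so far
    locked_until: dict = field(default_factory=dict)  # key -> minute the lock ends

    def attempt(self, minute, ip, username, password_ok):
        """Process one login attempt and return its outcome as a string."""
        if ip in self.blacklist:
            return "blacklisted"
        # Assumption: limits are tracked for the IP and for the username.
        keys = [] if ip in self.whitelist else [("ip", ip), ("user", username)]
        if any(self.locked_until.get(k, 0) > minute for k in keys):
            return "locked"        # the password is not even checked
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)   # a good login clears the counters
            return "success"
        for k in keys:
            self.failures[k] = self.failures.get(k, 0) + 1
            if self.failures[k] >= self.attempts_allowed:
                self.locked_until[k] = minute + self.lockout_minutes
                self.failures[k] = 0
        return "failed"

# Constructed sample events: (minute, ip, username, password_ok)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "admin", False),
    (1, "203.0.113.7", "admin", False),
    (2, "203.0.113.7", "admin", False),   # third failure starts the lockout
    (3, "203.0.113.7", "editor", False),  # same IP, now locked
    (4, "198.51.100.9", "admin", True),   # username is locked for everyone
    (5, "192.0.2.10", "admin", True),     # whitelisted IP is not restricted
    (6, "192.0.2.66", "admin", True),     # blacklisted IP is always refused
    (33, "203.0.113.7", "admin", False),  # lock ended at minute 32
]

def replay(events, limiter):
    """Run the events in order and return the list of outcomes."""
    return [limiter.attempt(*event) for event in events]

if __name__ == "__main__":
    demo = LoginLimiter(whitelist={"192.0.2.10"}, blacklist={"192.0.2.66"})
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, demo)):
        print(event, "->", outcome)
```

In this model a lockout on the username also refuses a correct password from another address until the timer runs out, which is why whitelisting the administrator's own IP matters when you pick a low attempt limit.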

Final Thoughts

Limiting the number of login attempts for all users is a simple yet effective way of protecting your website against automated brute force attacks. While WordPress doesn't offer this functionality as a part of the core features, the LoginPress Limit Login Attempts add-on fills in the gap nicely. 

Since WordPress powers a good portion of the internet and is thus an easy target for cybercriminals, we strongly urge you to set up a login attempts limit so that you can rest easy about brute force attacks.

Let us know if you have trouble setting up the add-on, and we'll get back to you. Start using LoginPress to limit login attempts and protect your websites from brute force attacks. 

Frequently Asked Questions

Can I get locked out of my WordPress website?

Yes. If you try to log into your website using incorrect credentials, you'll be denied access after you exceed the login attempts limit.

What is Account Lockout duration?

Account lockout duration is the time interval during which your account remains locked. The website administrator sets this duration. You can retry logging into your account once the lockout period is over.

Does WordPress limit login attempts by default?

No. WordPress offers "unlimited" login attempts to all users. You need to use a plugin such as LoginPress to limit the number of login attempts available to the users.

That's all! You can also check out How to make LoginPress work with WordPress.com and the LoginPress & Vanta.js guide.


Frequently Asked Questions (FAQs)

These FAQs answer the most common questions about our WordPress custom login page plugin.


Is LoginPress WPML Compatible?

LoginPress fully supports multilingual sites. It is also compatible with the WPML plugin, which means you can easily translate your login page using the translation options that WPML provides.

Is LoginPress translation ready?

Yes, LoginPress has full translation and localization support via the LoginPress textdomain. All .mo and .po translation files should go into the languages folder in the base of the plugin.

Are coding skills needed to use LoginPress?

No, it is very easy to set up. Just plug and play. Have fun!

How to Install or Use LoginPress Pro?

Step-by-step instructions on how to upgrade from the existing Free version to Pro:
1. You have installed and set up the Free version already.
2. Upload the Pro version.
3. Pro features will be enabled automatically.
4. You don’t need to set up Free version options again.
5. Set up Pro features like Google fonts, Google reCaptcha, Choose themes, etc.

Where is my license key?

The license key is the Order ID, which looks like this:
WHI150807-1234-12345
You can find it in the email Sales Receipt.
