As a WordPress website owner, you might know brute force attacks are the most common type of cyber attack that your website might experience.
In simple words, brute force attacks are when someone tries to get past your website’s security system by continuously guessing the password until they successfully break into your website.
However, these brute force attacks can be prevented by limiting the login access to your WordPress website.
In this post, we have featured a step-by-step walkthrough that demonstrates how to limit the login access on WordPress.
Before rushing to the guide, let’s take a sneak peek into the reasons why you should limit login attempts on WordPress.
Why Should You Limit Login Attempts on WordPress?
WordPress is safe and secure and takes the security of your websites very seriously. However, when it comes to login attempts, WordPress allows users to enter passwords an unlimited number of times.
Hackers could use this as an opportunity to break into your website after repeated attempts.
In order to prevent such a scenario, you need to limit the login attempts of your website per user. Once you limit the login attempts per user, if a user surpasses the limit for login attempts, he/she will get blocked temporarily.
Let’s say someone has attempted to log in to your website and has made five failed attempts. If you have set your login limit to five attempts, then at that point your WordPress website will automatically block their IP address temporarily.
You can tweak the configuration to make changes to the number of login attempts, the blocking duration, and other factors.
You can increase the limit on login attempts to 5, 10, or even more. Similarly, you can also increase the blocking time by 5 minutes, 10 minutes, and so on.
The benefits of limiting login attempts to your WordPress website are as follows:
- Limiting login attempts restricts automated bots and humans from trying to log in to WordPress websites thousands of times in a row by continuing to guess at your password.
- A legitimate user might enter the wrong login details once or twice, but will otherwise use the right username and password every time.
- When bots and hackers try to access your website and get blocked temporarily, this temporary lockout is usually enough to prevent brute force attacks on your WordPress website.
Now that you know the benefits of limiting users’ login attempts, let’s get into the steps for limiting login attempts on your WordPress website.
Step-by-step Guide to Limit Login Attempts on WordPress
WordPress makes it super easy to limit login attempts by using plugins like Limit Login Attempts Reloaded. This plugin is the best shot to limit the login attempts on your WordPress site.
We chose the Limit Login Attempts Reloaded plugin because it works out of the box once you install and activate it, it is 100% free, and it’s easy to use.
The plugin doesn’t come with any complex configuration options, but it does feature some easy-to-use customization options.
Limit Login Attempts Reloaded also comes with configuration and settings options that enable you to whitelist or blacklist usernames and IPs of your choice.
Let’s get started with the guide.
Step #1: Install & Activate Limit Login Attempts Reloaded Plugin
Navigate to your WordPress dashboard and go to Plugins >> Add New. Then, search for “Limit Login Attempts Reloaded”.
Scroll a bit until you locate the plugin, and once you find it click on the “Install Now” button. Once the plugin is installed, make sure to activate it right away.
Step #2: Customize the Plugin’s Settings
After the plugin activation, the plugin will start working straight away. By default, the plugin allows users to enter their username and password four times only. If they use all the four attempts, they will be blocked.
Best of all, the plugin enables you to customize the number of login attempts allowed. To make the changes, navigate to Settings >> Limit Login Attempts.
On the screen, you will see the allowed retries, lockout duration, and hours until the retries are reset.
You can also enable the “Notify on lockout” section, which will send admins a notification email after a predefined number of lockouts.
In the statistics section, you’ll see the number of lockouts made by the plugin to date. As of now, you might not be able to see any data under the stats section as you have just installed and activated the plugin.
Under the “GDPR Compliance” section, you will even be able to enable the GDPR compliance settings.
Once you scroll down a bit, you will find a section called “Whitelist and Blacklist”. In this section, you can enter specific IPs and usernames to whitelist or blacklist them.
In the whitelist tab, if you’re adding a user to your whitelist, they will be able to log in to your WordPress website with unlimited username and password attempts.
These whitelist users won’t be getting blocked after trying a certain number of times. To whitelist users, you can add their IP address and their usernames in the whitelist tab.
When you add someone to the blacklist, you’re permanently locking them out. Adding users to the blacklist is easy. All you need to do is add the user’s IP address and the usernames in the blacklist tab.
This option comes in handy when you see a lot of suspicious activity coming from one or some other specific IP addresses.
Once you’re done making all the changes, make sure you save changes to make your new configuration go live.
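To see how the settings from this step interact (allowed retries, lockout duration, hours until retries are reset, whitelist and blacklist), here is an added example that models them in Python; it is not the plugin's code or part of the original article. The class and function names, the 20-minute lockout, the 12-hour reset and the sample IP addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta

class LoginLimiter:
    """Simplified per-IP lockout model (assumed semantics, not plugin code)."""
    def __init__(self, allowed_retries=4, lockout_minutes=20, reset_hours=12,
                 whitelist=(), blacklist=()):
        self.allowed_retries = allowed_retries
        self.lockout = timedelta(minutes=lockout_minutes)
        self.reset = timedelta(hours=reset_hours)
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.failures = {}      # ip -> (failed count, time of first failure)
        self.locked_until = {}  # ip -> end of the temporary block

    def attempt(self, ip, password_ok, now):
        """Return 'ok', 'failed' or 'blocked' for one login attempt."""
        if ip in self.blacklist:
            return "blocked"                     # permanent lockout
        if ip in self.whitelist:
            return "ok" if password_ok else "failed"  # never counted
        if now < self.locked_until.get(ip, now):
            return "blocked"                     # even with the right password
        if password_ok:
            self.failures.pop(ip, None)          # success clears the counter
            return "ok"
        count, first = self.failures.get(ip, (0, now))
        if now - first >= self.reset:            # old failures have expired
            count, first = 0, now
        count += 1
        if count >= self.allowed_retries:        # last allowed retry used up
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
        else:
            self.failures[ip] = (count, first)
        return "failed"

def replay(limiter, events, start=datetime(2024, 1, 1, 9, 0)):
    """events: (minutes after start, ip, password_ok) -> list of outcomes."""
    return [limiter.attempt(ip, ok, start + timedelta(minutes=m))
            for m, ip, ok in events]

# Constructed traffic; the IPs are documentation-range placeholders.
GUESSER, OFFICE, BANNED = "203.0.113.7", "192.0.2.10", "198.51.100.9"
EVENTS = ([(m, GUESSER, False) for m in range(4)]    # four wrong passwords
          + [(4, GUESSER, True), (5, BANNED, True)]  # locked out / blacklisted
          + [(m, OFFICE, False) for m in range(6, 12)]  # whitelisted typos
          + [(30, GUESSER, True)])                   # lockout has expired

if __name__ == "__main__":
    print(replay(LoginLimiter(whitelist={OFFICE}, blacklist={BANNED}), EVENTS))
```

In this model, the fifth attempt from the locked-out address is refused even though the password is correct, while the whitelisted address is never locked out however many times it fails.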
This simple process is all you need to limit the login attempts on your WordPress website quickly and easily.
By now, you should have a clear idea why you should limit the login attempts on your WordPress website. With our step-by-step walkthrough you can easily limit the login attempts on your WordPress website.
What methods do you use to limit the login attempts on your WordPress website? Have you used a different plugin or tried limiting login attempts using custom code?
Feel free to share your thoughts in the comments section below. If this post helped you, you can share it on social media platforms such as Facebook, LinkedIn, and Twitter.