Are you looking to Limit Login Attempts in WordPress?
By default, WordPress lets anyone submit an unlimited number of wrong usernames and passwords to the login form. Attackers exploit this to gain access to a site by guessing credentials at scale, a technique known as a Brute Force Attack.
This article will show you why you should limit login attempts in WordPress and how you can do it to improve WordPress security.
Must Read: Automatically Log out Idle Users in WordPress
Why do you need to Limit Login Attempts in WordPress?
One of the most common ways to break into any account or device is to guess the username and password combination.
For a smartphone with a 4-digit PIN there are only 10,000 possible codes, and a script can run through all of them in seconds to find the right one.
WordPress requires a username as well as a password. Finding the username of an account is usually easy, because usernames are effectively public: they appear in author URLs, post bylines and the REST API. The password is the only secret, known just to the user.
To sign in, a user needs both, the public part (the username) and the secret part (the password). A legitimate user types the correct combination and may need two or three tries if they mistype it.
An attacker who is guessing the password, on the other hand, needs many attempts before one succeeds.
WordPress, by default, allows unlimited failed logins. Attackers exploit this and run thousands of guesses against the login form until one password matches. This is the Brute Force Attack.
Limiting login attempts caps the number of failed logins allowed from one source before further attempts are refused. It is a clean and straightforward way to improve WordPress login security.
How do Limit Login Attempts work?
Limiting login attempts stops a visitor from trying incorrect passwords an unlimited number of times.
After a set number of failed attempts, the login form refuses further attempts from that IP address (and, with some plugins, for that username) for a lockout period. The visitor then has to wait or use another route to get back in.
For example, you can allow 3 incorrect passwords. After the third failed attempt the visitor is locked out, and to continue they have to:
- Contact the administrator
- Reset the password using the registered email account
- Prove their identity with a one-time password or an authenticator app code (for example, Google Authenticator)
- Solve a CAPTCHA to get more chances
- Or simply wait until the lockout expires
Attackers and bots cannot keep guessing after the first few failures, so the attack slows to a crawl and most of them give up and move on to the next target.
How to Limit Login Attempts in WordPress? (With Plugin)
You can do this without a plugin by adding code to your theme or a must-use plugin, but that method takes more effort, and you will not be able to safelist and blocklist IP addresses as quickly.
A lightweight WordPress plugin does the job effectively.
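If you would rather take the manual route mentioned above, the mechanism described in the previous section (count failures per IP, lock the IP out for a while, escalate the lockout, never lock out safelisted addresses) can be built with WordPress's own hooks. The following is an added example written for this article, not code from Limit Login Attempts Reloaded or from WordPress core. The plugin name, the `MLT_` settings and their values, and the safelisted address 203.0.113.10 are assumptions chosen to mirror the settings a lockout plugin exposes; save the file as `wp-content/mu-plugins/minimal-login-throttle.php`.

```php
<?php
/**
 * Plugin Name: Minimal Login Throttle (example, not a real plugin)
 * Description: Per-IP failed-login lockout using WordPress transients.
 */

// Assumed settings; a real plugin exposes these in its admin page.
define('MLT_MAX_RETRIES',     3);                        // failures before lockout
define('MLT_RETRY_WINDOW',    12 * HOUR_IN_SECONDS);     // how long failures are remembered
define('MLT_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS);   // first lockout length
define('MLT_MAX_LOCKOUT',     DAY_IN_SECONDS);           // cap for escalated lockouts
define('MLT_SAFELIST',        ['203.0.113.10']);         // assumed admin address, never locked out

function mlt_client_ip() {
    // Trust only REMOTE_ADDR. X-Forwarded-For is attacker-controlled unless a
    // trusted reverse proxy sets it; if you run behind one, have the proxy
    // rewrite REMOTE_ADDR rather than reading the header here.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function mlt_key($prefix, $ip) {
    // Hash the address so IPv6 colons never end up in the option name.
    return $prefix . md5($ip);
}

function mlt_locked_until($ip) {
    return (int) get_transient(mlt_key('mlt_lock_', $ip));
}

// Count a failure. Fires for any wrong username or password.
add_action('wp_login_failed', function ($username) {
    $ip = mlt_client_ip();
    if (in_array($ip, MLT_SAFELIST, true) || mlt_locked_until($ip) > time()) {
        return; // safelisted, or already locked out: nothing more to count
    }
    $fails = (int) get_transient(mlt_key('mlt_fail_', $ip)) + 1;
    set_transient(mlt_key('mlt_fail_', $ip), $fails, MLT_RETRY_WINDOW);

    if ($fails >= MLT_MAX_RETRIES) {
        // Escalate: each consecutive lockout within a day doubles the previous one.
        $lockouts = (int) get_transient(mlt_key('mlt_lockouts_', $ip)) + 1;
        set_transient(mlt_key('mlt_lockouts_', $ip), $lockouts, DAY_IN_SECONDS);
        $seconds = min(MLT_LOCKOUT_SECONDS * (2 ** ($lockouts - 1)), MLT_MAX_LOCKOUT);
        set_transient(mlt_key('mlt_lock_', $ip), time() + $seconds, $seconds);
        delete_transient(mlt_key('mlt_fail_', $ip));
        error_log(sprintf('login lockout: ip=%s user=%s seconds=%d', $ip, $username, $seconds));
    }
});

// While locked out, return an error whatever the credentials were. Priority 30
// runs after WordPress's own password check (priority 20), so a correct guess
// made during the lockout is discarded instead of logging the attacker in.
add_filter('authenticate', function ($user, $username, $password) {
    $until = mlt_locked_until(mlt_client_ip());
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / 60);
        return new WP_Error(
            'mlt_locked_out',
            sprintf('Too many failed login attempts. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(mlt_key('mlt_fail_', mlt_client_ip()));
}, 10, 2);
```

Two caveats a practitioner would want before relying on this. First, a per-IP counter is only as good as the IP you see: behind Cloudflare or another reverse proxy, `REMOTE_ADDR` is the proxy, so every visitor shares one counter and one lockout unless the proxy restores the real client address. Second, per-IP lockouts slow down a single attacker but not a botnet that spreads its guesses across thousands of addresses, which is why a strong password and two-factor authentication remain the real defence and the lockout is the layer that keeps the noise down.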
First of all, install and activate the Limit Login Attempts Reloaded plugin.
Many plugins can limit login attempts, but I chose Limit Login Attempts Reloaded because it has a good rating and more than one million websites use it.
Features of Limit Login Attempts Reloaded:
- Limit the number of retry attempts when logging in (per each IP).
- Configurable lockout timings.
- Informs the user about the remaining retries or lockout time on the login page.
- Email notification of blocked attempts.
- Logging of blocked attempts.
- Safelist/Blocklist of IPs and usernames (supports IP ranges).
After activating the plugin, you will find it on the left navigation bar. Visit Settings >> Limit Login Attempts.
General Setting:
GDPR Compliance: Tick it to make the plugin GDPR compliant
GDPR Message: Message to show to the user
Notify on Lockout: the administrator email address that receives a notification each time an IP is locked out after repeated incorrect login attempts.
App Settings:
Lockout: here you set how many retries a visitor gets before being locked out, how long that lockout lasts, and how much longer the lockout becomes after repeated lockouts. The remaining settings are self-explanatory.
The plugin is as simple as it looks, and you can easily limit the login attempts in WordPress.
You can check the Logs section to see all the failed login attempts the plugin has blocked. If you notice an IP address repeatedly attacking your site, you can block it directly from the Logs section.
In the Safelist, add the IP addresses and usernames that should never be locked out, typically your own address and the administrator account.
The Blocklist rejects every login attempt from the listed IP addresses and for the listed usernames.
Should you limit login attempts on your website?
WordPress security is not a matter of doing one or two things to make the site unhackable. Instead, it is about protecting your website from attackers by blunting each of the methods they use to target it.
The most common cause of WordPress compromises is outdated or vulnerable themes and WordPress core. Brute force attacks are the next most common.
Limiting login attempts is not strictly mandatory, but unlike hiding the WordPress version, which only obscures information, it takes a real capability away from the attacker and noticeably strengthens WordPress security.
Having an extra plugin might look heavy to some webmasters, but they can always use the manual method instead. For small bloggers and businesses that cannot invest much in firewalls and other security services, limiting login attempts is an excellent and cheap way to fend off brute force attacks.
Additional Tips
Your WordPress password is the first security layer of the website. Always use a long, unique password for every account on your site. It may be hard to remember, but a password manager solves that and the protection is worth it.
Second, always keep a backup of WordPress. Many plugins can automate the process, and with a backup you can have your website back in minutes.
At ServerGuy, we provide automatic backups to all the WordPress sites. We are proud to say that it is next to impossible to hack a website on our server, so your business is completely secure. You can check the pricing plans here.
Besides limiting login attempts, you can add security questions to the login page. For now, bots cannot answer them, though bear in mind that a human attacker may be able to guess answers such as a pet's name. I suggest adding only one of these extra checks.
You must balance security with the user experience.
FAQ
Which plugin can be used to limit the number of login attempts in WordPress?
The Limit Login Attempts Reloaded plugin can be used to limit the number of login attempts in WordPress. It is popular, with more than one million active installations and good reviews.
The free version is more than enough to do the job.
How do I unblock myself if the plugin has locked me out of WordPress?
The simplest option is to wait for the lockout to expire. If you cannot wait, disable the plugin from outside WordPress: connect with FTP or the cPanel File Manager, go to wp-content/plugins, and rename the plugin's folder (for example to limit-login-attempts-reloaded.off). WordPress deactivates a plugin whose folder it can no longer find.
Once you have logged in, rename the folder back, reactivate the plugin, and add your own IP address to the Safelist so it cannot happen again.
Wrap Up
WordPress powers nearly 40% of the web, which also makes it the favorite target of attackers.
Though the WordPress community is stronger than the WordPress exploiters, you can easily protect your WordPress website by following simple security measures.
Security begins from the login page, and by limiting login attempts in WordPress, you are making the hacker’s job much more difficult.
Simply install a plugin, and set it up to do its work.
If you have any questions or difficulty setting the plugin, leave it in the comment section.