Most secure websites (and even webmail accounts) block the internet address of a potential attacker for a few hours after a certain number of failed login attempts.
WordPress doesn’t – so an attacker can try to brute-force crack your login password through the login page or by sending special cookies.
Limit Login Attempts is a free WordPress plugin to limit the number of login attempts any visitor can make – both through normal login as well as using special (auth) cookies.
Limit Login Attempts
The plugin blocks an internet (IP) address from making any further attempts to login after a specified limit on retries is reached, making a brute-force attack almost impossible.
- Limits the number of retry attempts when logging in (for each IP)
- Limits the number of attempts to log in using auth cookies in the same way
- The WordPress Login screen informs the user of remaining retries as shown in the image below – once an attacker sees that login attempts are limited they will likely give up and try hacking another site instead
- Lockout the IP address after specified number of retries
- Optional – log the IP of users who have been locked out
- Optional – email the site Admin after a lockout
- Handles server behind reverse proxy (not applicable to most users)
- Possible to whitelist IP addresses using a filter e.g. to prevent your own IP address from being locked out – only of use if you have a static IP address (most users don’t)
- Translations available for 17 languages
Using Limit Login Attempts
Download from the WordPress Plugin Directory here or install from within WordPress via the ‘new plugin’ search.
Activate the plugin and go to the Limit Login Attempts configuration page – within the WordPress ‘Settings’ tab:
Here you can specify the number of allowed retries, minutes to lockout and notifications etc – the default options are usually ok but see the Plugin FAQ section for further info. You can also see the Lockout log showing which IPs have been locked out.
The FAQ page also has instructions for what to do if you lock yourself out by trying the wrong password too many times…
Should You Block A Bad IP From Your Whole Site?
If a particular IP keeps appearing in the logs, you may wish to consider blocking it from your entire WordPress site, not just the Login screen.
You could do this via .htaccess or, more easily, via cPanel (using the IP Deny Manager in the Security section).
However, bear in mind that an attacker could easily spoof IP or switch to another IP and the IP may actually be dynamic – you might potentially be blocking a legitimate user from visiting your site in future. If you have a lot of attacks you may also end up wasting a lot of time trying to block every bad IP from your entire site.
Don’t Use Admin As WordPress Username
If you chose the Log IP option (recommended) and your site is popular it may only be a matter of hours before the log starts to display a list of blocked attackers – there are a lot of them out there…
The log will show that most try to log in as admin – the standard WordPress Admin username. For best security, change your WordPress Admin username to something else – not only will a hacker have to guess the password, they will also have to guess the Admin username too.
Hopefully it should go without saying that, regardless of how many extra security steps you take, your login password(s) should be very strong to help protect your WordPress site.
See our guide to test your password strength.
WordPress sites are frequently targeted by hackers using brute-force (dictionary) automated attacks to guess your login password.
Using the Limit Login Attempts plugin can help prevent such sustained attacks (which can also slow down your site) and change your Admin username to provide an extra layer of protection.