Why and How Should You Limit Login Attempts in WordPress?

Blair Jersyer WordPress Tutorials Nov 10, 2021

Do you want to restrict the number of login attempts in WordPress?

Hackers may attempt to guess your admin password via a brute force attack. Limiting the number of times somebody can attempt to log in reduces their chances of success dramatically.

We'll teach you how and why you should limit login attempts on your WordPress site in this post.

Why and How Should You Limit Login Attempts in WordPress?

A brute force assault is a way of hacking into your WordPress website that relies on trial and error.

Elementor Black Friday

Enjoy Amazing Deals Up to 50% Off

Start Now

Password guessing is the most popular sort of brute force attack. Hackers utilize automated tools to guess your login details in order to get access to your website.

WordPress by default enables users to input passwords as many times as they wish. Hackers may try to take advantage of this by employing programs that input several combinations until they predict the correct login.

Limiting the number of unsuccessful login attempts per user might help you avoid brute-force attacks. For example, after 5 failed login attempts, you may temporarily lock a user out.

Unfortunately, some users find themselves locked out of their own WordPress website after repeatedly entering their password incorrectly. If you find yourself in this scenario, please follow the instructions in our tutorial on how to limit login attempts in WordPress.

With everything out of the way, let's look at how to limit login attempts on your WordPress website.

How to Limit Login Attempts in WordPress

First, install and activate the Limit Login Attempts Reloaded plugin. This tutorial requires just the free version. After activation, navigate to the Settings » Limit Login Attempts page and click on the Settings tab at the top.

The default settings will work for most websites, but we'll show you how to tweak the plugin settings for your own site.

To comply with GDPR legislation, tick the 'GDPR compliance' checkbox to display a notification on your login page. More information on the GDPR may be found in our guide on WordPress and GDPR compliance.

Following that, you may specify whether you want to be alerted when someone is locked out. If you choose, you may alter the email address to which the notice is delivered. By default, you will be alerted if the user is locked out for the third time.

After that, scroll down to the Local App area, where you may specify how many login attempts are allowed and how long a user must wait before trying again.

First, you must specify how many login attempts are permitted. After that, specify how long a user must wait if they surpass the number of failed tries. The timer is set at 20 minutes by default.

You may also raise the wait time after a certain number of times the user has been locked out. For example, if a user has been locked out four times, the default settings will prevent them from attempting to log in for 24 hours.

For security reasons, it is not suggested that you modify the 'Trusted IP Origins' setting.

Don't forget to save your changes by clicking the Save Settings button at the bottom of the screen.

Pro Tips for Keeping Your WordPress Website Safe

Limiting login attempts is only one method for keeping your WordPress site safe.

Your passwords are the first line of defense for your WordPress website. On your WordPress site, you should always use strong passwords.

Strong passwords might be tough to remember, but a password manager can help. If you have a multi-author WordPress site, learn how to require users to use secure passwords in WordPress.

If your WordPress login page is still being hacked, you may add another layer of security by using Google reCAPTCHA for WordPress login. This will assist to limit DDoS assaults even more.

No website is completely secure because hackers are always devising new methods to circumvent the system. That is why it is critical that you always preserve comprehensive backups of your WordPress site. UpdraftPlus or another popular WordPress backup plugin is recommended.

If your website is a company, we highly advise you to install a firewall that protects against brute force assaults and much more. We utilize Sucuri, which ensures our security, and if anything goes wrong with our site, their staff will fix it for free.

We hope this guide was useful in teaching you how to restrict login attempts in WordPress. You might also be interested in learning how to pick the finest WordPress hosting or browsing our list of must-have plugins for growing your website.

Divi WordPress Theme