How to Limit Login Attempts in WordPress – Protect Your Website from Being Hacked

Share this

limit login attempts WordPress

There is a dramatic increase in the hacking attempts over the past few years. Thousands of websites are infected with some kind of malware each day. 75% of them are on WordPress platform which is a serious fact to consider.

A latest research reveals that 80% of the businesses suffered some sort of cyber attack over the past 12 months. Ransomware is the latest trend in the category and the security experts predict that its damage costs will exceed $5 billion this year.

Hackers attempt to invade into your WordPress system always. They will make repeated login attempts until they crack your website. Limit login attempts is the best possible solution to overcome this situation. Limit login retries in your site and if anyone exceeds the number within a short period of time, automatically disable login function for the selected IP range.

In this article, we’ll show you two best plugins to limit login attempts in your WordPress blog.

1. All In One WP Security & Firewall

limit login attempts

All in One WP Security & Firewall is a popular security plugin for WordPress. It combines several security features which are essential to protect your blog website from being hacked.

After activation, go to WP Security > User Login to enable login lockdown feature.

limit login attempts WordPress

Enable the feature and enter a value for max login attempts. If anyone exceeds the limit with failed login attempts, the same IP address will be locked out from further retries.

Set your lockout time length for which the blocked IP address will be prevented from logging in. The plugin allows you to instantly block invalid usernames and specific usernames as well.

Login Lockdown IP Whitelist is another main section where you can enter own IP address and it will never be blocked by the login lockdown feature.

There are four more related tabs in the User Login page. Failed Login Records, Force Logout, Account Activity Logs and Logged In Users.

Failed Login Records shows IP address, Username and time of each failed attempt.

Admins can force log out all users after a certain amount of time. They should log back to continue using the dashboard or service. Sometimes, we forget to log out from the site after writing or managing contents and it may result in some serious security breaches. Enable the feature and set a time limit to avoid such a situation.

Account Activity logs lets you monitor the activities of logged in users. If you are running a multi-author blog, know who’s online at the moment from Logged In Users tab.

Read How to Secure Your WordPress Website in 5 minutes

2. Login LockDown

limit login attempts WordPress

Login Lockdown is another plugin to limit login attempts in WordPress. It will record all failed login attempts on your site and when the number exceeds the limit, the login function will be disabled for the system.

After activation, open plugin menu from Settings > Login Lockdown.

limit login attempts WordPress

Set your Maximum login retries, retry time period and lockout length. Admin is a common username for WordPress websites. Hackers can easily guess such names. Replace the default ‘Admin’ username with your own for better security. Login Lockdown plugin also allows you to instantly block the invalid usernames from logging in.

Visit Activity log on the top to view locked out IP addresses.

Read Top 8 Best WordPress Security Plugins to Detect Hacking Script in Your Site

Share this
  • Great article Manoj! I also would recommend to take a look at, a free online tool to find WordPress vulnerabilities.

    • Hi Jonas,

      What a coincidence! I recently go through your website & impressed with its service. One of my upcoming posts is on malware scan and will feature your amazing tool there.

      Have you a wonderful week ahead.