WP Rocket - WordPress Caching Plugin

How to Limit Login Attempts in WordPress – Protect Your Website from Being Hacked

limit login attempts WordPress

There is a drastic increase in the hacking attempts over the past few years. Thousands of websites are infected with some kind of malware each day. 75% of them are on WordPress platform which is a serious fact to consider.

A latest research reveals that 80% of the businesses suffered some sort of cyber attack over the past 12 months. Ransomware is the latest trend in the category and the security experts predict that its damage costs will exceed $5 billion this year.

Hackers attempt to crack your WordPress system always. They will make repeated login attempts until they crack your website. Limit login attempts is the best possible solution to overcome this situation. Limit login retries on your site and if anyone exceeds the number within a short period of time, automatically disable login function for the selected IP range.

In this article, we’ll show you two best plugins to limit login attempts in your WordPress blog.

1. Wordfence Security

limit login attempts WordPress

Wordfence is the leader of WordPress security plugins with over 1 million downloads. It comes with several options to protect your website from being hacked or infected. The features include login security, spam filter, a live traffic view, firewall, domain blacklist, malware scan, and others.

After activation, visit Wordfence menu from the left pane > Options and scroll down to locate login security options.

limit login attempts WordPress

It will show you a number of options to enable login protection on your website. Set the maximum number of login attempts and forgot password attempts, lockout period, etc. Enable remaining checkboxes to enhance the security level of your logins. Ask the plugin to immediately lockout the invalid usernames and prevent discovery of real usernames through scans or API module.

It also allows you to specify usernames for which IP addresses will be blocked immediately. Wordfence is an open source software which provides detailed statistics and notifications on various security events occur on the site.

2. iThemes Security

limit login attempts wordpress

iThemes Security is a popular plugin with incredible security features. It has a beautiful interface where you can customize each and every part of the tools. iThemes’ modules include 404 detections, away mode, database backup, file change detection, SSL configuration, WordPress tweaks and many more.

After activation, Open Security from the left pane of your dashboard. Visit Local BruteForce Protection module and configure the settings to limit login attempts in your WordPress blog.

It lets you lockout or permanently ban a user after he reaches the threshold limits. Lockout whitelist, network brute-force protection, block specific IP addresses are some of the remaining features of the plugin.

3. All In One WP Security & Firewall

limit login attempts WordPress

All in One WP Security & Firewall is my favorite security plugin for WordPress. It combines several security features which are essential to protect your blog website from being hacked.

After activation, go to WP Security > User Login to enable login lockdown feature.

limit login attempts WordPress

Enable the feature and enter a value for max login attempts. If anyone exceeds the limit with failed login attempts, the same IP address will be locked out from further retries.

Set your lockout time length for which the blocked IP address will be prevented from logging in. The plugin allows you to instantly block invalid usernames and specific usernames as well.

Login Lockdown IP Whitelist is another main section where you can enter own IP address and it will never be blocked by the login lockdown feature.

There are four more related tabs in the User Login page. Failed Login Records, Force Logout, Account Activity Logs and Logged In Users.

Failed Login Records shows IP address, Username and time of each failed attempt.

Admins can force log out all users after a certain amount of time. They should log back to continue using the dashboard or service. Sometimes, we forget to log out from the site after writing or managing contents and it may result in some serious security breaches. Enable the feature and set a time limit to avoid such a situation.

Account Activity logs let you monitor the activities of logged in users. If you are running a multi-author blog, know who’s online at the moment from Logged In Users tab.

Read How to Secure Your WordPress Website in 5 minutes

4. Loginizer

limit login attempts wordpress

Loginizer is a simple plugin to fight against brute force hacking in WordPress. It comes with features of limit login attempts, blacklist IP, whitelist IP, etc.

After activation, it will add a new top-level menu on your dashboard; Loginizer Security. Open the settings and set your limits for maximum login retries, lockout period and others. It will inform you about the failed login attempts through the plugin tab and by email.

5. Login LockDown

limit login attempts WordPress

Login Lockdown is another plugin to limit login attempts in WordPress. It will record all failed login attempts on your site and when the number exceeds the limit, the login function will be disabled for the system.

After activation, open plugin menu from Settings > Login Lockdown.

limit login attempts WordPress

Set your Maximum login retries, retry time period and lockout length. Admin is a common username for WordPress websites. Hackers can easily guess such names. Replace the default ‘Admin’ username with your own for better security. Login Lockdown plugin also allows you to instantly block the invalid usernames from logging in.

Visit Activity log on the top to view locked out IP addresses.

Read Top 8 Best WordPress Security Plugins to Detect Hacking Script on Your Site