How to Limit Login Attempts in WordPress – Protect Your Website from Being Hacked


There has been a drastic increase in hacking attempts over the past few years. Thousands of websites are infected with some kind of malware each day. 75% of them are on the WordPress platform, which is a serious fact to consider.

The latest research reveals that 80% of the businesses suffered some sort of cyberattack over the past 12 months. Ransomware is the latest trend in the category, and the security experts predict that its damage costs will exceed $5 billion this year.

Hackers constantly try to break into WordPress sites, making repeated login attempts until they crack your website. Limiting login attempts is the best possible solution to overcome this situation: limit login retries on your site, and if anyone exceeds the number within a short period of time, automatically disable the login function for the selected IP range.

What is a Brute-Force Attack?


Nowadays, WordPress is used by millions of people from all over the world. It is used to manage business accounts and personal accounts.

In fact, there are millions of WordPress sites used for blogging, but there are also many sites that use WordPress to manage online stores and even their corporate websites. The popularity of WordPress has made it one of the most targeted platforms for hackers.

A brute-force attack is a cyberattack in which a hacker or a specially designed program tries to log into your site by trying many username-password combinations. They can combine letters and numbers, uppercase and lowercase letters, the first letters of the username and the last letters of the website name.

In a distributed brute force attack, the attack program can run on many machines and each machine can try a subset of passwords.

If the attack succeeds, back-end access to your website falls into the hands of criminals. To get it back, you will have to pay them a huge amount depending on the value of your business.

However, sometimes it may not be effective, so it is essential to secure your online business against hacking attempts.
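The lockout mechanism described above, sketched in Python as an added example (it is not code from any plugin listed on this page). The thresholds, the per-username counter, the allowlist and the sample addresses are assumptions chosen for illustration; the per-username counter goes beyond the per-IP limit in the text to show how the distributed case can be caught.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Failed-login limiter: sliding window, temporary lockout (illustrative)."""

    def __init__(self, max_retries=4, window=300, lockout=1200,
                 user_max=10, allowlist=()):
        self.max_retries = max_retries   # failures allowed per IP inside the window
        self.window = window             # seconds over which failures are counted
        self.lockout = lockout           # seconds a lockout lasts
        self.user_max = user_max         # failures allowed per username, any IP
        self.allowlist = set(allowlist)  # addresses that are never locked out
        self.failures = defaultdict(deque)  # key -> recent failure timestamps
        self.locked_until = {}              # key -> time the lockout ends

    def is_blocked(self, ip, username, now):
        if ip in self.allowlist:
            return False
        keys = (("ip", ip), ("user", username))
        return any(self.locked_until.get(k, 0) > now for k in keys)

    def _record(self, key, limit, now):
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= limit:
            self.locked_until[key] = now + self.lockout
            q.clear()

    def record_failure(self, ip, username, now):
        self._record(("ip", ip), self.max_retries, now)
        self._record(("user", username), self.user_max, now)

def guesses_checked(limiter, attempts):
    """Replay failed attempts (time, ip, username); count those not blocked."""
    checked = 0
    for now, ip, user in attempts:
        if not limiter.is_blocked(ip, user, now):
            limiter.record_failure(ip, user, now)
            checked += 1
    return checked

# Constructed traffic: one address guessing 20 times, then 50 addresses
# (documentation ranges) making one guess each against the same username.
SINGLE = [(t, "203.0.113.5", "admin") for t in range(20)]
DISTRIBUTED = [(t, f"198.51.100.{t + 1}", "admin") for t in range(50)]

if __name__ == "__main__":
    print(guesses_checked(LoginLimiter(), SINGLE))                     # 4
    print(guesses_checked(LoginLimiter(user_max=10**9), DISTRIBUTED))  # 50
    print(guesses_checked(LoginLimiter(), DISTRIBUTED))                # 10
```

A per-username lock also keeps the real account owner out while it lasts, which is why the sketch lets allowlisted addresses bypass lockouts.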

Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page.

Best Plugins to Limit Login Attempts on WordPress

Today, I am going to list the 7 best plugins to limit login attempts on WordPress. Most of them are free and allow you to block brute-force attacks in simple steps.

1. Solid Security Pro


Solid Security is the #1 WordPress security plugin. It covers many features like real-time security monitoring, vulnerability scan, two-factor authentication, bad bot detection, and more.

After activation, open the Security tab from the left pane of your dashboard. Visit the Local BruteForce Protection module and configure the settings to limit login attempts in your WordPress blog.

It lets you lock out or permanently ban a user after they reach the threshold limits. Device-based login is a unique feature of Solid Security Pro. All you have to do is add the devices you use to your Trusted Devices list. When you log in later, the plugin will automatically verify your identity and facilitate login as well as block login from other devices.

You can also secure login pages with two-factor authentication codes received via the mobile app, email, or backup. 


2. Wordfence Security


Wordfence is a popular free WordPress security plugin with over 4 million downloads. It comes with several options to protect your website from being hacked or infected. The features include login security, spam filter, live traffic view, firewall, domain blacklist, malware scan, and so on.

After activation, visit the Wordfence menu from the left pane > Options and scroll down to locate login security options.

It will show you a number of options to enable login protection on your website. Set the maximum number of login attempts and forgot password attempts, lockout period, etc. Enable the remaining checkboxes to enhance the security level of your logins. Set the plugin to immediately lock out invalid usernames and to prevent hackers from detecting real usernames on your site through scans or API modules.

It also allows you to specify usernames for which IP addresses will be blocked immediately. Wordfence is open-source software that provides detailed statistics and notifications on various security events that occur on your website.


3. Malcare

Malcare is the most comprehensive security suite for WordPress. It scans your website at regular intervals to detect and remove malware before your business gets infected.

Security threats need to be removed as soon as possible, as Google may blacklist your site if they are not detected in time. Malcare’s advanced threat detection technology and 1-click malware removal option reduce your hours of hard work and eliminate the risk of loss.

Malcare blocks brute-force attacks with real-time firewall and Captcha protection. It will also block the user after making a certain number of failed login attempts. Uptime monitoring, vulnerability alerts, and daily backups are some other features that make Malcare an essential tool for business websites.


4. All In One WP Security & Firewall


All in One WP Security & Firewall is another free security plugin for WordPress. It combines several security features that are essential to protect your blog website from being hacked.

After activation, go to WP Security > User Login to enable the login lockdown feature.


Enable the feature and enter a value for max login attempts. If anyone exceeds the limit with failed login attempts, the same IP address will be locked out from further retries.

Set your lockout time length for which the blocked IP address will be prevented from logging in. The plugin allows you to instantly block invalid usernames and specific usernames as well.

Login Lockdown IP Whitelist is another main section where you can enter your own IP address, and it will never be blocked by the login lockdown feature.

There are four more related tabs in the User Login page: Failed Login Records, Force Logout, Account Activity Logs, and Logged In Users.

Failed Login Records shows the IP address, username, and time of each failed attempt.

Admins can force log out all users after a certain amount of time. They must log back in to continue using the dashboard or service. Sometimes, we forget to log out from the site after writing or managing content, and it may result in some serious security breaches. Enable the feature and set a time limit to avoid such a situation.

Account Activity Logs lets you monitor the activities of logged-in users. If you are running a multi-author blog, you can see who is online at the moment from the Logged In Users tab.


5. Limit Login Attempts Reloaded

Limit Login Attempts Reloaded is a good option to strengthen your WordPress login security. Downloaded more than 2 million times, it lets you limit login attempts per IP and automatically blocks the user for exceeding the limit. Lockout time can be set according to your preference, and users can be notified of it through the login page if required.

This plugin keeps a history of blocked login attempts on the dashboard and notifies you via email. It is also possible to add IP addresses to a safe list or block list. It is compatible with WooCommerce, multi-site, and other leading security plugins.


6. Loginizer

Loginizer is a simple plugin to fight against brute-force hacking in WordPress. It comes with features such as limiting login attempts, IP blacklisting, IP whitelisting, etc.

After activation, it will add a new top-level menu on your dashboard: Loginizer Security. Open the settings and set your limits for maximum login retries, lockout period, and others. It will inform you about the failed login attempts through the plugin tab and by email.


7. Login LockDown

Login Lockdown is a free WordPress security plugin to limit login attempts and prevent brute-force attacks on WordPress. It will record all failed login attempts on your site and when the number exceeds the limit, the login function will be disabled for the system.

After activation, open the plugin menu from Settings > Login Lockdown.

Set your maximum login retries, retry time period, and lockout length. Admin is a common username for WordPress websites. Hackers can easily guess such names. Replace the default ‘Admin’ username with your own for better security. The Login Lockdown plugin also allows you to instantly block invalid usernames from logging in.

Visit the Activity log on the top to view locked out IP addresses.


4 thoughts on “How to Limit Login Attempts in WordPress – Protect Your Website from Being Hacked”

  1. Great article Manoj! I would also recommend taking a look at WPScans.com, a free online tool to find WordPress vulnerabilities.

    1. Hi Jonas,

      What a coincidence! I recently went through your website and was impressed with its service. One of my upcoming posts is on malware scan and will feature your amazing tool there.

      Cheers!
      Have a wonderful week ahead.

  2. Girl from Ceylon

    This is a really useful, descriptive article. As I am also using WordPress, this is really helpful. I will implement them in my blog as well. Thank you for sharing.

  3. I am in trouble because the limit login attempts plugins are reading all of the IP addresses as the same, and it is the one of my server, not the IP addresses of the user or the attackers. Any advice?
