How and Why you should Limit Login Attempts in your WordPress

Why you need to Limit Login Attempts in WordPress?

By default, WordPress allows users to enter passwords as many times as they want. Hackers may try to exploit this by using scripts that enter different combinations until your website cracks.

To prevent this, you can limit the number of failed login attempts per user.

For example, you can say after 5 failed attempts, lock the user out temporarily.

If someone has more than 5 failed attempts, then your site block their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer.

How to Limit Login Attempts in WordPress?

First thing you need to do is install and activate the Login LockDown plugin. Upon activation, you need to visit Settings » Login LockDown page to configure the plugin settings.

First you need to define how many login attempts can be made. After that choose how long a user will be unable to retry if they exceed the failed attempts.

You can also define the lockout period for IP range blocks. The default value is 60 minutes, you can adjust that if you need.

The plugin will allow users to keep trying different invalid usernames. Click on yes under lockout invalid usernames option to stop this.

By default, WordPress lets users know that whether they entered an invalid username or invalid password on failed logins. You can hide this by clicking yes under mask login errors option.

Don’t forget to click on the update settings button to store your changes.

Pro Tip

The first layer of protection to your WordPress sites is your passwords. You should always use strong passwords on your WordPress site. We understand that strong passwords are difficult to remember. But see our beginner’s guide which shows the best way to manage passwords for WordPress users.

If you run a multi-author WordPress site, then see how you can force strong passwords on users in WordPress.