How to Limit Login Attempts in WordPress
WordPress is one of the most popular platforms for building blogs and other kinds of websites. Because millions of websites run on WordPress, attackers constantly look for vulnerabilities in WordPress themes and plugins to compromise WordPress-based websites. Some also run brute force attacks against login pages to crack accounts. Most people use the default username admin for the blog. Even if someone changes the username, it is still visible in the author slug. So, an attacker only needs to guess the password. I wrote a detailed guide on how to protect WordPress from Brute Force Attacks.
The most common way to block brute force attacks is to ‘limit login attempts.’ If an attacker or attack script can only try 3 times, a brute force attack becomes much harder to carry out. It isn’t foolproof if a brute force script uses a different IP for each attempt, but this method does discourage the common case where a person is trying different password combinations to get into the website.
The easiest way to add a login attempt limit is by installing the “Limit Login Attempts Reloaded” plugin. This plugin stops brute-force attacks on WordPress login pages along with XML-RPC, WooCommerce, and custom login pages. Once the plugin blocks someone after failed login attempts, it also sends an email notification.
Here is a snapshot of the plugin’s settings page.
You can set the number of failed attempts a user can make before being locked out. For example, 4 is set in the snapshot. You can also set the lockout time. So, after 4 failed attempts the IP will be blocked for the next 20 minutes. You can increase this time as per your need. Similarly, you can choose to receive an email about failed attempts. You can also whitelist or blacklist a set of IP addresses.
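To show what that setting actually does, here is an added minimal must-use plugin that enforces the same rule (4 failed attempts, then a 20-minute lockout per IP, with an admin email) using WordPress core hooks. It is illustrative code written for this article, not the Limit Login Attempts Reloaded plugin’s own code; the slal_ function names, transient keys and the 4/20 values are my own choices copied from the snapshot.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (illustrative mu-plugin)
 */
defined( 'ABSPATH' ) || exit;
define( 'SLAL_MAX_ATTEMPTS', 4 );                 // same limit as in the snapshot
define( 'SLAL_LOCKOUT', 20 * MINUTE_IN_SECONDS ); // same lockout time as in the snapshot

// Transient key per client IP. Caveat: behind Cloudflare or Sucuri, REMOTE_ADDR is the
// proxy's address; the real client IP must then come from a header the proxy sets, and
// only if that proxy is trusted. This example does not handle that case.
function slal_key( $suffix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'slal_' . $suffix . '_' . md5( $ip );
}

function slal_is_locked() {
    return false !== get_transient( slal_key( 'lock' ) );
}

// Runs after WordPress's own username/password check (priority 20); XML-RPC logins pass
// through the same filter. A locked-out IP is refused even if the password is correct.
function slal_check_lockout( $user, $username, $password ) {
    if ( slal_is_locked() ) {
        return new WP_Error( 'slal_locked', 'Too many failed logins. Try again in 20 minutes.' );
    }
    return $user;
}
add_filter( 'authenticate', 'slal_check_lockout', 99, 3 );

// Count failures from this IP; at the limit, start the lockout and notify the admin.
function slal_on_failure( $username ) {
    if ( slal_is_locked() ) {
        return; // refused above; do not count it again
    }
    $count = (int) get_transient( slal_key( 'count' ) ) + 1;
    if ( $count >= SLAL_MAX_ATTEMPTS ) {
        set_transient( slal_key( 'lock' ), time(), SLAL_LOCKOUT );
        delete_transient( slal_key( 'count' ) );
        wp_mail( get_option( 'admin_email' ), 'WordPress login lockout', 'An IP was locked out after ' . SLAL_MAX_ATTEMPTS . ' failed logins.' );
        return;
    }
    set_transient( slal_key( 'count' ), $count, SLAL_LOCKOUT ); // counter expires on its own
}
add_action( 'wp_login_failed', 'slal_on_failure' );

// A successful login clears the failure counter for that IP.
function slal_on_success() {
    delete_transient( slal_key( 'count' ) );
}
add_action( 'wp_login', 'slal_on_success' );
```

Drop the file into wp-content/mu-plugins/ to activate it; because it keys on REMOTE_ADDR, a distributed attack rotating IPs, as noted above, is not stopped by this alone.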
I also recommend that users start using Cloudflare. Even with the free plan, you get a good level of protection against automated scripts that try to brute force logins. If you are comfortable with paid services, try Sucuri. Sucuri is the best company offering website security services. It also has the best WordPress firewall, which adds a DNS-level website firewall, so all traffic goes through a proxy that filters bad traffic.
You can also add a CAPTCHA on the WordPress login page; it will also block automated scripts from submitting the login form. I also recommend that users use a strong password. A strong password is hard to guess and hard to crack using brute force attacks. If you find it hard to remember strong passwords, start using a good password manager. But never compromise on security.