While WordPress itself is a secure platform, this doesn’t make your site immune to break-ins. One of the most common attacks is human or bot hackers trying to force their way through your login page by trying various username and password combinations until something works. To keep them from succeeding, you can use a WordPress limit login attempts plugin.
By default, people can continuously try to log into your site, with no restrictions on attempts. However, most legitimate users won’t need more than a few tries (at most). Therefore, you can limit the number of login attempts made from a specific IP address in a set amount of time. Any user who goes over the limit can be temporarily or permanently locked out.
In this post, we’re going to show you how to set the feature up using a free WordPress limit login attempts plugin. Then, we’ll share some of the pros and cons of this approach. Let’s get to work!
Step 1: Install the WordPress limit login attempts plugin
For most users, a WordPress limit login attempts plugin is the best option to restrict login attempts. There are several quality options, but we recommend the free Limit Login Attempts Reloaded plugin because it’s:
- 100% free.
- Popular – active on over 1 million sites, according to WordPress.org.
- Well-rated – a 4.8-star rating (out of 5).
- Easy to use.
While the plugin is easy to use at a basic level (it starts working as soon as you activate it), it also boasts a variety of configuration options, including some handy extras (such as the ability to whitelist or blacklist both IPs and usernames).
To get started, install and activate the Limit Login Attempts Reloaded plugin at your WordPress site. If you’re not sure how to install a WordPress plugin.
Step 2: Customize the plugin’s settings
As soon as you activate the plugin, it starts working right away. By default, users get four guesses before the plugin locks them out:
However, the plugin also provides a settings area where you can modify how this functionality works.
To access this area, go to Settings > Limit Login Attempts:
In the Statistics section, you can find details about how many ‘lockouts’ have occurred due to the plugin. This will be empty right now, but you can check back later to see how many potential brute force attempts the plugin has halted.
Then, under Options, you can customize how the lockout system works. This includes deciding how many guesses the plugin will allow, the length of time users will be locked out for, and more. You can even enable a GDPR-compliance setting, which will obfuscate all recorded IPs for privacy reasons.
Scrolling down a bit, you’ll also find sections labeled Whitelist and Blacklist:
Here, you can enter specific IPs and/or usernames. If you add a user to the whitelist, they’ll be able to log into your site as many times as they’d like, and won’t have to worry about getting locked out.
Adding someone to the blacklist, on the other hand, will permanently lock them out. The latter option is handy if you see a lot of suspicious activity coming from one or more specific IP addresses.
Don’t forget to save your changes to this page when you’re done configuring the settings. That’s all you need to do to limit login attempts in WordPress!
Thanks for reading……
Nice blog something learn new