One of the most common methods that hackers use to gain access to a WordPress site is a brute force attack.
This is where a hacker uses a special computer program to try an endless number of username and password combinations until one finally works.
This is far more dangerous than a human trying to guess your password, because while a human can try a few passwords per minute, a brute force script can try thousands of passwords per second.
Brute force attacks are a serious threat to WordPress security. Given enough time and computing resources, a brute force attacker can eventually crack any password.
The best defense against brute force attacks is limiting the number of unsuccessful login attempts permitted from a single IP address.
One or two failed attempts could mean you or one of your users simply mistyped a password—but dozens or even hundreds of attempts indicate that your site is under attack, and the attacker should be blocked.
It’s very simple to do this with a plugin, and it’s one of the first things I implement on all of my production sites.
Loginizer is a WordPress plugin that blocks login attempts from a given IP address after it reaches the maximum number of permitted retries.
Once you’ve activated Loginizer, you can go to Loginizer Security > Brute Force in your WordPress dashboard to configure the plugin.
Loginizer offers the following settings for its brute force protection:
At the top of the settings page, you can view a log of failed login attempts from the past 24 hours:
These logs can give you an idea of how frequently your site is being attacked, which URLs are being targeted, and where the attacks are coming from.
You can also blacklist or whitelist IP ranges:
This can be helpful if you want to block a repeated attacker indefinitely, or if you want to ensure that your IP address is never locked out inadvertently.
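The per-IP limit described above (count failures inside a window, lock the address out once it reaches the maximum, never lock out allowlisted ranges) and the kind of failed-login log review the post mentions can be shown in a few dozen lines. The following is an added example written for this article, not Loginizer's own code; the log format, the IP addresses (documentation ranges) and the numbers in it are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginLimiter:
    """Per-IP failed-login limiter (constructed example, not Loginizer's implementation)."""
    max_retries: int = 3          # failures inside the window that trigger a lockout
    window_seconds: int = 900     # failures older than this no longer count
    lockout_seconds: int = 900    # how long a locked-out IP is rejected
    allowlist: tuple = ()         # CIDR ranges that can never be locked out
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def _allowlisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(net) for net in self.allowlist)

    def is_locked(self, ip: str, now: int) -> bool:
        """True while the IP is inside its lockout period; expired lockouts are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: int) -> bool:
        """Register one failed attempt. Returns True if this failure triggered a lockout."""
        if self._allowlisted(ip):
            return False
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_retries:
            self._locked_until[ip] = now + self.lockout_seconds
            recent.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure history for that IP."""
        self._failures.pop(ip, None)


# Assumed log format (constructed): "<epoch seconds> <ip> <path> FAILED|OK user=<name>"
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<path>\S+) (?P<result>FAILED|OK)(?: user=(?P<user>\S+))?$")

SAMPLE_LOG = """\
0 198.51.100.7 /wp-login.php FAILED user=admin
5 198.51.100.7 /wp-login.php FAILED user=admin
9 198.51.100.7 /wp-login.php FAILED user=administrator
12 198.51.100.7 /wp-login.php FAILED user=root
30 203.0.113.9 /wp-login.php FAILED user=editor
45 203.0.113.9 /wp-login.php OK user=editor
60 198.51.100.8 /xmlrpc.php FAILED user=admin
70 198.51.100.8 /xmlrpc.php FAILED user=admin
2000 198.51.100.8 /xmlrpc.php FAILED user=admin
"""


def replay(log_text: str, limiter: LoginLimiter) -> dict:
    """Feed log lines through the limiter and summarise who failed, where, and who got locked out."""
    report = {"failed_by_ip": Counter(), "failed_by_path": Counter(),
              "lockouts": [], "rejected_while_locked": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            report["unparsed"] += 1
            continue
        ts, ip = int(m["ts"]), m["ip"]
        if limiter.is_locked(ip, ts):          # rejected before credentials are even checked
            report["rejected_while_locked"] += 1
            continue
        if m["result"] == "OK":
            limiter.record_success(ip)
            continue
        report["failed_by_ip"][ip] += 1
        report["failed_by_path"][m["path"]] += 1
        if limiter.record_failure(ip, ts):
            report["lockouts"].append((ip, ts))
    return report


def run_demo() -> dict:
    # 192.0.2.0/24 stands in for the site owner's own range (constructed value)
    return replay(SAMPLE_LOG, LoginLimiter(allowlist=("192.0.2.0/24",)))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the sample, 198.51.100.7 is locked out on its third failure and its fourth attempt is rejected without touching the password check, while 198.51.100.8 never reaches the limit because its third failure falls outside the 900-second window, which is the difference between a burst and three honest typos spread over half an hour. The allowlist check mirrors the whitelist setting mentioned above: an address in that range can fail any number of times without being locked.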
If you have any questions about the Loginizer plugin or limiting login attempts in WordPress, please feel free to leave them in the comments below!
It's a great tool but I do not seem able to extend the max lockout beyond 24 hours. When it is clearly a deliberate attack that is not enough.
It seems that Loginizer has blocked access to the admin page of our WordPress website for all IP addresses, so we can't get in. I even whitelisted our IP addresses so that we can get in, but it seemingly doesn't work, we get the "your IP address has been blacklisted" message even before we've entered our login details. Please help!
Hey Rebecca -- that's a weird one! I would contact Loginizer to see if they can shed some light on the situation. In the meantime, you can regain access by manually uninstalling the plugin via FTP. Log into your site via FTP, go to /wp-content/plugins/, and delete the loginizer folder. This will remove Loginizer from your site so you can get back in right away.