One of the most common methods that hackers use to gain access to a WordPress site is a brute force attack.

This is where a hacker uses a special computer program to try an endless number of username and password combinations until one finally works.

This is far more dangerous than a human trying to guess your password, because while a human can try a few passwords per minute, a brute force script can try thousands of passwords per second.

Brute force attacks are a serious threat to WordPress security. Given enough time and computing resources, a brute force attacker can eventually crack any password.

The best defense against brute force attacks is limiting the number of unsuccessful login attempts permitted from a single IP address.

One or two failed attempts could mean you or one of your users simply mistyped a password—but dozens or even hundreds of attempts indicate that your site is under attack, and the attacker should be blocked.

It’s very simple to do this with a plugin, and it’s one of the first things I implement on all of my production sites.

How To Limit WordPress Login Attempts With Loginizer

Loginizer is a WordPress plugin that blocks login attempts from a given IP address after it reaches the maximum number of permitted retries.

Once you’ve activated Loginizer, you can go to Loginizer Security > Brute Force in your WordPress dashboard to configure the plugin.

Loginizer Settings

Loginizer offers the following settings for its brute force protection:

  • Max Retries: The maximum number of failed attempts allowed before a user is locked out. I recommend setting this to at least 3 so you don’t lock yourself or your users out if someone mistypes or forgets their password.
  • Lockout Time: The amount of time (in minutes) a user will be locked out after maxing out their retries.
  • Max Lockouts: The maximum number of times a user can be locked out for the standard lockout time, after which they will be locked out for an extended period of time.
  • Extend Lockout: The number of hours a user will be locked out after exceeding the maximum number of standard lockouts.
  • Reset Retries: Failed login attempts for a given user will be reset after the number of hours you set here.
  • Email Notification: You can choose to be notified by email after a specified number of lockouts to alert you that your site is under attack.

At the top of the settings page, you can view a log of failed login attempts from the past 24 hours.

These logs can give you an idea of how frequently your site is being attacked, which URLs are being targeted, and where the attacks are coming from.

You can also blacklist or whitelist IP ranges.

This can be helpful if you want to block a repeated attacker indefinitely, or if you want to ensure that your IP address is never locked out inadvertently.
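
How the settings and the whitelist described above interact, as an added Python model that is not Loginizer's own code. The class and function names, the setting values and the sample IP addresses are constructed. Two behaviours are assumptions: the lockout that exceeds Max Lockouts is the extended one, and a reset clears the whole per-IP record.

```python
from dataclasses import dataclass

@dataclass
class Policy:                      # fields mirror the settings above; values are constructed
    max_retries: int = 3           # failed attempts before a lockout
    lockout_minutes: int = 15      # standard lockout length
    max_lockouts: int = 2          # standard lockouts allowed before the extended one
    extend_hours: int = 24         # extended lockout length
    reset_hours: int = 24          # idle time after which counters are cleared

@dataclass
class Record:
    failures: int = 0
    lockouts: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0

class LoginLimiter:
    def __init__(self, policy, whitelist=()):
        self.policy, self.whitelist, self.records = policy, set(whitelist), {}

    def record_failure(self, ip, now):
        """Register a failed login at `now` (epoch seconds) and return the outcome."""
        p = self.policy
        if ip in self.whitelist:
            return "failed"                      # whitelisted IPs are never locked out
        rec = self.records.setdefault(ip, Record())
        if now < rec.locked_until:
            return "blocked"                     # rejected while a lockout is active
        if now - rec.last_failure >= p.reset_hours * 3600:
            rec = self.records[ip] = Record()    # assumption: the whole record is cleared
        rec.failures += 1
        rec.last_failure = now
        if rec.failures < p.max_retries:
            return "failed"
        rec.failures = 0
        rec.lockouts += 1
        if rec.lockouts > p.max_lockouts:        # assumption: lockout past the limit is extended
            rec.locked_until = now + p.extend_hours * 3600
            return "extended_lockout"
        rec.locked_until = now + p.lockout_minutes * 60
        return "lockout"

def replay(limiter, events):
    """Feed (ip, timestamp) failed-login events through the limiter, in order."""
    return [limiter.record_failure(ip, ts) for ip, ts in events]
```

Replaying your own failed-login log through a model like this shows how many lockouts a given combination of settings would have produced before you apply it to a live site.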

If you have any questions about the Loginizer plugin or limiting login attempts in WordPress, please feel free to leave them in the comments below!

  • Rebecca says:

    It seems that Loginizer has blocked access to the admin page of our WordPress website for all IP addresses, so we can’t get in. I even whitelisted our IP addresses so that we can get in, but it seemingly doesn’t work; we get the “your IP address has been blacklisted” message even before we’ve entered our login details. Please help!

    • Hey Rebecca — that’s a weird one! I would contact Loginizer to see if they can shed some light on the situation. In the meantime, you can regain access by manually uninstalling the plugin via FTP. Log into your site via FTP, go to /wp-content/plugins/, and delete the loginizer folder. This will remove Loginizer from your site so you can get back in right away.