
How To Limit Login Attempts In WordPress

by Brad Merrill

One of the most common methods that hackers use to gain access to a WordPress site is a brute force attack.

This is where a hacker uses a special computer program to try an endless number of username and password combinations until one finally works.

This is far more dangerous than a human trying to guess your password, because while a human can try a few passwords per minute, a brute force script can try thousands of passwords per second.

Brute force attacks are a serious threat to WordPress security. Given enough time and computing resources, a brute force attacker can eventually crack any password.

The best defense against brute force attacks is limiting the number of unsuccessful login attempts permitted from a single IP address.

One or two failed attempts could mean you or one of your users simply mistyped a password—but dozens or even hundreds of attempts indicate that your site is under attack, and the attacker should be blocked.

It’s very simple to do this with a plugin, and it’s one of the first things I implement on all of my production sites.

How To Limit WordPress Login Attempts With Loginizer

Loginizer is a WordPress plugin that blocks login attempts from a given IP address after it reaches the maximum number of permitted retries.


Once you’ve activated Loginizer, you can go to Loginizer Security > Brute Force in your WordPress dashboard to configure the plugin.


Loginizer offers the following settings for its brute force protection:

  • Max Retries: The maximum number of failed attempts allowed before a user is locked out. I recommend setting this to at least 3 so you don’t lock yourself or your users out if someone mistypes or forgets their password.
  • Lockout Time: The amount of time (in minutes) a user will be locked out after maxing out their retries.
  • Max Lockouts: The maximum number of times a user can be locked out for the standard lockout time, after which they will be locked out for an extended period of time.
  • Extend Lockout: The number of hours a user will be locked out after exceeding the maximum number of standard lockouts.
  • Reset Retries: Failed login attempts for a given user will be reset after the number of hours you set here.
  • Email Notification: You can choose to be notified by email after a specified number of lockouts to alert you that your site is under attack.
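
To see how these settings combine, here is a small Python model of a per-IP lockout policy (an added example, not Loginizer's code). The default values are constructed for illustration, and the exact reset and extended-lockout semantics are assumptions drawn from the setting descriptions above.

```python
from dataclasses import dataclass

@dataclass
class Policy:                      # sample values constructed for this example
    max_retries: int = 3           # failed attempts before a lockout
    lockout_minutes: int = 15      # standard lockout length
    max_lockouts: int = 5          # standard lockouts before the extended one
    extend_hours: int = 24         # extended lockout length
    reset_hours: int = 24          # quiet period after which counters reset

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    last_failure: float = 0.0      # seconds on the caller's clock
    locked_until: float = 0.0

class LoginLimiter:
    def __init__(self, policy):
        self.policy, self.ips = policy, {}

    def is_locked(self, ip, now):
        return ip in self.ips and now < self.ips[ip].locked_until

    def record_failure(self, ip, now):
        """Count one failed login; return the lockout imposed in seconds (0 = none)."""
        p, s = self.policy, self.ips.setdefault(ip, IpState())
        if now - s.last_failure >= p.reset_hours * 3600:
            s.failures = s.lockouts = 0          # Reset Retries (assumed semantics)
        s.failures, s.last_failure = s.failures + 1, now
        if s.failures < p.max_retries:
            return 0
        s.failures, s.lockouts = 0, s.lockouts + 1
        # Past Max Lockouts, the Extend Lockout duration applies instead.
        extended = s.lockouts > p.max_lockouts
        length = p.extend_hours * 3600 if extended else p.lockout_minutes * 60
        s.locked_until = now + length
        return length

def guesses_evaluated(policy, interval_s, duration_s, ip="203.0.113.7"):
    """Password guesses one IP gets checked when it retries every interval_s seconds."""
    limiter, guesses, t = LoginLimiter(policy), 0, 0
    while t < duration_s:
        if not limiter.is_locked(ip, t):     # assumed: locked-out requests are not checked
            guesses += 1
            limiter.record_failure(ip, t)    # every guess in this model is wrong
        t += interval_s
    return guesses
```

With the sample values, an IP retrying once per second gets 18 guesses checked in 24 hours, compared with 86,400 when nothing limits it.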

At the top of the settings page, you can view a log of failed login attempts from the past 24 hours.

These logs can give you an idea of how frequently your site is being attacked, which URLs are being targeted, and where the attacks are coming from.

You can also blacklist or whitelist IP ranges.

This can be helpful if you want to block a repeated attacker indefinitely, or if you want to ensure that your IP address is never locked out inadvertently.

If you have any questions about the Loginizer plugin or limiting login attempts in WordPress, please feel free to leave them in the comments below!


Brad Merrill is the CEO of Merrill Media and Editor in Chief of GigaPress.


  • Jules says:

    It's a great tool but I do not seem able to extend the max lockout beyond 24 hours. When it is clearly a deliberate attack that is not enough.

  • Rebecca says:

    It seems that Loginizer has blocked access to the admin page of our WordPress website for all IP addresses, so we can’t get in. I even whitelisted our IP addresses so that we can get in, but it seemingly doesn’t work; we get the “your IP address has been blacklisted” even before we’ve entered our login details. Please help!

    • Brad Merrill says:

      Hey Rebecca — that’s a weird one! I would contact Loginizer to see if they can shed some light on the situation. In the meantime, you can regain access by manually uninstalling the plugin via FTP. Log into your site via FTP, go to /wp-content/plugins/, and delete the loginizer folder. This will remove Loginizer from your site so you can get back in right away.
      © 2021 GigaPress
      A Merrill Media Publication