How To Limit Login Attempts In WordPress

One of the most common methods that hackers use to gain access to a WordPress site is a brute force attack.

This is where a hacker uses a special computer program to try an endless number of username and password combinations until one finally works.

This is far more dangerous than a human trying to guess your password, because while a human can try a few passwords per minute, a brute force script can try thousands of passwords per second.

Brute force attacks are a serious threat to WordPress security. Given enough time and computing resources, a brute force attacker can eventually crack any password.

The best defense against brute force attacks is limiting the number of unsuccessful login attempts permitted from a single IP address.

One or two failed attempts could mean you or one of your users simply mistyped a password—but dozens or even hundreds of attempts indicate that your site is under attack, and the attacker should be blocked.

It’s very simple to do this with a plugin, and it’s one of the first things I implement on all of my production sites.

How To Limit WordPress Login Attempts With Loginizer

Loginizer is a WordPress plugin that blocks login attempts from a given IP address after it reaches the maximum number of permitted retries.

Once you’ve activated Loginizer, you can go to Loginizer Security > Brute Force in your WordPress dashboard to configure the plugin.

Loginizer Settings

Loginizer offers the following settings for its brute force protection:

  • Max Retries: The maximum number of failed attempts allowed before a user is locked out. I recommend setting this to at least 3 so you don’t lock yourself or your users out if someone mistypes or forgets their password.
  • Lockout Time: The amount of time (in minutes) a user will be locked out after maxing out their retries.
  • Max Lockouts: The maximum number of times a user can be locked out for the standard lockout time, after which they will be locked out for an extended period of time.
  • Extend Lockout: The number of hours a user will be locked out after exceeding the maximum number of standard lockouts.
  • Reset Retries: Failed login attempts for a given user will be reset after the number of hours you set here.
  • Email Notification: You can choose to be notified by email after a specified number of lockouts to alert you that your site is under attack.
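To make the interaction of these settings concrete, here is a small added Python model of the lockout policy they describe (example code written for this article, not Loginizer's own implementation; the threshold values and the IP address are constructed, and the assumption that the lockout counter is not reset after an extended lockout is marked in the code).

```python
from dataclasses import dataclass
# Knobs mirror the Loginizer settings above; values are constructed, not defaults.
@dataclass
class LockoutPolicy:
    max_retries: int = 3            # Max Retries
    lockout_minutes: int = 15       # Lockout Time
    max_lockouts: int = 2           # Max Lockouts before the extended lockout
    extend_lockout_hours: int = 24  # Extend Lockout
    reset_retries_hours: int = 1    # Reset Retries

@dataclass
class IpState:
    retries: int = 0         # failures since the last reset, success or lockout
    lockouts: int = 0        # standard lockouts served so far
    locked_until: float = 0  # unix time (seconds) the current lockout ends
    last_failure: float = 0  # unix time of the most recent failure

class LoginLimiter:
    def __init__(self, policy: LockoutPolicy):
        self.policy, self.state = policy, {}
    def attempt(self, ip: str, now: float, password_ok: bool) -> str:
        """Evaluate one login attempt from `ip` at unix time `now` (seconds)."""
        p, s = self.policy, self.state.setdefault(ip, IpState())
        if now < s.locked_until:
            return "blocked"  # still locked out: rejected before the password is checked
        if password_ok:
            s.retries = 0     # a good login clears the failure count
            return "success"
        # Reset Retries: failures older than the window no longer count
        if s.last_failure and now - s.last_failure > p.reset_retries_hours * 3600:
            s.retries = 0
        s.last_failure, s.retries = now, s.retries + 1
        if s.retries < p.max_retries:
            return "failed"
        s.retries, s.lockouts = 0, s.lockouts + 1
        if s.lockouts <= p.max_lockouts:
            s.locked_until = now + p.lockout_minutes * 60
            return "locked"
        # Max Lockouts exceeded: Extend Lockout applies (assumed: counter not reset)
        s.locked_until = now + p.extend_lockout_hours * 3600
        return "extended"

def demo() -> list:
    """Constructed timeline: three bursts of bad passwords from one IP, then a correct one."""
    limiter, ip, out = LoginLimiter(LockoutPolicy()), "203.0.113.5", []
    for start in (0, 1000, 2000):  # each burst begins after the previous 15-minute lockout ends
        out += [limiter.attempt(ip, t, False) for t in (start, start + 10, start + 20)]
    out.append(limiter.attempt(ip, 2030, True))  # right password, but the extended lockout holds
    return out
```

Running `demo()` shows the third burst triggering the extended lockout, after which even the correct password is rejected until the 24-hour window expires.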

At the top of the settings page, you can view a log of failed login attempts from the past 24 hours:

These logs can give you an idea of how frequently your site is being attacked, which URLs are being targeted, and where the attacks are coming from.

You can also blacklist or whitelist IP ranges:

This can be helpful if you want to block a repeated attacker indefinitely, or if you want to ensure that your IP address is never locked out inadvertently.

If you have any questions about the Loginizer plugin or limiting login attempts in WordPress, please feel free to leave them in the comments below!

Brad Merrill

Brad Merrill is the CEO of Merrill Media and Editor in Chief of GigaPress.

  • It's a great tool but I do not seem able to extend the max lockout beyond 24 hours. When it is clearly a deliberate attack that is not enough.

  • It seems that Loginizer has blocked access to the admin page of our WordPress website for all IP addresses, so we can't get in. I even whitelisted our IP addresses so that we can get in, but it seemingly doesn't work; we get the "your IP address has been blacklisted" message even before we've entered our login details. Please help!

    • Brad Merrill says:

      Hey Rebecca -- that's a weird one! I would contact Loginizer to see if they can shed some light on the situation. In the meantime, you can regain access by manually uninstalling the plugin via FTP. Log into your site via FTP, go to /wp-content/plugins/, and delete the loginizer folder. This will remove Loginizer from your site so you can get back in right away.
