How To Limit Login Attempts In WordPress?
By Gowdham | October 9, 2024
WordPress itself is a secure platform, but that alone does not make your site immune to break-ins. One of the most common attacks is a human or a bot trying to get past your login page by submitting many username and password combinations. This is called a brute force attack: it uses trial and error to break into your WordPress website.
The common type of brute force attack is password guessing. Hackers use automated software to guess your login information so they can gain access to your website.
By default, anyone can keep trying to log into your site, with no restriction on the number of attempts. However, most legitimate users never need more than a few tries. You can limit login attempts to blunt these brute-force attacks by capping the number of failed login attempts per user. For example, you can temporarily lock a user out after 3 failed login attempts.
Why Should We Limit Login Attempts In WordPress?
By default WordPress allows an unlimited number of incorrect login attempts, so nothing stops the trial-and-error approach. Anyone imagining a person actually typing in these guesses by hand, however, would be sorely mistaken.
Hackers use scripts that submit login attempts far faster than a person could. While it is common for a user to forget their password or mistype their details once or twice, they certainly do not need unlimited tries. That is why we need to limit login attempts in WordPress.
Features of Limit Logins In WordPress:
- Captcha Verification
- Lightweight plugin
- Login Security – Limit login attempts
- Redirect to the home page on abnormal requests
- A mechanism for slowing down brute force attacks
How to Limit Login Attempts In WordPress?
Step 1:
First login to your WordPress Dashboard.
Step 2:
Then you need to install and activate the Limit Login Attempts Reloaded plugin for your site. Go to the Plugins option on the left side of your Dashboard.
Click on Plugins and select the Add New option on the left-hand admin panel.
Upon activation, you can see that Plugin on your Dashboard, as shown in the above image.
Step 3:
The plugin is simple to use but extremely effective, and the default settings will work for most websites. Sometimes, though, you will need to change them.
To change the settings, visit the Settings -> Limit Login Attempts page and then click on the Settings tab at the top.
You will see the General Settings page, as shown in the image below.
On this page, you can enable or disable the “GDPR compliance” checkbox to show a message on your login page.
Step 4:
Next, you should choose whether to be notified when someone has been locked out. You can enter the email to which notifications are sent after lockouts.
By default, you will be notified the third time the user is locked out.
Step 5:
After that, scroll down to the Local App section, as in the image below.
Here you can enter how many login attempts can be made and choose how long a user will have to wait if they exceed that number of failed attempts. The default value is 20 minutes.
You can also increase the wait time once the user has been locked out a specified number of times. The default settings will not allow the user to attempt to log in for 24 hours once they have been locked out 4 times.
Step 6:
After making all your changes, don’t forget to click the Save Settings button at the bottom of the Settings screen to keep them.
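To make the behaviour behind the Step 5 settings concrete, here is a small model of an escalating lockout policy. It is an added example, not code from the plugin or from this post: `LockoutPolicy` mirrors the knobs described above (the 20 minute wait and the 24 hour lockout after 4 lockouts come from the text; the number of retries before a lockout, the choice to key the counter by client address, and resetting the counters on a successful login are assumptions). The sample client address and timestamps are constructed.

```python
"""Model of an escalating login-attempt limiter (added example, not the plugin's code)."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class LockoutPolicy:
    """Settings equivalent to the plugin's Local App section."""
    allowed_retries: int = 4               # assumed: failed attempts before a lockout
    lockout_seconds: int = 20 * 60         # from the text: default wait is 20 minutes
    allowed_lockouts: int = 4              # from the text: 4 lockouts trigger the long lockout
    long_lockout_seconds: int = 24 * 3600  # from the text: long lockout lasts 24 hours


@dataclass
class ClientState:
    failures: int = 0        # failed attempts since the last lockout or success
    lockouts: int = 0        # lockouts so far, drives the escalation
    locked_until: float = 0  # unix-style timestamp; 0 means not locked


class LoginLimiter:
    """Tracks failed attempts per client and enforces short, then long, lockouts."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._clients: Dict[str, ClientState] = {}

    def _state(self, client_id: str) -> ClientState:
        return self._clients.setdefault(client_id, ClientState())

    def seconds_locked(self, client_id: str, now: float) -> float:
        """0 when the client may attempt a login, otherwise seconds until the lockout ends."""
        return max(0.0, self._state(client_id).locked_until - now)

    def attempt(self, client_id: str, password_ok: bool, now: float) -> str:
        """Process one login attempt and return 'locked', 'ok', 'failed' or 'lockout'.

        The lockout check runs before the password is considered, so a correct
        password submitted during a lockout is still rejected; that is what
        stops a script from simply continuing to guess.
        """
        st = self._state(client_id)
        if self.seconds_locked(client_id, now) > 0:
            return "locked"
        if password_ok:
            # assumption: a successful login clears the client's record
            st.failures = 0
            st.lockouts = 0
            return "ok"
        st.failures += 1
        if st.failures < self.policy.allowed_retries:
            return "failed"
        # Threshold reached: start a lockout and escalate its length if needed.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= self.policy.allowed_lockouts:
            duration = self.policy.long_lockout_seconds
        else:
            duration = self.policy.lockout_seconds
        st.locked_until = now + duration
        return "lockout"


def drive_to_long_lockout(limiter: LoginLimiter, client_id: str, start: float) -> float:
    """Replay failed attempts, waiting out each short lockout, until the long one triggers.

    Returns the length in seconds of the final lockout. Useful for checking
    that the escalation matches the configured policy.
    """
    now = start
    while True:
        outcome = limiter.attempt(client_id, False, now)
        if outcome == "lockout":
            remaining = limiter.seconds_locked(client_id, now)
            if remaining >= limiter.policy.long_lockout_seconds:
                return remaining
            now += remaining + 1  # wait out the short lockout, then keep going
        else:
            now += 1


if __name__ == "__main__":
    # Constructed sample: one client (documentation address) hammering the login form.
    limiter = LoginLimiter(LockoutPolicy())
    for t in range(5):
        print(t, limiter.attempt("203.0.113.5", False, t))
    print("long lockout seconds:", drive_to_long_lockout(limiter, "203.0.113.5", 2000))
```

With the defaults above, the fourth failure produces a 20 minute lockout, a correct password during that window is still refused, and the fourth lockout lasts 24 hours while other clients are unaffected.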
Additional Resource for Website Protection:
Disadvantages of using WordPress Plugins in Your Website
How to Setup OTP Verification with WordPress Plugin?
Tips to Choose Safe WordPress Plugins for Your Website