How to Limit Login Attempts on Your WordPress Site

If you’ve ever seen the wrong-password error on the WordPress login screen, you will have noticed that WordPress lets you try again and again until you get it right. That’s the default WordPress behavior as far as logins are concerned. While this might be convenient for you, it’s also convenient for hackers. Most of the top website builders (like Wix, Squarespace, and others) have their own system for dealing with too many login attempts, but with WordPress, you’re stuck with unlimited attempts unless you do something about it.


Importance of Limiting Login Attempts in WordPress

If you don’t limit the number of login attempts on your WordPress site, hackers will find it easy to get inside your WP Dashboard and cause damage to your website. They take advantage of this weakness by trying one combination of username and password after another (a brute-force attack) until one lets them into your WordPress Admin area. Of course, this means taking over your site.

One of the easiest solutions to this dilemma (even beginners can do this) is to limit the number of login attempts in your WordPress. For example, you can limit the number of failed attempts to 5 – after which, said user will be unable to make another try. And so, the person (or computer) trying to break into your WordPress will be locked out. This system works by blocking the user’s IP address for a specific time, according to your setup (it can be in minutes or days).

Limiting WordPress Login Attempts by Using a Plugin

You guessed it right: there’s a plugin that can help you secure your site from unauthorized login attempts. Here are the steps:

  1. Go to the Plugins section of your WordPress Dashboard and select Add Plugin.
  2. Search for the Login Lockdown plugin. You can also check out similar results.
  3. Install and activate the plugin.
  4. Now, go back to your Admin area and hover your mouse over the Settings section.
  5. Configure the Login Lockdown plugin according to your preference. See the example below.
  • Number of failed login attempts – As your first level of defense, you can limit this to 3 tries.
  • Retry time period restriction (in minutes) – With this option, a particular user will be unable to make another login attempt until the designated time passes. You can program this field to 5 to 10 minutes or more.
  • How long a particular IP address will be locked out – Again, this will depend on you. You can choose 60 minutes, and this time will have to pass after a lockdown (before a user can try again).
  • Lockout invalid username – A slight slip of the fingers can result in an incorrect username. Therefore, the default setting in WordPress is “no” when it comes to this particular setting. However, if you want your WordPress security system to respond to incorrect usernames, simply check the “yes” option.
  • Mask login – By default, WordPress will tell the user if it’s a case of an invalid username or invalid password. If you don’t want your WordPress to display such information, just click on the YES option. This way, the user attempting to log into your site won’t know which one to correct.

Note: After finishing with the configuration settings, click on the update button to save the changes.
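
The lockout behavior these settings describe, written as a must-use plugin file using WordPress's own hooks. This is an added example, not code from the Login Lockdown plugin; the LL_DEMO_* constants and ll_demo_* names are hypothetical, and it assumes the file is saved under wp-content/mu-plugins/. It counts every failed login from an IP address, including attempts with an invalid username.

```php
<?php
// Added example, not the Login Lockdown plugin's code. The LL_DEMO_* constants
// and ll_demo_* names are hypothetical; values mirror the settings above.
const LL_DEMO_MAX_FAILS   = 3;  // number of failed login attempts
const LL_DEMO_RETRY_MIN   = 5;  // retry time period, in minutes
const LL_DEMO_LOCKOUT_MIN = 60; // lockout length, in minutes

function ll_demo_key( $prefix ) {
    // Assumption: REMOTE_ADDR is the visitor's own address. Behind a proxy or
    // firewall service it is the proxy's address, so one lockout would block
    // every visitor unless the server is set up to restore the client IP.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return $prefix . md5( $ip );
}

// Count failed logins per IP and start a lockout once the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( ll_demo_key( 'll_demo_lock_' ) ) ) {
        return; // already locked out; do not extend the lockout
    }
    $now   = time();
    $fails = get_transient( ll_demo_key( 'll_demo_fails_' ) );
    $fails = is_array( $fails ) ? $fails : array();
    // Keep only failures that fall inside the retry period.
    $fails = array_filter( $fails, function ( $t ) use ( $now ) {
        return $t > $now - LL_DEMO_RETRY_MIN * MINUTE_IN_SECONDS;
    } );
    $fails[] = $now;
    if ( count( $fails ) >= LL_DEMO_MAX_FAILS ) {
        set_transient( ll_demo_key( 'll_demo_lock_' ), 1, LL_DEMO_LOCKOUT_MIN * MINUTE_IN_SECONDS );
        $fails = array();
    }
    set_transient( ll_demo_key( 'll_demo_fails_' ), $fails, LL_DEMO_RETRY_MIN * MINUTE_IN_SECONDS );
} );

// Priority 30 runs after WordPress's own username and password checks (20).
add_filter( 'authenticate', function ( $user ) {
    if ( get_transient( ll_demo_key( 'll_demo_lock_' ) ) ) {
        // Locked out: refuse the login even if the password was correct.
        return new WP_Error( 'll_demo_locked', 'Too many failed login attempts. Try again later.' );
    }
    $masked = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), $masked, true ) ) {
        // "Mask login": same message whether the username or password was wrong.
        return new WP_Error( 'll_demo_masked', 'Invalid username or password.' );
    }
    return $user;
}, 30 );
```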

Important Tips

  1. Use strong passwords – Sometimes, it can be annoying (and time-consuming) to think of a password that’s hard to guess. However, we suggest spending some time on this as it’s important to your site’s safety. Don’t forget to use a combination of uppercase letters, lowercase letters, numbers, and symbols, ok?
  2. Use backup plugins – This is another level of security that you can add to your website. Backing up your website content will soften the blow if hackers ruin your site.
  3. Employ more security measures for business sites – Needless to say, business websites are more prone to attacks. For an additional level of protection, you can add a firewall feature to your security system. Try these:
  • Sucuri – This company is a web security provider. They give online services to clients so as to protect their websites. This type of security platform includes the use of a firewall, among other things. Having a firewall will block suspicious sites and files from causing damage to your website.
  • Cloudflare – Like Sucuri, this company also offers web security. And like Sucuri, their services also include website repair if your site is hacked or damaged by third-party accounts.
  • Sucuri Security Plugin – Installing this free plugin will guard your site from security threats.

Should You Limit Login Attempts to Your WordPress Site?

We strongly suggest limiting the login attempts in your WordPress Dashboard as an unauthorized login can indeed cause a lot of problems. The more security you have and the more careful you are, the less prone your site will be to online attacks.
