A Complete Guide to Handling Multiple Failed Login Attempts in WordPress
One of the most important things any WordPress website owner or admin has to understand is that small websites can be a target of security attacks just like big websites can. The web is an inherently unsafe place. Not to the point where people are unable to browse it safely, but a couple of slips and lapses of judgment are all it takes to give someone information they can use to take advantage of you or hurt you financially or in other ways.
But even if you’re doing everything you should as a WordPress website admin, it’s still more than likely that your website will be a target of hacking attacks. Seeing too many failed login attempts is a telltale sign of a type of attack called brute force attack. Then again, it might also be a sign that one of the people who have access to your website’s backend has forgotten their password.
In this article, we’ll discuss having too many failed login attempts in WordPress from several different angles. The topics we’ll cover include:
An obvious question with an obvious answer – a failed login attempt is when someone tries to access your website’s backend using the wrong credentials. Access to WordPress’ backend though the browser is protected by a username and password, and anyone willing to access it needs to know the right combination of these credentials. If they make a mistake, they won’t be given access to the backend, and this constitutes a failed login attempt.
The less obvious question regarding failed login attempts is how many is too many? If someone tries to log in to your website five times with no success, is it worse if they kept trying a hundred times? It turns out it is – the sheer magnitude of these requests to access can be enough to cause your website to slow down and even go offline. So while it’s hard to pinpoint the number that serves as a border between “not enough” and “too many,” it’s very much possible to distinguish between the two.
Another reason why people might ask what’s a failed login attempt is that they’ve never got a report listing how many failed login attempts there have been on their website. Most WordPress security plugins will monitor those. When people install them for the first time, it’s not that an uncommon surprise to see many different login attempts from countries all over the world. But the bottom line here is that people might not even be aware that failed login attempts are something that’s happening on their WordPress website simply because they haven’t set up monitoring for it.
Once again, we’ll start with the most obvious and benign answer – someone forgot their password. The more people with credentials to log into your website, the more likely it is that one day someone will forget them.
Does this mean that you should employ a policy of using easy-to-remember passwords? Of course not. Passwords need to be long and complicated, as those are the things that make them more secure. But you should be aware that some of these attempts you can see in your report might come from people who genuinely have a reason to access your website.
The other less innocent but probably more important answer is that a high number of failed login attempts means that someone who had no business accessing your website has tried to do it. It might have been a person, but more likely it was a bot designed to locate a website’s login page and try a couple of combinations of usernames and passwords before the security measures put in place prevent it. These are what are called brute force attacks – when someone tries to hack your website by going after the right username-password combination running as many permutations as possible.
Too many failed login attempts in WordPress can be a serious problem in two ways. First, you have to understand that when it comes to online security, people are usually the weakest link. They are the ones who can’t be bothered to create secure passwords or the ones who’ll share passwords with coworkers, or the ones who’ll fall for phishing emails.
In that sense, a team member who is constantly having trouble remembering their password might pose a security risk to your website. They can eventually set a very weak password or use a password they’ve used on multiple other websites, and they might not be too fond of changing passwords regularly. All of these are t recommended practices for good password security.
On the other hand, if you’re undergoing a brute force attack and it’s slowing down your website, that might pose a problem even if the attack doesn’t crack your password. As we mentioned before, these types of attacks, if vicious enough, can cripple your website’s speed, doing damage even if they don’t meet their primary objective.
The very first thing you want to do is install a piece of software that will inform you of any unsuccessful login attempts. For the most part, you can get that feature with a security plugin, possibly one that you’re already using. You should always presume that your website has a certain number of failed login attempts every day. Security tools might show you the IP addresses and locations of the origins of the attempts. That way you’ll discern between a forgetful team member and a hacker, bot, or anything else that’s simply trying to crack your website.
Dealing With Failed Login Attempts from Friendlies
If someone on your team has a problem with password management, you should press upon them the importance of proper password guarding and usage. If that doesn’t work, you might consider adding a login method to the website. You can try, for example:
FaceID – the same technology Apple uses to allow you to unlock an Apple device can be used to gain access to a WordPress website. Only available to people who have an Apple account.
SMS Authentication – unless your forgetful team members also tend to forget their phones, sending them a one-time password via SMS to log in to your website might work great.
Fingerprint – again, this form of logging in will require ownership of a device with a fingerprint scanner. Apart from that, it’s just like using a fingerprint to unlock a phone.
Any one of these methods might be an improvement over remembering long, twisted, passwords. If you have trouble implementing them, your best bet would be to increase password management discipline.
Dealing With Failed Login Attempts from Hostiles
A common way of dealing with too many failed login attempts in WordPress is to limit login attempts that can come from a single IP. That way, after a few bad attempts, the person or bot will have its IP address blocked, and they’ll be put on a time-out of your choosing.
You can limit the login attempts with a plugin, or you can do it by editing the functions.php file. If by any chance, you put yourself on a timeout with this type of plugin, you might have to disable the plugin while locked out of your website. However, for the very basic type of protection, use a login attempts limiter and implement a strong policy regarding passwords – especially their strength and safekeeping.
Other methods you could try are pretty much the same ones you’d use to protect yourself from brute force attacks – as that’s what these types of failed login attempts usually are. Some of the things you might consider doing include:
Adding two-factor authentication – this will require the user to enter a separate key that’s sent to them on login via text or email.
Adding HTTP authentication – this is like putting a password on the login page itself so that people can’t try to log in without passing the first round of protections.
Blocking IPs – if you’re sure the IPs that are behind too many failed login attempts don’t belong to your team member, you can blacklist them using custom code.
Using security plugins – plugins can take care of many things like blacklisting, password generation, and two-factor authentication for you.
You are strongly advised to give our article about brute force attacks a look – it contains much detailed information about various methods of protection. Because brute force attacks are a common cause of seeing too many failed login attempts, you’ll see an overlap in possible protection methods.
Let’s Wrap It Up!
Failed login attempts are an everyday occurrence when you have a WordPress website – whether you’re aware of them, or not. Some reasons for failed login attempts might not point to a serious problem. Others can indicate someone is trying to enter your website uninvited. Either ways, it’s always best to keep an eye on the volume of failed login attempts and react accordingly.