How to Limit Login Attempts in WordPress (And Why)
Let’s agree right from the start that no one likes to use long and complicated passwords. The more characters you add to it — the more you make it secure — the higher the chances that you’ll make a mistake when you’re trying to log in to apps, service accounts, and — your WordPress website. Still, you go through all of it because security matters.
For someone who’s determined to keep their website as secure as possible with long and complicated passwords, limiting the number of login attempts in WordPress might seem like the last thing you’d want to do. But as we said before, security matters, and forcing a timeout between a set number of login attempts is a valid security measure.
In this article, we’ll show you:
Most website owners and administrators are aware that they are not the only people who’ll log into their website. Everyone from content creators to search engine optimization specialists will require access to your website’s backend. But even though you might make their workdays a tiny bit more difficult on the days when they have trouble remembering their login details, they’re not the people you’re setting up a login limitation for on your website.
The people against whom you’re protecting your website with login attempt limitation are hackers with their bots and scripts. Among the many techniques, tools, and attack vectors they can employ to damage your website, take advantage of it for their gains, or simply mess with you, hackers can try something called a brute force attack to gain access to your website’s backend.
When using a brute force attack to try to access your website’s backend, a hacker will effectively try combinations of letters, numerals, and characters until they’ve found one that gets them access to the website. They usually won’t do the hacking on their own — they’ll use scripts to try tens of thousands of passwords every second until they find one. That means that, depending on how strong the password you use is, they can take anywhere from seconds to years to crack your password.
Forcing the hacker to take a break every couple of attempts doesn’t make your website impenetrable, but it makes hacking it more time-consuming. When trying to crack the password becomes impractical — too costly in terms of time and resources — the hacker is likely to move on to the next target. If they have it in for you, they’ll try a different type of attack. Either way, they’re unlikely to continue trying to brute force their way in.
The easiest way to limit login attempts in WordPress is by using a plugin. The Limit Login Attempts Reloaded plugin is a great choice for a couple of reasons — it’s free, it has lots of active installations, and the people who use it mostly have nothing bad to say about it. You can install it on top of other security plugins you already use if they don’t have a login attempts limiter feature.
After you’ve installed and activated the plugin, you can go to Settings > Limit Login Attempts to set up the plugin. The very first set of options you access is under the Dashboard tab. There, you’ll be able to access some lockout statistics, but more importantly, you’ll be able to blacklist and whitelist certain IPs and usernames.
In the Settings tab, you’ll be able to choose whether you need the plugin to be GDPR compliant and whether you want to be notified by email when lockouts occur.
The Worker settings are where you can set up the number of allowed retries, how long you want the lockout to last, and how long you want to wait before the retries are reset.
The final tab contains debug code you should send to the plugin maker’s support if something goes wrong with it.
After you’ve adjusted all the settings and saved them, the plugin will start doing its job. When someone tries to log in using a wrong password or user name, they’ll be notified of the number of attempts they have left.
If they don’t manage to provide a valid username and password in the attempts they have left, they’ll be prevented from trying again for a period you’ve set.
Limiting login attempts shouldn’t be the only measure you take to secure your website. Putting safety first is something you should do when choosing a web host. It’s the reason why it’s usually better to go for that premium WordPress theme than downloading who-knows-what and using it to customize your website. And only then you should start thinking about plugins that might help you secure your website.
A lot of it is up to you, too. For example, knowing how to create, store, and use passwords is almost as necessary as knowing how to turn your computer or smartphone on — you shouldn’t be able to do anything online without having that knowledge.
Here are some of the very basics of password security:
Your password should be as long as possible. The longer the better, really, as more characters make it more time consuming to break.
Use a random combination of letters, characters, numerals, and cases. Avoid using words as they’re susceptible to dictionary attacks.
Don’t tell your password to anyone. People are often the weakest link in a security system. The fewer people know a password, the more secure it is.
Try to change them reasonably frequently. You don’t need a new password every day. A couple of times a year would work great.
Use a good password manager. A good password manager can help you with everything from generating super-strong passwords to changing them regularly.
After you’ve done all of this, you should expect your password to be reasonably well-protected against the bulk of possible threats. All that’s left to do is keep an eye out for new threats, and then take measures against them.
Let’s Wrap It Up
It’s never a good idea to just let anyone roam around your website’s backend. That’s what we have passwords for — to help us control access to the critical parts of our websites.
But the very fact that passwords exist won’t stop bad actors from trying to gain access to your website for their own, often nefarious, reasons. That’s why you need to help your passwords do their job. You can make them strong, varied, and change them often. But you can also put a limit to login attempts in your WordPress website and send a clear message to anyone trying to brute force your website.