{"id":31984,"date":"2021-11-21T15:00:13","date_gmt":"2021-11-21T14:00:13","guid":{"rendered":"https:\/\/qodeinteractive.com\/magazine\/?p=31984"},"modified":"2022-01-13T11:59:28","modified_gmt":"2022-01-13T10:59:28","slug":"complete-guide-to-handling-too-many-failed-login-attempts-in-wordpress","status":"publish","type":"post","link":"https:\/\/qodeinteractive.com\/magazine\/complete-guide-to-handling-too-many-failed-login-attempts-in-wordpress\/","title":{"rendered":"A Complete Guide to Handling Multiple Failed Login Attempts in WordPress"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]One of the most important things any WordPress website owner or admin has to understand is that small websites can be a target of security attacks just like big websites can. The web is an inherently unsafe place. Not to the point where people are unable to browse it safely, but a couple of slips and lapses of judgment are all it takes to give someone information they can use to take advantage of you or hurt you financially or in other ways.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]But even if you\u2019re doing everything you should as a WordPress website admin, it\u2019s still more than likely that your website will be a target of hacking attacks. Seeing too many failed login attempts is a telltale sign of a type of attack called brute force attack. Then again, it might also be a sign that one of the people who have access to your website\u2019s backend has forgotten their password.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]In this article, we\u2019ll discuss having too many failed login attempts in WordPress from several different angles. 
The topics we\u2019ll cover include:<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#what-is-failed-login-attempt\">What\u2019s a Failed Login Attempt?<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#why-do-failed-login-attempts-happen\">Why Do Failed Login Attempts Happen?<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#is-it-a-problem\">Is Having Too Many Failed Login Attempts in WordPress a Problem?<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#handling-too-many-failed-login-attempts\">Handling Too Many Failed Login Attempts<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;80px&#8221;][vc_widget_sidebar sidebar_id=&#8221;new-top-picks-banner&#8221;][vc_empty_space height=&#8221;80px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"what-is-failed-login-attempt\"><\/a>What\u2019s a Failed Login Attempt?<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" 
width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Whats-a-Failed-Login-Attempt.jpg\" class=\"attachment-full size-full\" alt=\"What\u2019s a Failed Login Attempt\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Whats-a-Failed-Login-Attempt.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Whats-a-Failed-Login-Attempt-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Whats-a-Failed-Login-Attempt-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Whats-a-Failed-Login-Attempt-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]An obvious question with an obvious answer \u2013<strong> a failed login attempt is when someone tries to access your website\u2019s backend using the wrong credentials<\/strong>. Access to WordPress\u2019 backend through the browser is protected by a username and password, and anyone wanting to access it needs to know the right combination of these credentials. If they make a mistake, they won\u2019t be given access to the backend, and this constitutes a failed login attempt.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]The less obvious question regarding failed login attempts is how many is too many? If someone tries to log in to your website five times with no success, is it worse if they kept trying a hundred times? 
<strong>It turns out it is \u2013 the sheer magnitude of these requests to access can be enough to cause your website to slow down and even go offline.<\/strong> So while it\u2019s hard to pinpoint the number that serves as a border between \u201cnot enough\u201d and \u201ctoo many,\u201d it\u2019s very much possible to distinguish between the two.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>Another reason why people might ask what\u2019s a failed login attempt is that they\u2019ve never got a report listing how many failed login attempts there have been on their website.<\/strong> Most <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-security-plugins\/\">WordPress security plugins<\/a> will monitor those. When people install them for the first time, it\u2019s not that uncommon a surprise to see many different login attempts from countries all over the world. But the bottom line here is that <strong>people might not even be aware that failed login attempts are something that\u2019s happening on their WordPress website simply because they haven\u2019t set up monitoring for it.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"why-do-failed-login-attempts-happen\"><\/a>Why Do Failed Login Attempts Happen?<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"553\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Why-Do-Failed-Login-Attempts-Happen.jpg\" class=\"attachment-full size-full\" alt=\"Why Do Failed Login Attempts Happen\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Why-Do-Failed-Login-Attempts-Happen.jpg 969w, 
https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Why-Do-Failed-Login-Attempts-Happen-300x171.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Why-Do-Failed-Login-Attempts-Happen-768x438.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Why-Do-Failed-Login-Attempts-Happen-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Once again, we\u2019ll start with the most obvious and benign answer \u2013<strong> someone forgot their password<\/strong>. The more people with credentials to log into your website, the more likely it is that one day someone will forget them.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Does this mean that you should employ a policy of using easy-to-remember passwords? Of course not. <strong>Passwords need to be long and complicated, as those are the things that make them more secure.<\/strong> But you should be aware that some of these attempts you can see in your report might come from people who genuinely have a reason to access your website.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>The other less innocent but probably more important answer is that a high number of failed login attempts means that someone who had no business accessing your website has tried to do it.<\/strong> It might have been a person, but more likely it was a bot designed to locate a website\u2019s <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-log-in-into-wordpress-site\/\">login page<\/a> and try a couple of combinations of usernames and passwords before the security measures put in place prevent it. 
These are what are called brute force attacks \u2013 when someone tries to hack your website by going after the right username-password combination by running as many permutations as possible.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"is-it-a-problem\"><\/a>Is Having Too Many Failed Login Attempts in WordPress a Problem?<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Is-Having-Too-Many-Failed-Login-Attempts-in-WordPress-a-Problem.jpg\" class=\"attachment-full size-full\" alt=\"Is Having Too Many Failed Login Attempts in WordPress a Problem\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Is-Having-Too-Many-Failed-Login-Attempts-in-WordPress-a-Problem.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Is-Having-Too-Many-Failed-Login-Attempts-in-WordPress-a-Problem-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Is-Having-Too-Many-Failed-Login-Attempts-in-WordPress-a-Problem-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Is-Having-Too-Many-Failed-Login-Attempts-in-WordPress-a-Problem-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Too many failed login attempts in WordPress can be a serious problem in two ways.<strong> First, you have to understand that when it comes to online security, people are usually the weakest link.<\/strong> They are the ones who can\u2019t be bothered to create secure passwords or 
the ones who\u2019ll share passwords with coworkers, or the ones who\u2019ll fall for phishing emails.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>In that sense, a team member who is constantly having trouble remembering their password might pose a security risk to your website.<\/strong> They can eventually set a very weak password or use a password they\u2019ve used on multiple other websites, and they might not be too fond of changing passwords regularly. None of these are recommended practices for good password security.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>On the other hand, if you\u2019re undergoing a brute force attack and it\u2019s slowing down your website, that might pose a problem even if the attack doesn\u2019t crack your password.<\/strong> As we mentioned before, these types of attacks, if vicious enough, can cripple your website\u2019s speed, doing damage even if they don\u2019t meet their primary objective.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"handling-too-many-failed-login-attempts\"><\/a>Handling Too Many Failed Login Attempts<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Handling-Too-Many-Failed-Login-Attempts.jpg\" class=\"attachment-full size-full\" alt=\"Handling Too Many Failed Login Attempts\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Handling-Too-Many-Failed-Login-Attempts.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Handling-Too-Many-Failed-Login-Attempts-300x172.jpg 300w, 
https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Handling-Too-Many-Failed-Login-Attempts-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Handling-Too-Many-Failed-Login-Attempts-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]The very first thing you want to do is install a piece of software that will inform you of any unsuccessful login attempts. <strong>For the most part, you can get that feature with a security plugin, possibly one that you\u2019re already using.<\/strong> You should always presume that your website has a certain number of failed login attempts every day. Security tools might show you the IP addresses and locations of the origins of the attempts. That way you\u2019ll discern between a forgetful team member and a hacker, bot, or anything else that\u2019s simply trying to crack your website.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Dealing With Failed Login Attempts from Friendlies<\/h3>\n<p>[\/vc_column_text][vc_column_text]<strong>If someone on your team has a problem with password management, you should press upon them the importance of proper password guarding and usage.<\/strong> If that doesn\u2019t work, you might consider adding a login method to the website. <strong>You can try, for example:<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>FaceID<\/strong> \u2013 the same technology Apple uses to allow you to unlock an Apple device can be used to gain access to a WordPress website. 
Only available to people who have an Apple account.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>SMS Authentication<\/strong> \u2013 unless your forgetful team members also tend to forget their phones, sending them a one-time password via SMS to log in to your website might work great.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Fingerprint<\/strong> \u2013 again, this form of logging in will require ownership of a device with a fingerprint scanner. Apart from that, it\u2019s just like using a fingerprint to unlock a phone.<\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Any one of these methods might be an improvement over remembering long, twisted passwords. If you have trouble implementing them, your best bet would be to increase password management discipline.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Dealing With Failed Login Attempts from Hostiles<\/h3>\n<p>[\/vc_column_text][vc_column_text]A common way of dealing with too many failed login attempts in WordPress is to <a href=\"https:\/\/qodeinteractive.com\/magazine\/limit-login-attempts-in-wordpress\/\">limit login attempts<\/a> that can come from a single IP. 
<strong>That way, after a few bad attempts, the person or bot will have its IP address blocked, and they\u2019ll be put on a time-out of your choosing.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>You can limit the login attempts with a plugin, or you can do it by editing the functions.php file.<\/strong> If by any chance, you put yourself on a timeout with this type of plugin, you might have to <a href=\"https:\/\/qodeinteractive.com\/magazine\/disable-plugins-wordpress\/\">disable the plugin while locked out of your website<\/a>. <strong>However, for the very basic type of protection, use a login attempts limiter and implement a strong policy regarding passwords \u2013 especially their strength and safekeeping.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Other methods you could try are pretty much the same ones you\u2019d use to protect yourself from brute force attacks \u2013 as that\u2019s what these types of failed login attempts usually are.<strong> Some of the things you might consider doing include:<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-two-factor-authentication\/\">Adding two-factor authentication<\/a> \u2013 this will require the user to enter a separate key that\u2019s sent to them on login via text or email.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Adding HTTP authentication<\/strong> \u2013 this is like putting a password on the login page itself so that people can\u2019t try to log in without passing the first round of protections.<\/span> 
       <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Blocking IPs<\/strong> \u2013 if you\u2019re sure the IPs that are behind too many failed login attempts don\u2019t belong to your team members, you can blacklist them using custom code.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Using security plugins<\/strong> \u2013 plugins can take care of many things like blacklisting, password generation, and two-factor authentication for you.<\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You are strongly advised to give our article about brute force attacks a look \u2013 it contains a lot of detailed information about various methods of protection. Because brute force attacks are a common cause of seeing too many failed login attempts, you\u2019ll see an overlap in possible protection methods.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">Let\u2019s Wrap It Up!<\/h2>\n<p>[\/vc_column_text][vc_column_text]Failed login attempts are an everyday occurrence when you have a WordPress website &#8211; whether you\u2019re aware of them or not. Some reasons for failed login attempts might not point to a serious problem. Others can indicate someone is trying to enter your website uninvited. Either way, it\u2019s always best to keep an eye on the volume of failed login attempts and react accordingly.[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Are you seeing too many failed login attempts to your WordPress website? 
Don&#8217;t worry &#8211; you can easily figure out what&#8217;s going on and react!<\/p>\n","protected":false},"author":9295,"featured_media":31993,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[34,4,52,13],"class_list":["post-31984","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-resources","tag-security","tag-tips","tag-troubleshooting","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/31984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/users\/9295"}],"replies":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/comments?post=31984"}],"version-history":[{"count":0,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/31984\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media\/31993"}],"wp:attachment":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media?parent=31984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/categories?post=31984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/tags?post=31984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}