Why You Should Limit Login Attempts in WordPress
December 27, 2021
As research shows, more than 70 percent of popular WordPress websites are vulnerable to attack. It sounds like bad news, but it isn’t as scary as it may seem. You can follow plenty of good practices to ensure your site stays among the safe 30 percent. And one of the first things you should do is limit login attempts in WordPress. Today, we’ll talk about why and how you should do it.
There are all kinds of threats lurking on the web, and as a site owner, you’ve got to be careful and protect your domain. Luckily for you, at WP Full Care, we know a thing or two about website safety, and we’re willing to share our knowledge with you. So, here’s what you should know.
Why You Should Limit Login Attempts in WordPress
One of the ways for attackers to gain access to your site is called a brute force attack. It’s not a complex or brilliant way to do it, but it can work.
In essence, it’s a trial and error method. An attacker sets up a script to guess your login username and password. The software they use is loaded with every word and phrase you can imagine, and it will try the different combinations of them until one works.
Of course, attackers can do anything they want once they’re in. They can make changes to your pages and then change your login so you can’t access the site. Then, they’ll contact the site owner and demand payment to give the site back.
By default, WordPress allows its users to enter their credentials as many times as they want. It’s not necessarily a bad thing, but attackers have found a way to exploit it.
It’s a good thing then that you can prevent brute force attacks simply by limiting the number of login attempts per user. For example, you set the limit to five tries, and if a user enters the wrong credentials five times, they’ll be temporarily locked out.
However, it’s not uncommon for some people to find themselves locked out of their WordPress admin. They forget the password, try to guess it too many times, and just like that, they’re out of guesses. If it happens to you, there’s no reason to worry. You can get back in, but you’ll have to work a bit more to do it.
Now that you know why you might want to limit login attempts in WordPress, let’s talk about how you can do it.
How to Limit Login Attempts in WordPress
To protect your website from brute force attacks, you want to install the Limit Login Attempts Reloaded plugin. It’s a simple plugin, and you install it like any other on your site. The free version will serve you well, so there’s no need to go for the paid ones.
Once you activate it, you’ll need to set it up. Keep in mind that the default settings are completely fine, and they’ll work well for most sites. On the other hand, if you want to change them, here’s how you do it. We’ll guide you through the whole process step by step.
Setup Process
First off, go to Settings in the WP dashboard, click on the Limit Login Attempts page, and click on the Settings tab there.
To ensure your site is compliant with the European Union’s laws, click the GDPR compliance checkbox. It won’t do anything but show a message on the login page to let people know how many attempts they’ve got left until they’re locked out.
Next up, you get to choose whether you want to be notified when someone is locked out. If you do, set the correct email address, and you’ll get a message when a user gets locked out for the third time.
And now we’re getting to the fun part. Scroll down to the Local App section, and pick how many times a user can attempt to log in and how long they need to wait if they get locked out. You’ll see that by default, there’s a 20-minute wait after each lockout, and after four lockouts in a row, the wait increases to 24 hours. Set it up however you like, but be careful not to push it too far if your employees get the password wrong often.
There’s also a setting called Trusted IP Origins, and we advise you not to change it for security reasons.
Once you’re done, click the Save Settings button, and you’re all set. Now brute force attacks won’t work on your site, and you’re much closer to that safe 30 percent of websites.
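To make the settings above concrete, here is a small model of the lockout policy described in this section (the five-try limit from the earlier example, a 20-minute wait, escalation to 24 hours after four lockouts, an email on the third lockout). It is an added example written for this post, not code from the Limit Login Attempts Reloaded plugin; the setting names, the sample address and the one-guess-per-second pace are assumptions made here, and the helper shows how many wrong guesses one address can get checked in a day under a given configuration.

```python
from dataclasses import dataclass

# Constructed sample client address (RFC 5737 documentation range), not a real visitor.
SAMPLE_IP = "203.0.113.7"

@dataclass
class LockoutPolicy:
    """Knobs mirroring the plugin's Local App settings (field names are ours)."""
    allowed_retries: int = 5        # wrong guesses before a lockout (post's example: five)
    lockout_minutes: int = 20       # wait after a lockout
    lockouts_before_long: int = 4   # after this many lockouts the wait escalates
    long_lockout_hours: int = 24    # escalated wait
    notify_on_lockout: int = 3      # email the site owner on this lockout

@dataclass
class ClientState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

class LoginLimiter:
    def __init__(self, policy: LockoutPolicy):
        self.policy, self.state, self.notifications = policy, {}, []

    def attempt(self, ip: str, now: float, ok: bool) -> str:
        """Return 'locked' (rejected unchecked), 'ok', 'wrong' or 'lockout'."""
        s = self.state.setdefault(ip, ClientState())
        if now < s.locked_until:
            return "locked"
        if ok:
            s.failures = 0
            return "ok"
        s.failures += 1
        if s.failures < self.policy.allowed_retries:
            return "wrong"
        s.failures, s.lockouts = 0, s.lockouts + 1
        if s.lockouts >= self.policy.lockouts_before_long:
            wait = self.policy.long_lockout_hours * 3600
        else:
            wait = self.policy.lockout_minutes * 60
        s.locked_until = now + wait
        if s.lockouts == self.policy.notify_on_lockout:
            self.notifications.append((ip, now))   # stands in for the email
        return "lockout"

def guesses_per_window(policy: LockoutPolicy, window_seconds: int) -> int:
    """Count wrong guesses one client can get evaluated inside the window."""
    lim, now, guesses = LoginLimiter(policy), 0.0, 0
    while now < window_seconds:
        if lim.attempt(SAMPLE_IP, now, ok=False) == "locked":
            now = lim.state[SAMPLE_IP].locked_until   # nothing is checked while locked
            continue
        guesses, now = guesses + 1, now + 1          # assume one guess per second
    return guesses
```

With the defaults modelled here, one address gets 20 guesses checked in 24 hours; turning off the escalation to 24 hours raises that to 360, which is why the escalating wait is worth keeping.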
Pro Security Tips
Limiting login attempts is an essential step on the way to a completely secure website, but there’s more you can do. Let’s go over a few more tips to improve your website security.
Your password is the gate to your site, and you want it to be strong. But what is a strong password? Right away, you want to forget about using your birthday, your pet’s name, or anything similar that seemed like a good idea. For it to be strong, it must consist of:
- A mix of upper and lower case letters
- Numbers
- Special characters
On top of that, change the default username from admin to something harder to guess. Be creative — it can be anything you want, just don’t leave it as is.
Next up, you’ll want to enable two-factor authentication. With it, even if an attacker manages to guess your password with the limited number of tries they have, they won’t be able to get in without the second confirmation step.
Finally, do a regular malware scan and update WordPress as soon as the update comes out. Uninstall the themes and plugins you don’t use, and you’ll have nothing to worry about.
If you limit login attempts in WordPress and follow all the security tips we gave you, your site will be as safe as it can be.