Everything brought online runs the risk of being hacked. WordPress is not an exception as greater popularity of this platform as compared to others causes WordPress to become a common target for hackers. Don’t wait until your website is hacked that you start to care about security methods. It’s high time to limit login attempts on your site.
In this article, I will show you why and how to limit login attempts to protect your site against brute force attacks.
Why need to limit login attempts?
By default, WordPress does not limit the number of username and password retries. A person can type as many times as he wishes. This setting creates a good condition for brute force attack. The working principle of this hacking method is simple: It will continuously try many different combinations of usernames and passwords to gain unauthorized access to your website until one of them works.
As a result, though changing the “admin” username and generating a strong password are essential, it’s not enough. To effectively slow down, or even stop brute force attack to do the mess with your site, it is recommended that you set the limitation on the number of login attempts from a given IP address. Moreover, this method can also help you identify IP addresses that need to be banned forever from your website.
The way it works is relevant in the name. You will set the maximum number of incorrect username and password inputs from an IP range. If exceeding this limitation, that IP is locked out of your site within a predefined period of time which is based on your settings.
How to set login limitation on site?
Don’t worry. You won’t have to solve it on your own. Login LockDown plugin can handle the job for you.
This plugin keeps the record of the IP address and timestamp of every failed login attempt.
- With Login LockDown, you will set the number of times failed attempts on login page can be made from a given IP range.
- If exceeding the limit, user has to wait for a time period before being able to try again.
- Moreover, if this plugin detects more than a specified number of attempts made within a short period of time from the same IP address, it will disable login function for that IP.
- You can even stop brute force attack quicker by not allowing it to try invalid usernames. Click Yes under Lockout Invalid Usernames.
- The last feature is Mask Login Errors. WordPress makes it the default to notify users whether username or password is incorrect. You can disable this by choosing Yes. In case the username is successfully guessed, brute force attack won’t be able to know that, which means your site is one step safer from the attack.
While you may not be aware, website attack is just around the corner. If the website contains a huge amount of important data, then it’s high time you put WordPress security at top priority. Make it as hard as possible for hackers to gain unauthorized access to your admin panel.
I hope you found this tip helpful and have successfully installed the plugin to your website. No single method can 100% protect your site from hackers. But every small measure you take today does count in the future!
This article is a part of the series introducing Basic security tips for WordPress websites.
- Change WordPress admin username
- Secure site with strong password ideas
- Limit login attempts
- Choose a quality host following web hosting security concerns
- Use the latest version of WordPress
- Use WordPress backup plugins
My Dang,
Editor of EngineThemes
Featured image designed by Freepik.
Hi Team,
Nice advice but this plugin is Last Updated: 2 years ago
Regards,
Momo
It’s a shame that it hasn’t been updated for a long time. Thank you for the notice Momo.
Wordfence Security is the FREE plugin you want. Great WP security and frequently updated:
https://wordpress.org/plugins/wordfence/
Hope this helps…
Thanks for the suggestion. Wordfence is a great security plugin to go with.
Yeah… Wordfence Live traffic can be.a little scary to a newbie. Lots of attempts to login using “admin.” There is an option to lockout an Ip if someone attempts to login as “admin.” I think this is well worth it as this is likely to be the first attempt.