WordPress suffers more attacks than all major CMS combined. Thus, neglecting WordPress security in 2024 is simply not an option.
Securing your WordPress starts with securing your login page. Cyberattacks like brute force can easily be performed on your WordPress login page.
In this article, we will learn how to protect your website's login page by limiting login attempts in WordPress, which can easily prevent one of the most common types of cyberattacks: brute force.
But before that, let’s briefly examine brute-force attacks and how securing your login page can help you prevent them.
Brute Force Attacks: What Are They?
80% of breaches caused by hacking involve brute force or lost/stolen credentials.
Brute force attacks are more common than you think. Considering the fact that WordPress gets over 90,000 cyberattacks every minute, your website may be the next victim.
A brute force attack occurs when hackers use trial and error to crack passwords, login credentials, or encryption keys. These kinds of attacks usually impact users who use weak and easy-to-guess passwords.
For instance, passwords like password123, 123456, qwerty, etc., are super easy to guess. Thus, they can easily be cracked using different password combinations.
Brute force attacks may also use credentials stolen from previous data breaches. In that case, a hacker can easily access any account where the same credentials have been reused.
How Can Limiting Login Attempts Help?
As we discussed, brute-force attacks use multiple combinations of passwords to crack the correct one. However, if you are not using a super-easy password, that requires hundreds of thousands of attempts.
By limiting login attempts, you restrict how many passwords a single IP can try. For instance, you can limit an IP to three incorrect login attempts; the IP will be temporarily blocked afterward.
Hence, limiting login attempts can help prevent bot logins and brute-force attacks.
How to Limit Login Attempts in WordPress: 3 Steps
Now that you understand the essence of limiting login attempts, let’s configure the WordPress limit login attempts feature together using a complete login page security plugin called “All in One Login.”
It is a freemium, lightweight plugin that offers multiple options for login page security.
Step #1: Install and Activate the All-In-One Login Plugin
First and foremost, let’s install the plugin.
Go to your WordPress dashboard and navigate to Plugins.

Now select Add New Plugin from the top.

Using the plugin search bar, type AIO Login, short for All-in-One Login.

Install the plugin using the ‘Install Now’ button.

The plugin is now installed on your WordPress. Press the Activate button, which replaces the Install Now button after installation.

Alternatively, you can activate the plugin from the Plugins tab.

Step #2: Configure the Limit Login Attempt for WordPress
Now that the plugin is installed and activated, it is time to enable and set up WordPress limit login attempts.
Go to the plugin settings from the left-hand side navigation bar.

You will be prompted with a pop-up like this.

Press “Allow & Continue” to help the plugin understand your site better in order to perform better.
⚠️ This will also allow the plugin to send you email notifications for security and feature updates, educational updates, and occasionally amazing offers you can’t miss!
After allowing it, you will be able to go inside the plugin’s settings.
Now, navigate to the “Login Protection” tab.

Switch to the Limit Login Attempts sub-tab.

First of all, switch on the enable button.
Now, go to the second input box and change the Maximum Attempts to the number of attempts you want the user to have before being temporarily locked out. We suggest keeping it 3-5. If left blank, the value will be set to 5.

Now, fill out the timeout box. This is the amount of time, in minutes, that you want the user to be locked out after a set of incorrect attempts.

The third option on the list is the Lockout Message.

This is simply the message or a notice that the temporarily blocked user will see on the screen after a set of incorrect attempts.
Step #3: Save Changes
Considering the above scenario, if the maximum attempts are set to three and the timeout is five minutes, the user will be locked out for five minutes after three unsuccessful login attempts. They will be shown the message “You have been blocked due to too many unsuccessful login attempts. Please try again in—remaining time—minutes.”
Double-check the settings, and if the settings are exactly how you want, go and save changes using the Save Changes button.
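To make the scenario above concrete, here is a small Python model of a per-IP lockout with three maximum attempts and a five-minute timeout. It is an added example, not AIO Login's code: the class, function and field names are hypothetical, the IP address is a constructed documentation address, and clearing the counter on a successful login or an expired lockout is an assumption.

```python
import math
from dataclasses import dataclass, field

# Wording taken from the lockout message quoted in the article.
LOCKOUT_MESSAGE = ("You have been blocked due to too many unsuccessful login "
                   "attempts. Please try again in {remaining} minutes.")


@dataclass
class LoginLimiter:
    """Per-IP lockout model; names are hypothetical, not the plugin's."""
    max_attempts: int = 5      # the article says a blank field falls back to 5
    timeout_minutes: int = 5
    failures: dict = field(default_factory=dict)      # ip -> failed attempts
    locked_until: dict = field(default_factory=dict)  # ip -> unlock time (s)

    def attempt(self, ip, password_ok, now):
        """Handle one login at time `now` (seconds). Returns (status, message)."""
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                # Still locked: reject before the password is even checked.
                remaining = math.ceil((until - now) / 60)
                return "blocked", LOCKOUT_MESSAGE.format(remaining=remaining)
            # Lockout expired: start again with a clean counter (assumption).
            del self.locked_until[ip]
            self.failures.pop(ip, None)
        if password_ok:
            self.failures.pop(ip, None)  # assumption: success clears the count
            return "ok", ""
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = now + self.timeout_minutes * 60
            return "locked", LOCKOUT_MESSAGE.format(remaining=self.timeout_minutes)
        return "failed", ""


def checked_guesses(limiter, ip, seconds):
    """Wrong password once per second from one IP: how many guesses are
    actually compared against the password within `seconds` seconds?"""
    statuses = (limiter.attempt(ip, False, t)[0] for t in range(seconds))
    return sum(status != "blocked" for status in statuses)


if __name__ == "__main__":
    day = 24 * 60 * 60
    limited = checked_guesses(LoginLimiter(max_attempts=3, timeout_minutes=5),
                              "203.0.113.7", day)  # constructed test address
    print(f"password checks per IP per day: {limited} (unlimited: {day})")
```

At one guess per second from a single IP, this policy lets 861 guesses reach the password check in 24 hours instead of 86,400, and even a correct password is rejected while the lockout is active.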

⚠️ If you lock yourself out, you can turn off limit login attempts in WordPress by accessing the backend of your website through the Admin panel. Alternatively, disable limit login attempts by deleting the plugin using FTP or the cPanel File Manager. You can reinstall the plugin once you regain access to your WordPress.
Congratulations! You just configured the WordPress Limit Login Attempts feature. Your site is now secured from brute-force attacks.
But wait! There’s more!
Cybersecurity is no joke. Thus, you should also employ all other necessary changes to protect your WordPress the best way you can. Thankfully, we have other security features in the complete security plugin as well.
Other Useful AIO Login Features For Login Page Security
Here’s what else you should do to protect your WordPress in the best way possible. For detailed instructions about the plugin and its features, check out this guide.
Two-Factor Authentication
You can enhance your website protection by adding another layer of security before your login screen. Two-factor authentication (2FA) enables another authentication factor to validate the login attempt, usually through the admin’s mobile phone or Gmail.
2FA also protects you in case your password is stolen or hacked.
You can enable this using the 2FA options tab in the Security tab. Enabling the button makes a QR code pop up, which you scan using your phone. The code will lead you to an OTP. Add the one-time password to the input box, and there you go!
Remember, 2FA is not an alternative to limit login attempts. It’s best to use both for enhanced protection.
Change Login URL
The default WordPress login URL is an easy target. Anyone can reach it by appending wp-login.php or wp-admin to your domain, for example www.yourdomain.com/wp-login.php. As we discussed, brute-force attacks can be effortlessly performed on a login page. Hence, changing your default login URL can tremendously help make it more secure.
You can do that from the Login Protection Tab >> Change Login URL
Enable the button and enter your new Login URL in the input box.

Don’t forget to Save Changes. Now you have a confidential login URL that no one can access except you!
Final Remarks on WordPress Limit Login Attempts
Your WordPress login page is the gateway for hackers trying to break into your website using brute-force attacks. Therefore, securing your login page with the WordPress limit login attempts feature using the All-in-One Login plugin is essential.
Remember, 5% of all data breaches happen because of brute force attacks. Fortunately, protecting your WordPress from brute-force attacks is extremely simple.
Adding multiple layers of security to your WordPress login page should be enough to prevent login page vulnerabilities.
Moreover, educate your fellow administrators or editors on your WordPress to use best practices to secure your Admin URL from brute force and other common cyberattacks.
Frequently Asked Questions
Should I limit login attempts for WordPress?
You should limit login attempts to protect your WordPress from brute-force login attempts.
How do I limit login attempts in WordPress?
You can quickly implement limit login attempts using a plugin such as AIO Login. Go to Login Protection >> Limit Login Attempts and enable the feature using the button. Make the necessary changes before saving changes.
What is the best limit login attempts WordPress plugin?
AIO Login, or All-in-One Login, is the best plugin, with over 90,000 active installs and 4.5 stars on the WordPress plugin directory. The plugin allows login attempts to be limited and has several other super helpful features to protect your login page from cyberattacks.
Is WordPress safe from brute-force login attempts?
No! By default, WordPress does not provide security features to prevent brute-force attacks. Therefore, a plugin like AIO Login, which provides all the necessary features to protect your WordPress from brute-force attacks, is essential.
Is it possible to block specific IP addresses from attempting to log in?
Yes! You can use AIO Login’s Temporary Access feature to manually block or allow specific IPs that you want.
