Limit Login Attempts on Your WordPress Site

Limit Login Attempts

A password like “password1” sits near the top of every common password list, so a bot working through such a list will guess it within a handful of attempts, and even a longer guessing run costs the attacker nothing but time: an automated tool can submit login attempts to wp-login.php far faster than any person could. One of the best ways to combat this is to simply lock out anyone who has guessed the password incorrectly too many times. You can limit login attempts on your site with simple plugins.

Plugins

You can implement this feature through plugins like Login LockDown or WP Limit Login Attempts.

With either plugin you set how many incorrect guesses are allowed from one address before it is locked out, and how long that lockout lasts.

Limit Login Attempts Tips

Don’t lock yourself out.

Allow enough tries that legitimate users, yourself included, don’t get locked out over a mistyped password. Three to five allowed attempts before lockout is a sensible range: fewer than three punishes ordinary typos, and more than five hands a guessing bot that many more free tries per lockout.

What to do if you lock yourself out.

If you’ve been locked out of your own website, connect to your site’s files over FTP or SFTP, open the wp-content/plugins folder and find the plugin’s folder. Rename it by appending a word such as “disabled” to the end of its name. WordPress treats a plugin whose folder it can no longer find as deactivated, so you can log back in; afterwards rename the folder back and adjust the plugin’s settings so it doesn’t happen again.

Set the lockout period for days, not hours.

When someone is trying to get into your WordPress admin, or you’re under a brute-force attack, a lockout of a couple of hours barely slows the attacker, who simply resumes guessing once it expires. Set the lockout period to a couple of days instead (three to seven days).

You needn’t worry about locking out other people who legitimately use your WordPress admin, such as your employees: if they lock themselves out, you can unblock their IP address or IP range from the plugin’s blocked list through its settings and restore their access.

These plugins might not work if…

If your site sits behind a reverse proxy, load balancer, CDN or similar firewall at your host, every request may reach WordPress from the same source address: the proxy’s, not the visitor’s. A plugin that keys its lockouts on that address will then count one bot’s failures against everybody, and there is a good chance you’ll find yourself unable to access your WordPress admin shortly after you install it. In that setup, either don’t use an IP-based login limiter, or confirm that the plugin can read the real client address from the header your proxy sets (and that it trusts that header only when the request really came from your proxy, since visitors can send the same header themselves).
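As an added example, not code from the original article or from either plugin named above, the following must-use plugin implements the behaviour described in the Plugins section and the tips that follow using WordPress’s own hooks: it counts failed logins per client address, locks the address out for days once the limit is reached, keeps an allow-list of addresses that must never be locked out (the “restore access” case for your employees), and handles the proxy case just described by reading X-Forwarded-For only when the request really came from a proxy you have listed. The constants ELL_MAX_ATTEMPTS, ELL_ATTEMPT_WINDOW, ELL_LOCKOUT, ELL_TRUSTED_PROXIES and ELL_ALLOWLIST, the `ell_` helper names and the transient key layout are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Example Login Limiter
 * Description: Added example of a per-address login lockout; not code from
 *              Login LockDown or WP Limit Login Attempts. Save it as
 *              wp-content/mu-plugins/example-login-limiter.php to enable it;
 *              rename or delete that file over FTP to disable it.
 */

// Tunables (assumed values, in line with the tips: 3-5 tries, days-long lockout).
const ELL_MAX_ATTEMPTS   = 5;
const ELL_ATTEMPT_WINDOW = 12 * HOUR_IN_SECONDS; // failures older than this are forgotten
const ELL_LOCKOUT        = 3 * DAY_IN_SECONDS;   // lockout length once the limit is hit

// Assumed: source addresses of your own reverse proxy / load balancer, if any.
// Leave empty when WordPress is reached directly and REMOTE_ADDR is the real visitor.
const ELL_TRUSTED_PROXIES = []; // e.g. ['10.0.0.5']
// Assumed: addresses that must never be locked out (your office, your staff).
const ELL_ALLOWLIST       = []; // e.g. ['203.0.113.10']

/**
 * The address a lockout is keyed on.
 *
 * Behind a proxy every request arrives with REMOTE_ADDR = the proxy, so keying on
 * it would let one bot's failures lock out every visitor, you included. Only when
 * the request really comes from a proxy we trust do we read X-Forwarded-For, and
 * then we take its LAST entry: that is the one our proxy appended, whereas earlier
 * entries can be anything the client chose to send.
 */
function ell_client_ip(): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (in_array($remote, ELL_TRUSTED_PROXIES, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP)) {
            return $last;
        }
    }
    return $remote;
}

/** Transient keys for the failure counter and the lockout marker of one address. */
function ell_keys(string $ip): array {
    $h = md5($ip);
    return ["ell_fail_$h", "ell_lock_$h"];
}

// Count failed logins per address; lock the address out once the limit is reached.
add_action('wp_login_failed', function ($username) {
    $ip = ell_client_ip();
    if (in_array($ip, ELL_ALLOWLIST, true)) {
        return;
    }
    [$fail_key, $lock_key] = ell_keys($ip);
    if (get_transient($lock_key) !== false) {
        return; // already locked out: keep the lockout, don't extend or restart it
    }
    $fails = (int) get_transient($fail_key) + 1;
    if ($fails >= ELL_MAX_ATTEMPTS) {
        set_transient($lock_key, time() + ELL_LOCKOUT, ELL_LOCKOUT);
        delete_transient($fail_key);
        error_log(sprintf('login limiter: %s locked out for %d s after %d failures (last user tried: %s)',
            $ip, ELL_LOCKOUT, $fails, $username));
        return;
    }
    set_transient($fail_key, $fails, ELL_ATTEMPT_WINDOW);
});

// Refuse to even check credentials from a locked-out address. Priority 30 runs after
// WordPress's own username/password check (priority 20), so this overrides its result,
// which means a correct password is rejected too until the lockout expires.
add_filter('authenticate', function ($user, $username, $password) {
    $ip = ell_client_ip();
    if (in_array($ip, ELL_ALLOWLIST, true)) {
        return $user;
    }
    [, $lock_key] = ell_keys($ip);
    $until = get_transient($lock_key);
    if ($until === false) {
        return $user;
    }
    return new WP_Error(
        'ell_locked_out',
        sprintf('Too many failed logins from your address. Try again in about %s.',
            human_time_diff(time(), (int) $until))
    );
}, 30, 3);

// Unlocking one address by hand (the "restore access" step from the tips), e.g. with WP-CLI:
//   wp transient delete ell_lock_<md5 of the address>
```

Because the lockout is keyed on the address the guesses come from, a member whose account is being attacked from elsewhere is not locked out themselves; conversely, an office whose staff all share one NAT address behaves like the proxy case, so put that address on the allow-list rather than relying on the attempt limit alone.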

Compatibility with Membership Sites

One very important thing to note is that if you’re running a membership site on your WordPress installation, this feature affects your members too. If you set the lockout time to something extreme, such as an entire week, any member who has forgotten their password and guessed wrong too often won’t be able to try again for that whole period.

That can be a real problem for your site, so consider your users when choosing your settings and have a process in place for restoring a locked-out user’s access within a reasonable time.

On the other hand, this shouldn’t deter you from using this feature because it could also be beneficial for your members. Your members’ accounts may also come under attack for a variety of reasons and you’ll want to limit login attempts in any such situation.
