6 Methods To Stop Failed Login Attempts in WordPress


Have you noticed too many failed login attempts on your WordPress site, and are you concerned about login security? Maybe you have an activity log that shows somebody is logging in with unfamiliar credentials. Maybe it’s a username like admin, even though that’s not the username of your admin account. If you are getting too many emails about failed login attempts, in all likelihood, your site is under a brute-force attack.

Block brute-force bots from attacking your site by installing a powerful WordPress firewall. 

Multiple failed login attempts and their accompanying notifications may be an annoyance, but they do signal that your site is under attack. In this article, we’ll help you understand brute-force attacks and show you how to fight them. 

TL;DR: Failed login attempts on your WordPress site mean that a hacker is trying to get unauthorized access to your site. The best way to defend your site is to use MalCare, a security plugin that limits login attempts and offers firewall protection.

Why are you getting so many failed login attempts on WordPress?

Failed login attempts on WordPress could simply be genuine users who have forgotten their credentials and are trying different combinations to regain access to their accounts. 

However, when there are too many failed login attempts within a short timeframe, it often indicates a more ominous threat: brute-force attacks. Brute-force attacks are a type of cyberattack where hackers systematically attempt various combinations of usernames and passwords until they discover a valid login combination. 

These attackers are relentless and can leverage automated bots to execute thousands of login attempts in a short period. The primary objective is to gain unauthorized access to an account or system. They can then make changes to your site or change the user privileges to gain more access to data. 

⚠️ Multiple failed login attempts in WordPress are an indicator of an attack. Immediate action needs to be taken to protect your WordPress site.  

1. Limit login attempts

In the face of failed login attempts in WordPress, time is of the essence. The first line of defense is to limit login attempts and lock out hackers. With MalCare, you can limit your logins in minutes, with no technical know-how. 

  1. Create an account: Start by registering for a MalCare account using your email address and a chosen password.
  2. Add your website: After creating your account, enter your website’s URL in the popup.
  3. Provide admin credentials: Follow the prompts to input your website’s admin credentials as requested by MalCare.
  4. Sync your site: Complete the setup by syncing your website with MalCare. This action enables MalCare to activate the limit login feature automatically.

Another reason why we recommend using MalCare is because it allows you to monitor the login attempts (and more) to make sure that the preventive measures you’re taking are working. You can also identify changes made by hackers, if they have gained access to your site, like making new accounts or deleting security plugins. 

Other security plugins

Wordfence is a popular recommendation for limiting logins and was one of the best WordPress security plugins that we tested. However, we’ve noticed that Wordfence is notorious for locking genuine users out. It doesn’t take into account the nuances that separate a hacker from a user who’s forgotten their password. If there are repeated failed login attempts from a particular IP or user account, Wordfence swiftly blocks access to foil any brute-force attacks.

With Wordfence, you will have to whitelist the IPs that are used by team members. In contrast, MalCare solves that issue. If a genuine user is locked out with the limit login feature, they simply need to pass a CAPTCHA test to regain access to the login page. You don’t even have to whitelist IP addresses, even though it is a feature offered by MalCare.
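The two lockout behaviours contrasted above (hard block versus CAPTCHA challenge), sketched as an added example. This is not MalCare's or Wordfence's code; the class, the thresholds and the sample IP and username are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LoginLimiter:
    """Sliding-window failure counter keyed by IP and by username (hypothetical)."""

    def __init__(self, max_failures=5, window=300, mode="captcha", allowlist=()):
        assert mode in ("captcha", "block")
        self.max_failures, self.window, self.mode = max_failures, window, mode
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _count(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def check(self, ip, username, captcha_passed=False, now=None):
        """Call before verifying the password: 'allow', 'captcha' or 'deny'."""
        now = time.time() if now is None else now
        if ip in self.allowlist:
            return "allow"
        worst = max(self._count(("ip", ip), now),
                    self._count(("user", username), now))
        if worst < self.max_failures:
            return "allow"
        if self.mode == "block":
            return "deny"  # a genuine user is stuck until the window expires
        return "allow" if captcha_passed else "captcha"

    def record(self, ip, username, success, now=None):
        now = time.time() if now is None else now
        if success:
            # Clear only the account counter; IP failures age out on their own,
            # so one valid login cannot reset the budget of a guessing IP.
            self.failures.pop(("user", username), None)
        else:
            self.failures[("ip", ip)].append(now)
            self.failures[("user", username)].append(now)

def simulate(mode, allowlist=()):
    """Constructed scenario: five wrong passwords from one IP, then retries."""
    lim = LoginLimiter(mode=mode, allowlist=allowlist)
    ip, user = "192.0.2.10", "editor"
    for t in range(5):
        lim.record(ip, user, success=False, now=t)
    return (lim.check(ip, user, now=10),                       # straight retry
            lim.check(ip, user, captcha_passed=True, now=10),  # retry after CAPTCHA
            lim.check(ip, user, now=400))                      # after the 300 s window
```

In block mode the only ways back in are waiting out the window or being on the allowlist, which is why hard-blocking setups end up maintaining a list of team IPs.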

2. Install a firewall with bot protection

Installing a strong firewall with bot protection is a surefire way to stop failed login attempts in WordPress. We recommend MalCare, and if you already installed the plugin in the previous step, the firewall is installed automatically and will stop the brute-force bots that are trying to break into your site.

Additionally, the firewall can identify and blacklist IP addresses that repeatedly fail login attempts. This is an additional step toward preventing successful attacks.

3. Enforce good password policies

Password security is a crucial defense against brute force attacks that rely on guessing or cracking passwords to gain unauthorized access. Strong, secure passwords act as a robust barrier, making it extremely difficult for attackers to succeed. 

  • Strong passwords are complex and challenging to guess. They typically consist of a mix of uppercase and lowercase letters, numbers, and special characters, creating a vast number of possible combinations.
  • Secure passwords are unpredictable and do not follow easily discernible patterns or common words. This makes them resistant to dictionary attacks.
  • Longer passwords provide greater security because they increase the time and effort required for a brute-force attack to succeed.

4. Add two-factor authentication 

Two-factor authentication (2FA) is the next defense against too many failed login attempts in WordPress. So, even if an attacker manages to guess or crack a user’s password, they still can’t gain access to the account without the second authentication factor, which is typically something the user possesses, like a smartphone or hardware token. 

We’ve tested the top free WordPress 2FA plugins and WP-2FA is the best in our opinion. 

  1. Install an authenticator app: Start by installing an authenticator app like Google Authenticator on your phone. Sign in or create an account on the app.
  2. Install the WP-2FA plugin: In your WordPress dashboard, click Plugins in the sidebar and click Add New. Search for WP 2FA and install the plugin. Once installed, activate it and follow the setup wizard. Choose your preferred 2FA method and backup codes, select users who need 2FA, and configure it.
  3. Validate your phone: Scan the QR code displayed using your authenticator app. Then, click I’m Ready. Check your app for a code and enter it on your WordPress dashboard. That’s it—you’re all set!

5. Disable XML-RPC

XML-RPC allows communication between different systems over the internet and is often used for remote blogging. However, XML-RPC has been a common target for brute-force attacks. Malicious actors might attempt to gain unauthorized access by repeatedly trying different username and password combinations through XML-RPC requests.

Disabling XML-RPC can be another great way to stop these attacks. The easiest way to do so is to use the Disable XML-RPC plugin.

Here’s how you use the plugin: 

  1. Click on the Plugins option on your WordPress admin dashboard and then click on Add New.
  2. Search for Disable XML RPC by Philip Erb using the search box on the top right.
  3. Install it and then activate it to enable the plugin on your site.

Our recommendation is to use MalCare to monitor your site. It offers two types of logs: 

  1. Firewall logs: These are records of incoming and outgoing network traffic that can be immensely valuable for security monitoring. They provide detailed reports to help you assess potential threats and take action. These logs also enable blacklisting or whitelisting specific IP addresses as needed, allowing you to control access and respond to security incidents more effectively.
  2. Activity log: It is like a detailed diary for your website, recording every action and event. It serves as a watchful guardian, monitoring for suspicious user activity, tracking changes, aiding in troubleshooting, ensuring compliance, and even holding users accountable.
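The brute-force pattern described earlier and the XML-RPC vector from this section can both be spotted in the web server's own access log. The following is an added example, not code from MalCare or any plugin named here: it assumes Apache/Nginx "combined" log format, chronologically ordered lines and stock WordPress status codes, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, path, status):
    """Return 'login_fail', 'xmlrpc' or None for a single request."""
    path = path.split("?", 1)[0]
    if method != "POST":
        return None
    # Assumption: stock WordPress re-renders the login form with 200 on a
    # wrong password and answers 302 (redirect) on success.
    if path.endswith("/wp-login.php") and status == 200:
        return "login_fail"
    # XML-RPC answers 200 even for bad credentials, so every POST is counted.
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc"
    return None

def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each IP that reaches `threshold` events inside `window` to its stats."""
    recent = defaultdict(deque)  # ip -> (timestamp, kind) still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        kind = classify(m["method"], m["path"], int(m["status"])) if m else None
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, kind))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(m["ip"], {"kinds": set(), "peak": 0})
            entry["kinds"].update(k for _, k in q)
            entry["peak"] = max(entry["peak"], len(q))
    return flagged

def _line(ip, sec, method, path, status):
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic (documentation IP ranges, not real log data).
SAMPLE = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 12, 2)]
    + [_line("198.51.100.9", s, "POST", "/xmlrpc.php", 200) for s in range(20, 25)]
    + [_line("192.0.2.44", 30, "POST", "/wp-login.php", 200),  # one typo
       _line("192.0.2.44", 40, "POST", "/wp-login.php", 302),  # then success
       _line("192.0.2.44", 41, "GET", "/wp-admin/", 200)])
```

Calling `find_bursts(SAMPLE)` flags the first two addresses and leaves the user who mistyped once alone; security plugins that change the failed-login status code would need a different rule in `classify`.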

6. Use reCAPTCHA

Introducing obstacles that bots can’t overcome is a great way to stop brute-force bots. One such widely used solution is reCAPTCHA. It challenges users to confirm their human identity through tasks such as puzzle-solving to ensure the login attempts are valid.

Several themes or form plugins like WPForms are compatible with Google reCAPTCHA. But, if you’d like to try it, here is how you do it: 

  1. Create a Google reCAPTCHA account: Begin by creating a Google reCAPTCHA account and provide your site details, including the reCAPTCHA type and domain.
  2. Install a form plugin like WPForms: On your wp-admin panel, look for Contact Forms by WPForms in the search bar. Then, click on Install and Activate.
  3. Add the secret key and site key: WPForms has a detailed tutorial on how to find the secret keys and site key. They’re essentially a string of letters or numbers that allow Google to track your traffic and understand it. It’s also a way for WPForms to integrate reCAPTCHA on your site. 
  4. Add it to a new login form: Once you’re done, create a new form using WPForms. Click WPForms in the sidebar and click Add New. You can then customize an existing template or design one from scratch. 
  5. Add reCAPTCHA to the form: In the widget library on the left, you will also find CAPTCHA. You can add it to the new form. 
  6. Replace the default URL with this new one: As we mentioned earlier, we don’t recommend creating a new login form. But, now that you have, hide the existing one and change the default URL. 

Another consideration when implementing reCAPTCHA on your login page is the existence of lesser-known automated tools that can easily bypass it. Moreover, this additional step in the login process may not provide the optimal experience for your users.

What are the effects of multiple failed login attempts?

Failed login attempts can lead to significant consequences for your website’s security. If your site gets hacked due to a brute-force attack, it becomes vulnerable to various threats. Sensitive customer data can be stolen or website content can be destroyed. Additionally, cleaning a hacked site can be a hassle with a lot of lost resources.

On the other hand, even if your site doesn’t get hacked, numerous alerts in your email or activity log resulting from these failed login attempts can be frustrating and scary. The relentless login attempts can also strain server resources, leading to slower website performance. This in turn may ruin user experience.

ERROR: too many failed login attempts. Please try again. How to fix it?

We’ve talked about how to stop too many failed login attempts in WordPress. But, what do you do if a genuine user gets flagged by a security plugin and is locked out? This isn’t a problem with MalCare because all you need to do is pass a reCAPTCHA test to log back in. But, a lot of website owners have complained about security plugins like Wordfence blocking users. Wordfence, for example, has block screen instructions that you can follow. But, if all else fails, you will need to deactivate the plugin via FTP using the following steps:

  • Connect to your website: Click on “Open Connection” or the equivalent option in Cyberduck. Fill in the FTP server details, including the username, password, and public IP. These credentials can be found on your hosting site. Then, click on Connect.
  • Navigate to the plugins directory: Upon connecting, you’ll see your website’s files and folders. Locate the wp-content folder, which is likely to be in the public_html folder or your root folder. Then, open it, and find the plugins folder.
  • Deactivate the plugin: Inside the plugins folder, you’ll see a list of installed plugins. Find the folder for the plugin you want to deactivate. Right-click on the plugin folder, and from the context menu, choose Rename. You can simply add “-disabled” to the folder name, effectively deactivating the plugin.
  • Check your website: Once you’ve renamed the plugin folder, the plugin will be deactivated. To confirm, visit your WordPress website, and the plugin’s functionality should no longer be active.
  • Change your password: You should now be able to change your password on the dashboard. Go to the Users tab in the sidebar. Click Profile and set a new password at the bottom of the page.

Revert changes (if necessary): If you decide to reactivate the plugin later, you can return to Cyberduck and remove “-disabled” from the plugin folder’s name to enable it again.

Final thoughts

When faced with too many failed login attempts in WordPress, there is a pressing need to defend your site from brute-force attacks. MalCare emerges as the ultimate solution to do so. With seamless integration, you can limit failed login attempts, install a robust firewall with bot protection, and monitor your site with comprehensive activity and firewall logs. That covers all your bases. Moreover, you can install MalCare in just a few minutes, making it the best solution for failed login attempts. 


Why am I getting failed login attempts in WordPress?

Failed login attempts can occur for various reasons. They might be the result of genuine users forgetting their credentials, but they can also signal potential security threats such as brute-force attacks, where malicious actors repeatedly try to guess the username and password combinations to gain unauthorized access to your WordPress site.

Does WordPress limit login attempts?

WordPress does not limit login attempts by default. We recommend you use MalCare because it instantly limits logins and . All you need to do is install it. 

How do I stop WordPress login attempts? 

To effectively prevent and manage WordPress login attempts, consider using a security plugin like MalCare. It offers features such as login attempt limiting, firewall with bot protection and logging, and activity logging, all of which can help safeguard your website from unauthorized access attempts.

What causes failed login attempts?

Failed login attempts are caused by various factors, including users entering incorrect credentials, genuine users forgetting their passwords, or malicious actors attempting to gain unauthorized access through brute force attacks. However, if you’re seeing more than a few failed login attempts within a short timeframe, you might be facing a brute-force attack. 

What is considered a failed login attempt in WordPress?

In WordPress, a login attempt is considered to be failed when a user provides incorrect credentials (username and/or password) while attempting to access the admin or login page of a website. It is also registered every time a brute-force attack bot guesses the wrong credentials.

Why should I be concerned about failed login attempts on my WordPress site?

Excessive failed login attempts can be indicative of security threats like brute-force attacks. These attacks can potentially lead to unauthorized access, data breaches, and the compromise of sensitive information. Monitoring and addressing failed login attempts is crucial for maintaining your website’s security.

How can I view the logs of failed login attempts on my WordPress site?

You can view the logs of failed login attempts on your WordPress site by using security plugins like MalCare, which provide detailed activity logs. 

What security measures can I implement to secure my WordPress site against failed login attempts? 

Use MalCare to secure your WordPress site against failed login attempts. It provides features such as login limiting, firewall protection, and activity logging, that can significantly enhance your website’s security.

How can I protect my WordPress site from brute-force attacks? 

Install security plugins like MalCare to effectively protect your WordPress site from brute-force attacks. Such plugins offer login attempt limiting, firewall protection, and other security features that can effectively thwart brute-force attempts.

When should I consider seeking professional help for my WordPress site’s security?

If you are seeing a lot of failed login attempts or if you suspect a breach, install MalCare to fortify your site and clear out malware. You can also seek professional assistance from cybersecurity experts if the malware is too complex or the security breach is complicated.


