WordPress Limit Login Attempts: How to do it?


7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

Are you concerned that hackers are attempting to log into your WordPress site? You’re right to be.

Hackers are using trial and error methods to guess login credentials and break into WordPress sites. In fact, on a WordPress site, the WordPress login page is the most attacked page.

Once a hacker breaks into your admin dashboard area, they can take full control of your site. They will install malware, backdoor, deface your site, advertise and sell illegal products, steal your user’s personal information, spam your site visitors and execute other malicious activities.

Luckily, you can protect your login page by limiting the number of login attempts a user is granted to enter the correct credentials. In this guide, we’ll show you how to setup limit login attempts on a WordPress site.

TL;DR: By limiting login attempts on your WordPress site, you can prevent hackers from trying to break into your website. The easiest and most efficient way to enable this feature on your site is by using a plugin. Install MalCare on your site. It comes with firewall and login protection. This secures your site against brute force attacks.

What Is WordPress Limit Login Attempts?

By default, WordPress grants unlimited attempts to login into your site. You can try as many combinations of usernames and passwords as you like. 

wordpress login page

Hackers are aware of this and exploit this setting. First, they compile a database of commonly used usernames and passwords, along with stolen data or bought data. Next, they program bots to visit WordPress sites and try thousands of combinations of usernames and passwords in under a few minutes. 

In doing so, hackers are able to break into many WordPress sites. This is called a Brute Force Attack as they ram your website with thousands of login requests in a few minutes. 

Using this hacking method, hackers have a good success rate (approximately 10%) owing largely to the fact that WordPress users tend to set weak login credentials. While 10% seems like a low number, given the fact that there are millions of WordPress sites, they can hack into thousands of sites in no time. 

By limiting the number of login attempts, you can stop hackers and their bots in their tracks. 

A user will be granted a limited number of times to enter the correct login credentials. For instance, you can grant three attempts. If the user fails to enter the correct credentials all three times, they will be locked out of their account. 

They will be presented with options to recover their login credentials such as:

  1. Contact the administrator.
  2. Use the ‘forgot password’ option to reset the password by answering a set of questions.
  3. Prove their identity through OTP verification or email verification.
  4. Solve a captcha to prove they are human and not a bot.

Once a bot attempts to login three times, they will be faced with these obstacles. They won’t be able to proceed further and will move on to the next target.

Therefore, this security measure can protect your site from hackers and prevent a world of trouble. Next, we’ll show you how to setup limit login attempts on WordPress

How To Limit Login Attempts On Your WordPress Site?

There are two ways to limit login attempts on your WordPress site:

  1. Using a plugin (easy)
  2. Manually (hard) 

We’ll show you how to use a plugin first because it’s simple, quick and free from the risk of errors. 

1. Limit Login Attempts Using A Plugin 

There are several plugins that enable limited logins on your WordPress site. So how do you choose the right one?

Look for a plugin that’s easy to set up and that will automate the process for you. Also, ensure your plugin provides a report on the attempts it has blocked so that you can see if the plugin is actually working.

We’ve selected the MalCare Security Plugin to illustrate how to limit login attempts on your site. It meets the requirements we listed above. It also goes beyond just limiting login attempts and keeps your website protected at all times. 

With MalCare, your website will have CAPTCHA-based limit login attempts. This means if a user enters the wrong credentials more than ten times, they will be required to solve a CAPTCHA. 

Upon solving the CAPTCHA, the user can attempt to login again. Or they can use the Forgot Password? option to retrieve their credentials.

Let’s begin:

Step 1: Install MalCare on your site. Activate the plugin and access it from your WordPress dashboard. 

Step 2: Enter your email address and select Secure Site Now.

malcare scan

Step 3: MalCare will redirect you to its independent dashboard where it will automatically run a scan on your website. 

Step 4: Limited login attempts are automatically enabled on your site. Now, you must be wondering how do I use WordPress limit login attempts?

If you try logging in with the wrong credentials, you will be blocked from trying again.

Login Protection From BV

When you select Click here, you’ll be presented with a CAPTCHA like so:

Captcha on BV.png

Upon solving the CAPTCHA, you can log into your site again. In case you are unable to remember your credentials, you can use the Lost your password? option.

Lost Password on WordPress

That’s it. You’ve successfully limited login attempts on your website. Apart from this, MalCare also erects a robust firewall to stop any bad bots or malicious traffic from accessing your site. It provides you with a report of all login attempts. You can access this on the dashboard:

Active Firewall on MalCare

You can see failed attempts and successful login attempts. You can also see the ones that MalCare has identified as suspicious and blocked automatically.

malcare blocked login details.

Now, if a WordPress plugin isn’t the method for you, we’ve detailed how you can implement WordPress limit login attempts without a plugin. But this method is complex and prone to errors, so proceed with caution.

2. Limit Login Attempts Manually

You can add limited login protection to your site by manually inserting a snippet of code into a WordPress file on your site. However, we must caution you that every time you make a manual change to a WordPress file, you risk breaking your website. The smallest of errors lead to big problems. 

If you wish to proceed with this method, we strongly recommend taking a complete backup of your website. In case anything goes wrong, you can quickly restore your backup copy and get your site back to normal. You can take a backup easily by installing theBlogVault backup plugin on your site, or choose from one of the best backup plugins.

Once you have a backup copy in place, follow the steps below:

Step 1: Login to your hosting account, and access your cPanel. Here, select File Manager.

Step 2: Open the public_html folder (or the folder in which your website resides). Go to wp-content > Themes. 

Step 3: Select your active theme folder. Inside, locate the functions.php file. To illustrate, our active theme’s name is Personal Blogily, so we selected this folder.

theme functions file

Step 4: Right-click and select Edit. The file will open and you can make changes here. Insert the following code to the file:

function check_attempted_login( $user, $username, $password ) {

    if ( get_transient( ‘attempted_login’ ) ) {

        $datas = get_transient( ‘attempted_login’ );

        if ( $datas[‘tried’] >= 3 ) {

            $until = get_option( ‘_transient_timeout_’ . ‘attempted_login’ );

            $time = time_to_go( $until );

            return new WP_Error( ‘too_many_tried’,  sprintf( __( ‘<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.’ ) , $time ) );



    return $user;


add_filter( ‘authenticate’, ‘check_attempted_login’, 30, 3 ); 

function login_failed( $username ) {

    if ( get_transient( ‘attempted_login’ ) ) {

        $datas = get_transient( ‘attempted_login’ );


        if ( $datas[‘tried’] <= 3 )

            set_transient( ‘attempted_login’, $datas , 300 );

    } else {

        $datas = array(

            ‘tried’     => 1


        set_transient( ‘attempted_login’, $datas , 300 );



add_action( ‘wp_login_failed’, ‘login_failed’, 10, 1 ); 

function time_to_go($timestamp)


    // converting the mysql timestamp to php time

    $periods = array(









    $lengths = array(








    $current_timestamp = time();

    $difference = abs($current_timestamp – $timestamp);

    for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) – 1; $i ++) {

        $difference /= $lengths[$i];


    $difference = round($difference);

    if (isset($difference)) {

        if ($difference != 1)

            $periods[$i] .= “s”;            $output = “$difference $periods[$i]”;

This code will limit the login attempts to three times.

Step 5: Save the file and exit.

Once this code is embedded on your website, users have three attempts to enter the correct login credentials. If they fail to do so, they will be blocked from accessing their account for a temporary period of time. 

Reached the limit on WordPress Login

The only reason you should opt for this method is if you want to minimize the use of plugins on your site and enable the feature on your own. Other than that, it is much safer and easier to use a plugin to handle this task for you. 

That’s it! You’ve successfully limited the login attempts on your site and have thus prevented hackers and bots from accessing your site! 

Also Read: How to fix WordPress Login Not Secure issues

Should You Limit Login Attempts On Your WordPress Site?

There’s always an upside and a downside to anything you implement on your WordPress site. So before you go ahead with enabling Limit Login Attempts on your site, we’ll take you through the advantages and disadvantages. This will help you determine if this feature is right for your website.

Pros of Limit Login Attempts

  • Prevent Unauthorized Access 

By limiting login attempts on your site, you can prevent hackers and bad bots from brute forcing your login page and gaining access.

A temporary lockout is enough to discourage a bot and make them move away from your site.

  • Prevent Traffic Surge and Server Crash

As we mentioned, in a brute force attack, bots attempt thousands of combinations of usernames and passwords. With every attempt, the bot sends a request to your web server. 

Your web server provides resources to run tasks and functions on your website including login requests. If a bot bombards your site with thousands of requests in a minute, it can overload your server and cause it to crash. 

Your site will become temporarily unavailable to visitors.

  • Prevent Web Host Suspension

Your web server has limited resources to run your website. If you exceed your resources, your server gets overloaded. 

If you are using a shared hosting plan, this can affect other websites that are on the same server. 

When bots are making hundreds of attempts to log in, your site is using excessive server resources. This prompts your hosting provider to temporarily suspend… the site to avoid any impact to other websites on the server. They also do it to protect their own interests.

Cons of Limit Login Attempts

  • Account Locked – If you accidentally forget your username and password, you could get locked out of your account. You would need to follow a verification process to recover your password which could take time.

That’s the only con we can think of. There is no other reason why you shouldn’t implement login protection on your site. If you’re looking for a WordPress limit login attempts alternative, then you can try 2-factor authentication. This will also protect your WordPress login page. MalCare has launched a beta version of 2-factor authentication or you can use Google Authenticator for this.

That said, WordPress limited login attempts is easy to implement and protects your site from hackers. We can see that the pros far outweigh the cons when it comes to limiting login attempts and protecting your website.

Final Thoughts

WordPress is the most popular CMS (Content Management System) in the world. But this popularity draws the attention of hackers.

WordPress sites are constantly targeted by hackers. So it’s even more important that you take ample security measures on your site. Given that the WordPress login page is the most attacked page, limiting login attempts is a good place to start.

If you want to protect your WordPress login page further, you might find these resources helpful:

WordPress Login Security

Password Protect Login Page with HTTP Authentication

Protect Your WordPress Site Against Brute Force Attacks

Two-factor Authentication

If you are looking for an all-round easy but robust security solution, we recommend using the MalCare plugin. It regularly scans your site, sets up a strong firewall, limits login attempts, and alerts you if there’s anything suspicious. It protects your site around the clock. 

Secure Your WordPress Site Against Hackers With MalCare!


You may also like

An Introduction to WordPress Plugins
An Introduction to WordPress Plugins

The default WordPress site is basic. It’s a blank canvas for you to jazz up and make your own. Maybe this means turning your site into an ecommerce store or…

9 Essential Plugins For Every WordPress Site
9 Essential Plugins For Every WordPress Site

Plugins open up a world of possibilities for a WordPress site. You can design something completely new, change your site into an e-commerce store, or even create a portfolio for…