WordPress Limit Login Attempts: How to do it?

You’ve probably noticed a lot of failed login attempts on your WordPress site. You probably suspect that your site is facing a brute-force login attack by bots. Brute force attacks to log into a site involve systematically trying every possible combination of usernames and passwords until the correct one is found.
If you’re fighting off brute force attacks, install a WordPress firewall with integrated bot protection.
These attacks not only endanger your website but also put considerable strain on your server, potentially making it unresponsive to real visitors. One of many login security solutions is to limit login attempts in WordPress, and that is what we will talk about in this article.
TL;DR: MalCare has the best solution for limiting logins with a powerful firewall. It stands out as the top choice thanks to its integrated bot protection and user-friendly plugin, making website security both robust and hassle-free.
There are different aspects of your site vulnerable to brute force attacks. XML-RPC, for example, is a file that allows a user to log in, publish posts, and more, remotely. Similar to the login page, using either confirmed usernames or suspected valid ones, attackers relentlessly send XML-RPC login requests with varying passwords until they find the correct one to gain access.
Vulnerabilities like this make limiting login attempts a great way to prevent a hack. However, WordPress offers no default settings or features to do so. You will either need a firewall plugin or need to add custom code to core files. So, starting from the easiest, here are three ways to block login attempts in WordPress.
1. [RECOMMENDED] Limit login attempts in WordPress using a comprehensive security plugin
MalCare is a multifaceted security plugin known for its ease of use and comprehensive suite of features, including limiting login attempts. Just sign up, add your URL and immediately put the limit logins feature into effect. Here are the steps to do so:
- Create an account: On the MalCare website, click Sign Up. Add an email address and create a password.

- Add your URL: Next, add your WordPress website to your MalCare account.

- Sync your site: You will then be prompted to initiate sync. Click the button and you’re done.

That’s it! With these simple steps, you’ve set up your MalCare account and linked it to your website, paving the way for enhanced security.
- Test the login limit: Now it’s time to ensure that it functions as intended. Attempt to log in incorrectly 10 times and as quickly as possible. Understand what it looks like to be locked out by MalCare. Then, use reCAPTCHA to sign back in.

The limit login feature is just one part of MalCare’s security arsenal, which also includes a robust malware scanner and effortless one-click malware removal.
Why do we recommend MalCare?
2. Limit login attempts in WordPress using a dedicated plugin
If you’re in search of a highly customizable plugin to fortify your WordPress login security, the Limit Login Attempts Reloaded plugin is a good choice. This straightforward yet powerful tool is designed to excel at one thing—enhancing your login protection.
- Install and activate the plugin: On the wp-admin dashboard, click Plugins in the sidebar. Then click Add New. Then, look for Limit Login Attempts Reloaded in the search bar. Click Install and Activate.

- Customize the parameters: Navigate to the plugin settings and decide the parameters of allowed retries, lockout times, etc. to suit your security preferences.

- Test the plugin: Test your setup to ensure that the plugin works as intended. Attempt to log in incorrectly and verify that you are getting locked out.

Although there are advantages to using plugins that do one thing well, a well-architected site shouldn’t have too many plugins. Instead, install MalCare, a comprehensive security plugin that has the ability to limit logins as a part of its larger suite of features.
3. Limit login attempts in WordPress without a plugin
It is possible to write the code to limit login attempts in WordPress and insert it into your site, but we don’t recommend this method. It requires changes to core files and some technical expertise. The code needs to be added to the functions.php file of an active theme. We recommend that you create a child theme, because any theme updates in the future could override your customizations; making the changes in your child theme ensures they remain intact. We also recommend that you back up your site first. This ensures that you can easily restore your site to its previous state if anything goes wrong during the customization process. With that, let’s get started:
- Connect to the site server: We’re using Cyberduck but you can use any other FTP client like FileZilla as well. Click Open Connection and use your application credentials – username, password, and IP address – to connect to your server. These are details you can find with your hosting provider.

- Open the functions.php file in a text editor: Navigate to your root folder. In our case, this was called public_html. Then look for the wp-content folder and then the folder for the active theme. Find the functions.php file and download it. Then open the downloaded file in a text editor so you can edit it.

- Add the custom code: Then, add the following code at the end of the functions.php file:
function check_attempted_login( $user, $username, $password ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            // Read the transient's expiry so the error message can say how long the lockout lasts.
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time  = time_to_go( $until );
            return new WP_Error( 'too_many_tried', sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ), $time ) );
        }
    }
    return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas, 300 );
        }
    } else {
        $datas = array(
            'tried' => 1
        );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

function time_to_go( $timestamp ) {
    // Express the time left until the lockout expires (a Unix timestamp) in a human-readable unit.
    $periods = array( "second", "minute", "hour", "day", "week", "month", "year" );
    $lengths = array( "60", "60", "24", "7", "4.35", "12" );
    $current_timestamp = time();
    $difference = abs( $current_timestamp - $timestamp );
    for ( $i = 0; $difference >= $lengths[$i] && $i < count( $lengths ) - 1; $i++ ) {
        $difference /= $lengths[$i];
    }
    $difference = round( $difference );
    if ( isset( $difference ) ) {
        if ( $difference != 1 ) {
            $periods[$i] .= "s";
        }
        $output = "$difference $periods[$i]";
        return $output;
    }
}
You can customize the values to meet your specific login security requirements. In the case of this code, you’ll notice the number 3 at the end of line 4 of the code. This means that a user gets locked out after 3 failed attempts. The number 3 can be changed as you like. Similarly, look for the following piece of code:
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas, 300 );
        }
    } else {
        $datas = array(
            'tried' => 1
        );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
The 300 means that the lockout lasts for 300 seconds, or 5 minutes. You can replace it with a number of your choice.
- Upload the file: Once you’re done, save the file and upload the edited file to your server.

- Test the login limits: Test the process when you’re done. Try logging in with incorrect credentials and verify that the restrictions are enforced.

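The snippet above keeps a single site-wide counter, so failed attempts from anyone lock out everyone, including you; as an added example that is not the article's or MalCare's code, here is a variant that keys the counter on the client address, clears it on a successful login, and uses the same authenticate and wp_login_failed hooks (which also run for XML-RPC logins). It assumes the server is not behind a reverse proxy, so $_SERVER['REMOTE_ADDR'] is the real client address, and the lla_ names and constants are hypothetical.

```php
// Added example: per-client lockout for functions.php. Assumes no reverse proxy
// (REMOTE_ADDR is the real client); lla_* names and constants are hypothetical.
define( 'LLA_MAX_ATTEMPTS', 3 );      // failed logins allowed before lockout
define( 'LLA_LOCKOUT_SECONDS', 300 ); // lockout length, and the failure-counting window

function lla_transient_key() {
    // Hash the address so the transient name is short and stores no raw IP.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lla_' . md5( $ip );
}

function lla_check_attempted_login( $user, $username, $password ) {
    $data = get_transient( lla_transient_key() );
    if ( is_array( $data ) && $data['tried'] >= LLA_MAX_ATTEMPTS ) {
        $remaining = max( 1, $data['until'] - time() );
        return new WP_Error(
            'too_many_tried',
            sprintf( __( '<strong>ERROR</strong>: Too many failed logins. Try again in %d seconds.' ), $remaining )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_check_attempted_login', 30, 3 );

function lla_login_failed( $username ) {
    $key  = lla_transient_key();
    $data = get_transient( $key );
    if ( ! is_array( $data ) ) {
        $data = array( 'tried' => 0, 'until' => 0 );
    }
    if ( $data['tried'] >= LLA_MAX_ATTEMPTS ) {
        return; // already locked out: attempts during the lockout do not extend it
    }
    $data['tried']++;
    $data['until'] = time() + LLA_LOCKOUT_SECONDS;
    set_transient( $key, $data, LLA_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'lla_login_failed', 10, 1 );

function lla_login_succeeded( $user_login ) {
    // A successful login clears this client's counter.
    delete_transient( lla_transient_key() );
}
add_action( 'wp_login', 'lla_login_succeeded', 10, 1 );
```

If the site does sit behind a proxy or CDN, derive the client address only from the header that proxy is configured to set, since any client can send a forged X-Forwarded-For header directly.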
Troubleshooting issues with the manual method
There are a few things that can go wrong when you limit login attempts in WordPress without a plugin. We have covered some issues commonly faced during the manual process in this section.
Why we don’t recommend the manual method
When considering the manual method, it’s important to be aware of its drawbacks:
Should you block login attempts in WordPress?
The practice of blocking login attempts in WordPress is a great security measure, but it’s not without its considerations. On one hand, it serves as a robust defense against unauthorized access by thwarting brute-force attacks and safeguarding against credential stuffing. However, users may worry about potential inconveniences or account lockouts resulting from these limits. To provide a comprehensive perspective, it’s important to delve into both the advantages and disadvantages of limiting login attempts.
Pros
Cons
What are some other ways to secure a login page?
While limiting login attempts in WordPress is indeed a vital component of website login security, it’s essential to recognize that it’s just one piece of the puzzle. There are other ways to limit the effect that a brute-force attack can have on your site. Here are some login security measures that we would recommend:
It is important to reiterate that login security is a single facet of WordPress security. For a more comprehensive defense of your WordPress site, you need to install a security plugin like MalCare. MalCare combines a malware scanner, cleaner, and an advanced firewall, which will also contribute to login security while repelling other kinds of attacks.
Final thoughts
While limiting login attempts in WordPress is important, comprehensive website security requires more. You need tools like malware scanning, vulnerability detection, a firewall, and malware removal. MalCare is the top choice, providing all these features to keep your website safe and secure.
FAQs
How many login attempts should be allowed before locking out a user?
The ideal number of login attempts before locking out users can vary based on your website’s security needs. However, a common recommendation is to set a limit of 3 to 5 login attempts. This strikes a balance between deterring brute-force attacks and ensuring that legitimate users don’t face unnecessary lockouts.
Can certain IP addresses be whitelisted to prevent lockouts?
Yes, many security plugins and systems offer the option to whitelist certain IP addresses or IP ranges. Whitelisting trusted IPs ensures that users with those IPs won’t be subject to lockouts, even if they exceed the specified login attempts. This feature is valuable for website owners who want to ensure uninterrupted access for specific users or locations.
What should you do if you get locked out of your own site due to login attempt limits?
If you find yourself locked out of your website due to login attempt limits, don’t panic. Most security solutions, including plugins like MalCare, provide mechanisms to unblock yourself. Typically, this involves completing a CAPTCHA or waiting for a set duration before trying to log in again. It’s a security measure to protect your site from unauthorized access, but it’s designed to be temporary and manageable.
Are there any risks of false positives with login attempt limits?
Yes, there can be risks of false positives when implementing login attempt limits. Legitimate users who mistype their passwords multiple times or have difficulties with CAPTCHA challenges may inadvertently trigger lockouts. To mitigate this, it’s essential to choose security solutions that offer user-friendly ways to resolve lockouts, such as CAPTCHA verification. Additionally, monitoring your site’s activity logs can help you identify and address false positives promptly, ensuring a smoother user experience while maintaining security.