WordPress Limit Login Attempts: How to do it?
If you’ve noticed a lot of failed login attempts on your WordPress site, your site is the target of a brute-force login attack, almost always run by bots. A brute-force login attack works through lists of likely usernames and passwords (common passwords, credentials leaked from other breaches, simple variations of both) and keeps submitting them until a combination is accepted.
These attacks endanger your website and also strain your server resources: every guess is a full PHP request that hashes a password, so real visitors experience a slow or unresponsive site while the attack runs.
TL;DR: Limit bad or failed logins easily with MalCare. MalCare is our choice for login security because its firewall limits failed logins wherever they arrive, not only on the login page.
One of many login security solutions is to limit login attempts in WordPress. However, the login page is not the only place that is vulnerable to login attacks.
XML-RPC (the xmlrpc.php endpoint) is one example. It lets a client log in, publish posts, and more, remotely, and it authenticates with the same usernames and passwords as the login page. Just as on the login page, attackers take confirmed or suspected usernames and relentlessly send XML-RPC requests with a different password each time until one is accepted. Worse, the system.multicall method lets a single HTTP request carry many such calls, so a limit that only counts requests to wp-login.php, or only counts HTTP requests, sees one request where dozens of password guesses were made.
💡 Therefore, look for a WordPress firewall that also limits failed login attempts on XML-RPC, and that counts each attempt rather than each request.
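To see why a per-request limit undercounts XML-RPC traffic, here is an added example, written for this article and not MalCare's or WordPress's code, that parses an XML-RPC request body and counts the credential-bearing calls it contains. A firewall or rate limiter can then charge one system.multicall request as N attempts. The list of methods that take a username and password is an assumption kept deliberately short, and the request body at the bottom is constructed for the example.

```php
<?php
// Added example (not MalCare's or WordPress's code). Counts how many
// credential-carrying calls one XML-RPC request body contains, so a limiter
// can charge a system.multicall request as N attempts instead of one.
// Assumption: these core methods take a username and password as leading
// parameters (after an optional blog_id); extend the list for your site.
const XMLRPC_AUTH_METHODS = array(
    'wp.getUsersBlogs', 'wp.getProfile', 'wp.getPosts', 'wp.getPost',
    'wp.getOptions', 'blogger.getUsersBlogs', 'metaWeblog.getRecentPosts',
);

function count_xmlrpc_auth_attempts( $body ) {
    if ( $body === '' ) {
        return 0; // loadXML() refuses an empty string
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    // LIBXML_NONET: never fetch external resources. Entities are not
    // substituted because LIBXML_NOENT is deliberately not passed (XXE).
    $ok = $doc->loadXML( $body, LIBXML_NONET | LIBXML_NOBLANKS );
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return 0; // not XML at all; WordPress will reject it anyway
    }
    $xp  = new DOMXPath( $doc );
    $top = trim( $xp->evaluate( 'string(/methodCall/methodName)' ) );
    if ( in_array( $top, XMLRPC_AUTH_METHODS, true ) ) {
        return 1; // a plain single call with credentials
    }
    if ( $top !== 'system.multicall' ) {
        return 0;
    }
    // Each inner call of a multicall is a <struct> with a "methodName" member;
    // textContent also covers <value>wp.getUsersBlogs</value> without <string>.
    $count = 0;
    $nodes = $xp->query( "//struct/member[name='methodName']/value" );
    foreach ( $nodes as $node ) {
        if ( in_array( trim( $node->textContent ), XMLRPC_AUTH_METHODS, true ) ) {
            $count++;
        }
    }
    return $count;
}

// Constructed sample body: one multicall carrying three password guesses
// against the user "admin".
$sample = '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    . '<params><param><value><array><data>';
foreach ( array( 'password1', 'letmein', 'admin123' ) as $guess ) {
    $sample .= '<value><struct>'
        . '<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>'
        . '<member><name>params</name><value><array><data>'
        . '<value><string>admin</string></value><value><string>' . $guess . '</string></value>'
        . '</data></array></value></member></struct></value>';
}
$sample .= '</data></array></value></param></params></methodCall>';

echo count_xmlrpc_auth_attempts( $sample ), "\n";
```

Run it with `php` on the command line; the sample request is charged as three attempts, which is what a limiter in front of xmlrpc.php should record for it. The parser deliberately fails closed on malformed input by returning zero, because WordPress itself rejects bodies it cannot parse.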
1. [RECOMMENDED] Limit login attempts in WordPress with a firewall plugin
MalCare is a login security plugin known for its ease of use and a comprehensive suite of features that includes robust controls to limit login attempts in WordPress. Sign up, add your URL, and the login limit takes effect immediately.
Once installed, test the login limit. Attempt to log in incorrectly 10 times and as quickly as possible. You’ll see what it looks like to be locked out by MalCare.
The advantage of using MalCare’s login security is that even if a real user is locked out because they’ve forgotten their password, they can immediately unblock themselves with the reCAPTCHA provided.
Why do we recommend MalCare?
2. Limit login attempts in WordPress using a dedicated limit login attempts plugin
If you’re in search of a highly customizable plugin to fortify your WordPress login security, the Limit Login Attempts Reloaded plugin is a good choice. This straightforward yet powerful tool is designed to excel at one thing—enhancing your login protection.
- Install and activate the plugin: On the wp-admin dashboard, click Plugins in the sidebar, then Add New. Search for Limit Login Attempts Reloaded, then click Install and Activate.
- Customize the parameters: Navigate to the plugin settings and set the allowed retries, the lockout duration, and the related parameters to suit your security preferences.
- Test the plugin: Test your setup to ensure that the plugin works as intended. Attempt to log in incorrectly and verify that you are getting locked out.
Although there are advantages to using plugins that do one thing well, a well-architected site shouldn’t have too many plugins. Instead, install MalCare login security, a comprehensive security plugin that has the ability to limit logins as a part of its larger suite of features.
3. Limit login attempts in WordPress without a plugin
It is possible to write the code that limits login attempts in WordPress and add it to your site yourself, but we don’t recommend this method. It requires editing theme files and some technical expertise. The code goes at the end of the functions.php file of the active theme. Create a child theme first: a future theme update would otherwise overwrite your customizations, whereas changes made in a child theme survive updates. We also recommend that you back up your site first, so that you can restore it to its previous state if anything goes wrong. Be aware that the snippet below keeps one site-wide counter rather than one per visitor: three wrong passwords from anyone, including an attacker, lock the login for everyone until the counter expires. With that, let’s get started:
- Connect to the site server: We’re using Cyberduck, but any other FTP client, such as FileZilla, works as well. Click Open Connection and enter your credentials (username, password, and the server’s IP address or hostname) to connect. Your hosting provider has these details. Prefer SFTP over plain FTP where your host offers it, so the credentials are not sent in clear text.
- Open the functions.php file in a text editor: Navigate to your site’s root folder, which in our case was called public_html. Open the wp-content folder, then themes, then the folder of the active (child) theme. Download its functions.php file and open it in a text editor.
- Add the custom code: Add the following code at the end of the functions.php file:
function check_attempted_login( $user, $username, $password ) {
    // The transient name is fixed, so this counter is shared by every visitor
    // of the site; it is not kept per IP address or per username.
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            // Lockout in force: read the transient's expiry time from the options
            // table. This only works without a persistent object cache.
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time  = time_to_go( $until );
            return new WP_Error( 'too_many_tried', sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ), $time ) );
        }
    }
    return $user;
}
// Priority 30 runs after core's username/password check (priority 20), so a
// correct password is also rejected while the lockout lasts.
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

function login_failed( $username ) {
    // Count each failed login; the counter lives for 300 seconds and is
    // refreshed on every failure up to the third.
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas, 300 );
        }
    } else {
        $datas = array(
            'tried' => 1
        );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

function time_to_go( $timestamp ) {
    // Express the time remaining until $timestamp (a Unix time) in words,
    // e.g. "4 minutes".
    $periods = array( 'second', 'minute', 'hour', 'day', 'week', 'month', 'year' );
    $lengths = array( '60', '60', '24', '7', '4.35', '12' );
    $current_timestamp = time();
    $difference = abs( $current_timestamp - $timestamp );
    for ( $i = 0; $difference >= $lengths[ $i ] && $i < count( $lengths ) - 1; $i++ ) {
        $difference /= $lengths[ $i ];
    }
    $difference = round( $difference );
    if ( $difference != 1 ) {
        $periods[ $i ] .= 's';
    }
    return "$difference $periods[$i]";
}
You can customize the values to meet your specific login security requirements. The threshold is the number 3 in the comparison $datas['tried'] >= 3 inside check_attempted_login: a user is locked out once three failed attempts have been counted. Change it as you’d like, but change the matching <= 3 in login_failed to the same number, which appears in the following piece of code:
if ( $datas['tried'] <= 3 ) {
    set_transient( 'attempted_login', $datas, 300 );
}
} else {
    $datas = array(
        'tried' => 1
    );
    set_transient( 'attempted_login', $datas, 300 );
}
}
The 300 is the lifetime of the counter in seconds. Because the transient is refreshed on every failed attempt up to the third, the lockout lasts 300 seconds (5 minutes) from the third failure. Replace both occurrences with a number of your choice.
- Upload the file: Once you’re done, save the file and upload the edited file to your server.
- Test the login limits: Test the process when you’re done. Try logging in with incorrect credentials and verify that the restrictions are enforced.
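If you do go the manual route, the shortcomings of the snippet above (one counter for the whole site, an expiry read from the options table, no reset on success) are easy to avoid. The following is an added example written for this article, not MalCare's plugin or WordPress core: the same transient-based approach, keyed per client address, with the lockout end time stored inside the transient and the counter cleared on a successful login. It assumes the web server sets REMOTE_ADDR to the real client address (no reverse proxy or CDN in front); the ll_ prefix and the two constants are names chosen here. Because wp_xmlrpc_server::login() calls wp_authenticate(), the same two hooks fire for XML-RPC logins, once for each call inside a system.multicall batch.

```php
<?php
// Added example for this article, not MalCare's plugin or WordPress core.
// Drop it into a child theme's functions.php or a small mu-plugin.
// Assumes REMOTE_ADDR is the real client address. Behind a reverse proxy or
// CDN, derive the address from the header your proxy sets and strips from
// clients instead. Names prefixed ll_ are chosen here.

define( 'LL_MAX_ATTEMPTS', 5 );      // failures allowed per address
define( 'LL_WINDOW_SECONDS', 900 );  // counting window and lockout length

function ll_client_ip() {
    // Never trust X-Forwarded-For from arbitrary clients: it is attacker-controlled.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_transient_key( $ip ) {
    // Hashing keeps IPv6 addresses within the transient name length limit.
    return 'll_fail_' . md5( $ip );
}

function ll_check_attempted_login( $user, $username, $password ) {
    $data = get_transient( ll_transient_key( ll_client_ip() ) );
    if ( is_array( $data ) && $data['tried'] >= LL_MAX_ATTEMPTS ) {
        // The end time travels inside the transient, so this also works with
        // a persistent object cache where _transient_timeout_* options do not exist.
        $wait = max( 1, (int) $data['until'] - time() );
        return new WP_Error(
            'too_many_tried',
            sprintf(
                __( '<strong>ERROR</strong>: Too many failed logins from your address. Try again in %d minute(s).' ),
                (int) ceil( $wait / 60 )
            )
        );
    }
    return $user;
}
// Priority 30: core checks the password at priority 20 and would otherwise
// hand back a WP_User for a correct password during the lockout.
add_filter( 'authenticate', 'll_check_attempted_login', 30, 3 );

function ll_login_failed( $username, $error = null ) {
    $key  = ll_transient_key( ll_client_ip() );
    $data = get_transient( $key );
    if ( ! is_array( $data ) ) {
        $data = array( 'tried' => 0, 'until' => time() + LL_WINDOW_SECONDS );
    }
    $data['tried']++;
    // Keep the original expiry so further guesses cannot extend the lockout
    // for a legitimate user who shares the address (office NAT, for example).
    set_transient( $key, $data, max( 1, (int) $data['until'] - time() ) );
}
// wp_authenticate() fires this for web and XML-RPC logins alike, once per
// inner call of a system.multicall batch.
add_action( 'wp_login_failed', 'll_login_failed', 10, 2 );

function ll_login_success( $user_login, $user ) {
    // A successful login clears the counter for that address.
    delete_transient( ll_transient_key( ll_client_ip() ) );
}
add_action( 'wp_login', 'll_login_success', 10, 2 );

// If the site does not use XML-RPC at all (no Jetpack, no mobile app), remove
// that surface entirely instead of rate-limiting it:
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Test it the same way as the page's snippet: fail to log in LL_MAX_ATTEMPTS times from one browser, confirm the lockout message, then log in correctly from another address and confirm it is unaffected. A per-address counter still does not stop an attacker who spreads guesses across many addresses (credential stuffing from a botnet); for that you need a counter keyed by username as well, or a firewall that sees the traffic before it reaches PHP.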
Troubleshooting issues with the manual method
There are a few things that can go wrong when you limit login attempts in WordPress without a plugin. This section covers issues commonly faced during the manual process.
Why we don’t recommend the manual method
When considering the manual method, it’s important to be aware of its drawbacks:
Should you block login attempts in WordPress?
The practice of blocking login attempts in WordPress is a great security measure, but it’s not without its considerations. On one hand, it serves as a robust defense against unauthorized access by thwarting brute-force attacks and safeguarding against credential stuffing. However, users may worry about potential inconveniences or account lockouts resulting from these limits. To provide a comprehensive perspective, it’s important to delve into both the advantages and disadvantages of limiting login attempts.
Pros
Cons
What are some other ways to secure a login page?
While limiting login attempts in WordPress is indeed a vital component of website login security, it’s essential to recognize that it’s just one piece of the puzzle. There are other ways to block the effect that a brute-force attack can have on your site. Here are some login security measures that we would recommend:
It is important to reiterate that login security is a single facet of WordPress security. For a more comprehensive defense of your WordPress site, you need to install a security plugin like MalCare. MalCare combines a malware scanner, cleaner, and an advanced firewall, which will also contribute to login security while repelling other kinds of attacks.
Final thoughts
While limiting login attempts in WordPress is important, comprehensive website security requires more. You need tools like malware scanning, vulnerability detection, a firewall, and malware removal. MalCare is the top choice, providing all these features, including robust login-limiting controls, to keep your website safe and secure.
FAQs
How to limit login attempts in WordPress?
You can limit login attempts in WordPress using plugins like MalCare, Limit Login Attempts Reloaded, or by adding custom code to your theme files.
How many login attempts should be allowed before locking out a user?
The ideal number of login attempts before locking out users can vary based on your website’s security needs. However, a common recommendation is to set a limit of 3 to 5 login attempts. This strikes a balance between deterring brute-force attacks and ensuring that legitimate users don’t face unnecessary lockouts.
How to fix WordPress too many login attempts error?
This error appears while a lockout is in force because the limit of failed logins was exceeded. Use a plugin with CAPTCHA or reCAPTCHA so that locked-out users can prove they are human and regain access without waiting out the lockout.
Can certain IP addresses be whitelisted to prevent lockouts?
Yes, many security plugins and systems offer the option to whitelist certain IP addresses or IP ranges. Whitelisting trusted IPs ensures that users with those IPs won’t be subject to lockouts, even if they exceed the specified login attempts. This feature is valuable for website owners who want to ensure uninterrupted access for specific users or locations.
What should you do if you get locked out of your own site due to login attempt limits?
If you find yourself locked out of your website due to login attempt limits, don’t panic. Most security solutions, including plugins like MalCare, provide mechanisms to unblock yourself. Typically, this involves completing a CAPTCHA or waiting for a set duration before trying to log in again. It’s a security measure to protect your site from unauthorized access, but it’s designed to be temporary and manageable.
Are there any risks of false positives with login attempt limits?
Yes, there can be risks of false positives when implementing login attempt limits. Legitimate users who mistype their passwords multiple times or have difficulties with CAPTCHA challenges may inadvertently trigger lockouts. To mitigate this, it’s essential to choose security solutions that offer user-friendly ways to resolve lockouts, such as CAPTCHA verification. Additionally, monitoring your site’s activity logs can help you identify and address false positives promptly, ensuring a smoother user experience while maintaining security.