how to limit wordpress login attempts

How to Limit WordPress Login Attempts

Do you want to limit WordPress login attempts to secure the admin area? This tutorial will show you the exact process of limiting login attempts.

The popularity of WordPress as a CMS also brings its vulnerability to security breaches like brute force attacks and more. Since WordPress doesn’t limit login attempts by default, there are even more chances that these attacks can be successful and hamper your website.

That is why it is essential to add login attempts on your WordPress website. But limiting these attempts has some more benefits apart from avoiding brute force attacks. So let’s look at the advantages of limiting login attempts in WordPress before we move toward the actual process.

Why Limit WordPress Login Attempts?

It is essential to limit login attempts for your WordPress website. Here are a few reasons why it’s important:

  • Prevent Brute-Force Attacks: Brute-force attacks depend on the automated trial and error of guessing numerous username and password combinations. They are continued until the correct credentials are found. Therefore, you can significantly reduce the chances of success for these attackers by restricting their login attempts.
  • Protect User Accounts: Limiting login attempts is very important if your website enables user registrations or includes membership features. You establish a safeguard that helps defend user accounts from unauthorized access by imposing restrictions on login attempts. This ensures the protection of user accounts associated with your WordPress site and enhances the overall security of your website.
  • Maintain Website Performance: A brute force attack can strain your website server resources when the attacker attempts multiple usernames and passwords to gain access. Each failed login attempt requires processing power, memory, and other resources, which can lead to decreased website performance or even downtime. So you can reduce the chances of these attempts that negatively impact your website’s performance by limiting login attempts.
  • Enhance Overall Security: Implementing login attempt limitations is a proactive security measure that strengthens the protection of your WordPress site. It adds an extra layer of defense against unauthorized access, including other essential security measures such as strong passwords, two-factor authentication, and regular updates. Altogether, these measures can create a robust defense system to safeguard your site from potential threats.

In the next section, we will show you the step-by-step process of limiting WordPress login attempts using a plugin.

How to Limit WordPress Login Attempts

The easiest way to limit login attempts in WordPress is by using a plugin. Plugins increase the functionalities and features of your website that weren’t provided in the default WordPress installation or themes. And since WordPress doesn’t limit login attempts by default, you will have to use a plugin for it.

Many plugins In WordPress allow you to limit login attempts on your website. But we will be using the Limit Login Attempts Reloaded plugin for this demonstration.

limit wordpress login attempts reloaded

It is the most popular plugin in WordPress designed to protect your website from brute-force attacks by limiting login attempts. The plugin also has a straightforward interface to configure the maximum number of login retries and duration of lockouts. It even provides you with detailed logs so that you can keep track of every login attempt and be aware of any related security threats.

But to start using the plugin, you need to install and activate it.

1) Install and Activate the Plugin

First, go to Plugins > Add New from your WordPress dashboard and enter the keywords for the plugin. After you see the plugin in the search results, click Install Now to install the plugin.

The installation will take just a few seconds. Activate the plugin as soon as the installation is completed.

You can also upload and install the plugin if you want to use one not included in the official WordPress plugin repository. You can look at our complete guide on installing a WordPress plugin manually if you need help.

2) Limit Login Attempts Using Plugin Settings

After the plugin is activated, you can now adjust the login attempt limit for your WordPress website using the plugin settings. For that, just go to Settings > Limit Login Attempts and open the Settings tab.

You will be able to see the general settings of the plugin here. But the first thing you should do is scroll down to the App Settings section to limit the login attempts or lockouts on your WordPress website. Lockouts refer to a security feature that temporarily blocks or restricts access to an account or system after a certain number of failed login attempts.

The plugin includes a few options for the lockout of the login attempts. Firstly, you can add the number of login retries you want to provide your users on the “allowed retries” number box. The number you enter here is the limit for the login attempts you want to allow for the users of your WordPress website.

app settings limit wordpress login attempts

Similarly, you can adjust the period in the form of minutes for the lockouts if a user fails to enter the correct credentials within the allowed retries. There are also some more lockout options, like increasing the lockout number after a certain period and the period for resetting the retries.

Lastly, you can also change the Trusted IP Origins option. However, it is strongly recommended that you do not change it and leave it as it is for security reasons. After you make all the necessary changes, click on Save Settings.

Then, you will be able to see the login attempts when you log out from your WordPress dashboard and try logging in again when an incorrect username or password is entered. You can also open the login URL from incognito mode to test it quickly. If you look at the following screenshot, there are only 6 out of 7 because the first attempt included an incorrect username or password.

attempts remaining limit wordpress login attempts

3) Adjust Additional Plugin Settings

You can also adjust some additional plugin settings after you set the lockout options to limit the login attempts for your WordPress website. Just scroll up to the General Settings section, where the first option you’ll see is to set the plugin as GDPR-compliant. You can even add a GDPR message if you check the option.

Furthermore, the plugin can notify you after a certain number of lockouts directly to your selected email. You can also show or hide the top-level menu item, warning badge, and dashboard widget. But remember that the warning badge and the top-level menu item will only be displayed when you reload the changes.

general settings limit wordpress login attempts

Don’t forget to save the changes after you make all the additional changes.

Moreover, if you open the Logs tab, you will also be able to see the total number of lockouts here. You can also add IP addresses, IP ranges, or usernames to the safelist and blocklist area accordingly. Again, it is necessary to save these changes for these IP addresses to take effect on your website.

In addition, you can also view an overview of the number of failed login attempts for the past 24 hours from the Dashboard tab. You also get a graph of the number of failed login attempts along with the exact date of the failed attempts beside it. If you want more options for login attempts, you can always upgrade to the premium version.

dashboard tab limit wordpress login attempts

Bonus: How to Change WordPress Login Page URL

If you want to make your website more secure to reduce the chances of brute force attacks, you can also change the WordPress login URL of your website. The default WordPress login URL is very predictable and straightforward. As a result, hackers can easily find your login URL for brute force attacks.

You can easily find the login page of your website by adding the path /wp-admin/ at the end of your domain. Then, you will be redirected to the WordPress login page of your website, from where you can access your WordPress dashboard. If the path /wp-admin/doesn’t work, you can also try the path /wp-login/, /login/, or /admin/.

As you can see, your login page can be accessed by anyone familiar with web design and development, even at the slightest amount. This can lead to further security threats on your website even if you limit WordPress login attempts. Therefore, it is essential to change the login URL of your WordPress website too.

You can change the login URL of your website without any hassle in just a few minutes. And just like limiting the login attempts, the easiest way to change the login URL in WordPress is by using a plugin. So for this demonstration, we will use the WPS Hide Login plugin.

1) Install and Activate the Plugin

To install the plugin, go to Plugins > Add New from your WordPress dashboard again. Then, search for the keywords of the plugin and click on Install Now, just like one of the previously mentioned steps in this tutorial.

Now all you have to do is Activate the plugin.

2) Change the WordPress Login Page URL

Upon activation of the plugin, you can now start customizing the plugin options from Settings > WPS Hide Login on your WordPress dashboard.

Here, you need to customize two options:

  • Login URL
  • Redirection URL

In the Login URL field, input the desired new path for your login page. We have added “newlogin” for this example. So your unique login URL becomes www.yourdomain.com/newlogin/.

It is important to note that once you make this change, you will need to use the new URL to access the WordPress admin dashboard. So the previous /wp-admin/ path or any other login URL you were using will not be able to access the login page after anymore. Therefore, you will need to redirect users from the old login URL to the new one.

This is where the Redirection URL comes into play. When someone enters the old www.yourdomain.com/wp-admin/ in their browser, they will be automatically redirected to the redirection URL.

But since we want to make the website more secure after we limit the WordPress login attempts, add 404 as the redirection URL. This will let the users know that the entered webpage is unavailable.

Finally, save all the changes.

Once you have updated the new settings, WordPress will display a warning at the top of the page indicating that the login page has been changed. It is advisable to bookmark this link and provide it to only administrative website users.

wps hide login warning

If you need more information on changing the URLs, you can also look at our detailed tutorial on how to change WordPress login page URL.

Tip: Ensure Your Login Password is Strong

Just like adding a limit to the WordPress login attempts and changing the login URL, it is also essential to ensure that your login password is solid and can’t be guessed easily. If you don’t have one, you can easily create it through the WordPress admin dashboard. So as a bonus tip, we’ll guide you through adding a strong password for your WordPress login account too.

First, go to Users > Profile from your WordPress dashboard and scroll down to the Account Management section. Then, click on Set New Password. It will automatically generate a strong new password for your WordPress user profile.

set new password limit wordpress login attempts

Ensure you securely save the password by copying and pasting it into a safe location for future use or reference. Finally, scroll down to the bottom of the page and click on Update Profile to save the changes.

Conclusion

This is how you can limit WordPress login attempts on your website. Limiting login attempts is essential to add an extra layer of security to your WordPress website, and the process is straightforward too. All you have to do is install a plugin that lets you limit the login attempts and then adjust the lockouts, and the login retires accordingly using the plugin settings.

Depending on the plugin you use, you also get some additional options for the login limits. Furthermore, the plugin may also provide statistics and logs for the login attempts, as shown in the above example in this tutorial.

Similarly, we have also provided you with a bonus tutorial on changing the WordPress login URL as an additional security measure. You can change the login URL using a dedicated plugin, just like limiting the login attempts. But ensure you have a solid login password for your WordPress user account for utmost security.

So can you limit the login attempts in a WordPress website now? Have you ever tried it? Please do let us know in the comments.

Meanwhile, here are some more articles that you might find helpful to customize your WordPress website further: