One of the most common methods that hackers use to gain access to a WordPress site is a brute force attack. Bots try multiple username and password combinations until one is successful. Invariably, this leads to many failed login attempts. As such, limiting and keeping a log of failed login attempts is one of the best defenses against such attacks.
This article explains how you can implement these security measures using WP Activity Log and Melapress Login Security. These two plugins can help you keep a log of failed logins, so you can see the failed login history of a WordPress website and limit login attempts simultaneously. It also showcases the different settings you can use to configure the plugins based on your needs.
How does the WP Activity Log plugin keep a record of failed login attempts on WordPress?
WP Activity Log uses two different alerts to keep a record of failed WordPress logins in the activity log:
- Alert 1002: WordPress user failed login
- Alert 1003: failed login for non-existing username (this means someone tried to authenticate on your website, but the username they specified does not exist on your website)
Why does WP Activity Log use two different event IDs to keep a WordPress failed login history?
Failed logins for unknown (i.e. non-existing) usernames are not something you should worry much about on their own. This is pretty normal activity, and it happens to all websites, as explained in Handling WordPress failed login attempts on your site. You should only take precautionary measures when there are failed logins for existing usernames. When this happens, it means that either the user genuinely forgot their password or an attacker has guessed a valid WordPress username. In the latter case, the user account might become the subject of a targeted attack.
Therefore, by having two different event IDs, it’s easier to search for a specific failed login in the activity log. It also allows you to create separate email and SMS notifications so you are alerted in case there are failed logins for a known username.
How does the logging of WordPress failed logins work?
By default, the WP Activity Log plugin records up to ten failed logins for every IP address and WordPress username combination when the username belongs to an existing WordPress user. For failed logins of non-existing WordPress users, the plugin records up to ten failed attempts for every IP address.
This is a precautionary measure to avoid hogging web server resources during a WordPress brute force attack. These events are enough to give you an indication of whether your WordPress website is being attacked or whether the failed login attempts are legitimate.
Configure the plugin to record more than ten failed login attempts
You can configure the WP Activity Log plugin to keep a log of more than ten failed WordPress logins. To increase the limit:
- Navigate to the Enable/Disable Events node in the plugin menu
- Click on the User Logins & Sessions Events tab
- Find Alert ID 1002 and Alert ID 1003 and enter “0” for both if you want to capture all failed logins without limits.
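To make the logging behaviour described above concrete, here is an added example (not WP Activity Log's own code) that models it in Python: event 1002 is aggregated per IP address and existing username, event 1003 per IP address with the user recorded as System, each key is capped at `limit` counted failures, and `limit=0` removes the cap in the same way as entering "0" for the alert IDs. The class names, the `existing_users` stand-in for WordPress' user table and the sample IP addresses are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Event IDs as used by WP Activity Log (from the article).
EVENT_FAILED_LOGIN_KNOWN_USER = 1002    # failed login for an existing WordPress user
EVENT_FAILED_LOGIN_UNKNOWN_USER = 1003  # failed login for a non-existing username


@dataclass
class FailedLoginEvent:
    """One aggregated alert: last time, source IP, running count and the user."""
    event_id: int
    ip: str
    user: str            # the WordPress user for 1002, "System" for 1003
    last_seen: datetime  # date and time of the last failed login
    count: int = 0       # number of failed logins recorded under this key


class FailedLoginLog:
    """Constructed model of the failed-login bookkeeping described in the article.

    existing_users: names of real WordPress accounts (hypothetical stand-in for
                    the WordPress user table).
    limit: failures counted per key (per IP+username for 1002, per IP for 1003);
           0 means no cap, like entering "0" for alert IDs 1002 and 1003.
    """

    def __init__(self, existing_users, limit=10):
        self.existing_users = set(existing_users)
        self.limit = limit
        self.events = {}                           # key -> FailedLoginEvent
        self.unknown_usernames = defaultdict(set)  # ip -> usernames tried (1003)
        self.dropped = 0                           # failures beyond the cap

    def record(self, ip, username, when=None):
        """Record one failed login; return the updated event, or None if capped."""
        when = when or datetime.now(timezone.utc)
        if username in self.existing_users:
            key = (EVENT_FAILED_LOGIN_KNOWN_USER, ip, username)
            user = username
        else:
            key = (EVENT_FAILED_LOGIN_UNKNOWN_USER, ip)
            user = "System"
            self.unknown_usernames[ip].add(username)   # the usernames log
        event = self.events.setdefault(key, FailedLoginEvent(key[0], ip, user, when))
        if self.limit and event.count >= self.limit:
            self.dropped += 1      # cap reached: do not keep growing the log
            return None
        event.count += 1
        event.last_seen = when
        return event

    def search(self, event_id):
        """Filter the log by event ID, which is what the two IDs make easy."""
        return [e for e in self.events.values() if e.event_id == event_id]

    def notification_worthy(self):
        """Events worth an email/SMS alert: failures against existing usernames."""
        return self.search(EVENT_FAILED_LOGIN_KNOWN_USER)


if __name__ == "__main__":
    log = FailedLoginLog(existing_users={"admin", "editor"})
    for _ in range(12):                         # constructed: 12 guesses at "admin"
        log.record("203.0.113.5", "admin")
    for name in ("root", "test", "wpadmin"):    # constructed: unknown usernames
        log.record("198.51.100.7", name)
    for e in log.events.values():
        print(e.event_id, e.ip, e.user, e.count, e.last_seen.isoformat())
    print("dropped beyond cap:", log.dropped)
```

Running the sample input produces one 1002 event for admin with a count of ten (the two extra guesses are dropped) and one 1003 event for the second IP with a count of three, which is the shape of what you see in the activity log viewer.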
What is reported in the failed WordPress logins alerts?
In both event IDs 1002 and 1003, the plugin records:
- The date and time when the last failed login happened
- The source IP address of the computer/device from where the failed login happened
- The number of failed logins
- The WordPress user in the case of alert 1002, as seen in the screenshot below
In the case of a failed WordPress login for a non-existing username, the plugin uses System as the user, because there is no WordPress user on your website that can be associated with such activity, as shown in the screenshot below.
How to limit login attempts
Limiting the number of login attempts can help you ensure your website remains secure. Melapress Login Security is a WordPress security plugin that gives you the tools you need to enact policies around your login page – including limiting login attempts on WordPress.
Using Melapress Login Security, you can set a hard limit on how many times a user can attempt to log in before the account is locked. Furthermore, you can specify what happens once an account is locked – whether it automatically unlocks after a period of time or whether a WordPress admin has to unlock it manually.
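The following added example (written for this article, not Melapress Login Security's own code) shows the two lockout behaviours just described as a small Python class: an account is locked after `max_attempts` consecutive failures, and either unlocks by itself after `lock_seconds` or, when `lock_seconds` is 0, stays locked until an admin calls `admin_unlock()`. All parameter and method names are hypothetical; timestamps are plain epoch seconds so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccountState:
    failures: int = 0                  # consecutive failed attempts
    locked_at: Optional[float] = None  # epoch seconds of the lock, None = not locked


class LoginLimiter:
    """Hypothetical login-attempt limiter modelling the policies in the article.

    max_attempts: failed attempts allowed before the account is locked.
    lock_seconds: seconds until a lock lifts automatically; 0 means the lock
                  stays until an administrator unlocks the account manually.
    """

    def __init__(self, max_attempts=5, lock_seconds=900):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username, now=None):
        """Check the lock, lifting it first if its timed duration has passed."""
        now = time.time() if now is None else now
        st = self._state(username)
        if st.locked_at is None:
            return False
        if self.lock_seconds and now - st.locked_at >= self.lock_seconds:
            self.accounts[username] = AccountState()   # auto-unlock, reset counter
            return False
        return True                                    # timed lock still running,
                                                       # or manual-unlock policy

    def attempt(self, username, password_ok, now=None):
        """Process one login attempt; returns 'locked', 'failed' or 'ok'.

        password_ok stands in for the real credential check, which is skipped
        entirely while the account is locked.
        """
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        st = self._state(username)
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_at = now      # hard limit reached: lock the account
            return "locked"
        return "failed"

    def admin_unlock(self, username):
        """Manual unlock by a WordPress admin; clears the counter as well."""
        self.accounts[username] = AccountState()


if __name__ == "__main__":
    timed = LoginLimiter(max_attempts=3, lock_seconds=600)
    for t in (1000, 1001, 1002):            # constructed: three wrong passwords
        print(t, timed.attempt("editor", False, now=t))
    print(1003, timed.attempt("editor", True, now=1003))   # still locked
    print(1602, timed.attempt("editor", True, now=1602))   # lock expired
```

Every `"failed"` result is exactly the kind of event the activity log examples earlier in this article would record, so the two mechanisms complement each other: the limiter stops the guessing, the log tells you it happened.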
Keep a log of the Usernames used for the failed WordPress logins
By default, the plugin keeps a log of all the usernames tried in failed login attempts that do not match an existing WordPress user. The list of usernames is kept in the database. You can also download the list of usernames as a log file from the alert details by clicking “Download the log file” under the Message section, as seen in the screenshot above.