WordPress limit login attempts: How to & best plugin

Limiting login attempts on WordPress is a smart security strategy that can protect you from brute-force attacks. Because these attacks rely on a large number of login attempts, a login limit cuts them off after a few tries. A few attempts are more than enough for a legitimate user who happens to have forgotten their password, whereas a brute-force attack needs considerably more.

WordPress does not offer functionality for limiting login attempts out of the box. As such, we need a limit login attempts plugin. Melapress Login Security is more than just a WordPress limit login attempts plugin. Not only does it easily limit unauthorized access attempts, but it also includes many other security features for protecting your WordPress login page.

Melapress Login Security comes in a number of different editions and plans so that you can easily choose the one that best fits your requirements and budget. All included features are listed on the pricing page, making it easy to compare the available options.

Once you purchase the plugin, you’ll receive an email with your license key and a download link. Alternatively, you can log in to your My Account page by visiting Melapress.com. Here, you’ll find everything related to your account conveniently located under one digital roof.

Download the plugin .ZIP to your computer and take note of the license key. We’ll be using both of these in the next step.

First, log in to your WordPress website dashboard and then navigate to Plugins > Add New Plugin. Next, click on Upload Plugin, located at the top of the page, then click on Choose File. Find the .ZIP file downloaded in the previous step and click on Open. Lastly, click on Install Now to install the plugin.

Once the plugin has been successfully installed, activate it. You’ll then be asked to enter your license key, which activates the premium features associated with your plan.

With the plugin installed and activated, we can now go ahead and place a limit on login attempts.

Navigate to Login Security > Login Security Policies. Tick the Enable login security policies checkbox and scroll down to the Enable Login limitation policies section.

To enable the failed logins policy, tick the Activate failed login policies checkbox and then fill out the following information:

  • Number of failed login attempts before locking a user: Enter the number of tries a user is allowed before their account is locked
  • Number of failed login attempts before locking a user: Enter the number of minutes over which
  • When a user is locked: Choose what happens when a user is locked after too many failed login attempts, whether the account should only be unlocked by an administrator or automatically after a period of time passes
  • Require blocked users to reset password on unblock: Enable this setting to require users whose accounts have been blocked due to too many failed login attempts to reset their password on unblock

Once you have made your selections, scroll all the way down to the bottom of the screen and click on Save Changes.
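To make the four settings above concrete, here is an added example (not the plugin's code, and not how Melapress Login Security is implemented) that models the policy in plain Python: a rolling window of failed attempts, a lock once the limit is reached, either a timed or an administrator-only unlock, and an optional forced password reset on unlock. The parameter names (max_attempts, window_minutes, unlock, lockout_minutes, require_reset_on_unlock) are assumptions chosen to mirror the settings, and the traffic in run_scenarios() is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Added example, not the plugin's code: a model of the failed-login policy
# described above. Parameter names are assumptions that mirror the four settings.


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failures inside the window
    locked_at: Optional[datetime] = None
    must_reset: bool = False


class FailedLoginPolicy:
    def __init__(self, max_attempts=5, window_minutes=15, unlock="auto",
                 lockout_minutes=30, require_reset_on_unlock=False):
        if unlock not in ("auto", "admin"):
            raise ValueError("unlock must be 'auto' (timed) or 'admin' (manual)")
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_minutes)
        self.unlock = unlock
        self.lockout = timedelta(minutes=lockout_minutes)
        self.require_reset = require_reset_on_unlock
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.unlock == "auto" and now - st.locked_at >= self.lockout:
            st.locked_at, st.failures = None, []  # timed lock has expired
            return False
        return True  # still locked, or waiting for an administrator

    def attempt(self, user, password_ok, now):
        """Outcome of one attempt: 'ok', 'fail', 'locked' or 'reset_required'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"  # rejected before the password is even checked
        if st.must_reset:
            return "reset_required"  # unlocked, but must reset the password first
        if password_ok:
            st.failures = []
            return "ok"
        # Only failures inside the rolling window count towards the limit.
        st.failures = [t for t in st.failures if now - t <= self.window]
        st.failures.append(now)
        if len(st.failures) >= self.max_attempts:
            st.locked_at = now
            if self.require_reset:
                st.must_reset = True
            return "locked"
        return "fail"

    def admin_unlock(self, user):
        st = self._state(user)
        st.locked_at, st.failures = None, []

    def password_reset(self, user):
        self._state(user).must_reset = False


def simulate(policy, user, attempts, t0=datetime(2024, 1, 1, 12, 0, 0)):
    """attempts: (seconds after t0, password_ok) pairs -> list of outcomes."""
    return [policy.attempt(user, ok, t0 + timedelta(seconds=s)) for s, ok in attempts]


def run_scenarios():
    """Constructed traffic: a forgetful user, a scripted bot, a slow guesser, a manual unlock."""
    out = {}
    auto = FailedLoginPolicy(max_attempts=5, window_minutes=15, unlock="auto", lockout_minutes=30)
    out["forgetful_user"] = simulate(auto, "alice", [(0, False), (40, False), (90, True)])
    out["scripted_bot"] = simulate(auto, "bob", [(i, False) for i in range(8)])
    out["bot_target_after_lockout"] = simulate(auto, "bob", [(1900, True)])  # 30 min later
    slow = [(0, False), (600, False), (1200, False), (1800, False)]  # one guess every 10 min
    out["slow_guesser_15min_window"] = simulate(FailedLoginPolicy(3, 15), "carol", slow)
    out["slow_guesser_60min_window"] = simulate(FailedLoginPolicy(3, 60), "carol", slow)
    manual = FailedLoginPolicy(3, 15, unlock="admin", require_reset_on_unlock=True)
    out["admin_unlock_before"] = simulate(manual, "dave", [(0, False), (1, False), (2, False), (86400, True)])
    manual.admin_unlock("dave")
    out["admin_unlock_after"] = simulate(manual, "dave", [(86401, True)])
    manual.password_reset("dave")
    out["after_reset"] = simulate(manual, "dave", [(86402, True)])
    return out
```

The two "slow guesser" scenarios show why the window setting matters as much as the attempt count: four wrong guesses ten minutes apart never trip a 3-in-15-minutes limit, because the oldest failure has aged out by the time the third arrives, but the same traffic locks the account under a 60-minute window. The "admin" unlock scenario shows the trade-off in the other direction: the account stays locked a day later until someone unlocks it, and with the reset requirement on, even the correct password is refused until the reset is done.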

Why limit login attempts on WordPress?

It’s no secret that bad actors target WordPress websites every day. While they might not be after your WordPress sites specifically, they may still want to gain access for other reasons, such as spam redirections. With automated bots typically employed for such endeavors, softer targets are usually preferred.

One way bad actors try to gain access is by brute-forcing their way in. People are notoriously bad at choosing strong passwords, which is why such attacks are common. In a brute-force attack, bots work through many username and password combinations, typically drawn from lists of common or previously leaked credentials, until one succeeds.

By limiting login attempts, you take away the one thing that brute force attacks have going in their favor – the ability to try different combinations. With unlimited login attempts, attackers can keep on trying until they’re successful. By implementing login attempt limits, the number of tries is cut short, rendering the premise behind such an attack useless.

Limiting login attempts is also more robust than blocking malicious IP addresses, since bad actors can easily change their IP. One caveat: a lock that applies to the targeted account, rather than to the attacker's address, can be triggered deliberately to keep a legitimate user (the administrator, for example) out, so choose an automatic unlock period you can live with, or make sure an administrator can unlock accounts promptly.

The different types of login attempts

Not all failed login attempts are equal. Understanding the differences can help you understand whether a user genuinely forgot their password or a breach attempt took place.

The first type of failed login attempt we’ll look at is one where the username is known but the password entered is incorrect. Typically this means the user forgot their password; however, we need to be careful before concluding anything.

Bad actors are known to use dictionary attacks for both usernames and passwords, and tools such as WPScan can enumerate the users of a WordPress website (through author archive pages or the REST API, for instance), handing the attacker a list of valid usernames to target.

The second type of failed login attempt is one where both the username and the password are invalid. This tells us that whoever tried to log in was guessing both, which is typically a tell-tale sign of an intrusion attempt.

One other factor that we need to look at is time. Here, we need to look at how many login attempts occurred in a given unit of time. Bots can submit login attempts faster than legitimate users can.

A genuine user will typically pause between one attempt and the next, taking time to remember whether the password they just entered was the correct one. A bot will move straight to the next username and password combination on its list, which generates many failed login attempts over a short period of time.

Where to find failed login attempts

Curious whether there have been any failed login attempts and where they came from? Then you need WP Activity Log, a comprehensive activity log plugin that records failed login attempts (among many other user and system activities).

With WP Activity Log installed, navigate to WP Activity Log > Log Viewer. Here, we will need to search for two particular events:

  • 1002: Events under Event ID 1002 list failed logins for WordPress users, that is to say, login attempts that got the username right but the password wrong
  • 1003: Events under Event ID 1003 list failed login for non-WordPress users, that is to say, login attempts that got both username and password wrong

What information does the failed login log include?

Now that we have identified suspicious login attempts in the WP Activity Log Log Viewer, we can look at the data included in each entry to make some deductions.

  • ID: This is the first column in the log viewer, which tells us the Event ID. Since we are looking for failed logins, this should read either 1002 or 1003
  • Date: The third column in the Log Viewer tells us the date and time the event took place. The Log Viewer is organized chronologically by default, making it easy to assess the number of failed logins over any time period
  • User: This tells us which user account the failed login attempt happened for. For event ID 1003, where both username and password were wrong, this will show as System since the user does not exist in WordPress
  • IP: The IP address the login attempt originated from. If you see many failed attempts from the same IP address, you can block it. However, be aware that most bad actors use some form of VPN, proxy or tunneling to hide their actual IP, so blocking every such address becomes a never-ending game of cat and mouse. Also check that the logged address is really the client's: a site behind a CDN or reverse proxy records the proxy's address unless the forwarded client IP is passed through correctly
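The timing argument above (bots fire attempts in quick succession, people pause) and the 1002/1003 split can be turned into a small triage script. The following is an added example and not part of WP Activity Log: the rows in SAMPLE_LOG are constructed to look like the four Log Viewer columns just described (ID, date, user, IP), the "bot-like" thresholds in triage() are assumptions, and the row with ID 1000 stands in for any event type that is not a failed login and must be filtered out.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Added example, not part of WP Activity Log. Event IDs follow the page: 1002 is a
# failed login for an existing user, 1003 for a non-existent one (User column
# shows "System"). Thresholds in triage() are assumptions, not plugin values.
FAILED_LOGIN_IDS = {"1002": "existing_user", "1003": "nonexistent_user"}

# Constructed sample rows: id,datetime,user,ip
SAMPLE_LOG = """\
1002,2024-03-04 09:12:10,jane,203.0.113.7
1002,2024-03-04 09:12:51,jane,203.0.113.7
1002,2024-03-04 09:14:03,jane,203.0.113.7
1000,2024-03-04 09:14:30,jane,203.0.113.7
1003,2024-03-04 09:30:00,System,198.51.100.23
1003,2024-03-04 09:30:01,System,198.51.100.23
1003,2024-03-04 09:30:02,System,198.51.100.23
1003,2024-03-04 09:30:03,System,198.51.100.23
1003,2024-03-04 09:30:04,System,198.51.100.23
1003,2024-03-04 09:30:05,System,198.51.100.23
1002,2024-03-04 09:40:00,admin,192.0.2.55
1002,2024-03-04 09:40:01,admin,192.0.2.55
1002,2024-03-04 09:40:02,admin,192.0.2.55
1002,2024-03-04 09:40:03,admin,192.0.2.55
1003,2024-03-04 09:45:00,System,192.0.2.9
"""


def parse_events(text):
    """Parse 'id,datetime,user,ip' rows into dicts with a real datetime."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        event_id, when, user, ip = row
        events.append({"id": event_id, "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "ip": ip})
    return events


def triage(events, burst_gap_s=5.0, min_attempts=3):
    """Per source IP: how many failed logins, against which kind of user, and how fast."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] in FAILED_LOGIN_IDS:  # ignore everything that is not a failed login
            by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        median_gap = statistics.median(gaps) if gaps else None  # None for a lone attempt
        counts = {"existing_user": 0, "nonexistent_user": 0}
        for ev in evs:
            counts[FAILED_LOGIN_IDS[ev["id"]]] += 1
        # Only 1002 rows carry a real username; 1003 rows show "System".
        users = sorted({ev["user"] for ev in evs if ev["id"] == "1002"})
        if len(evs) >= min_attempts and median_gap is not None and median_gap <= burst_gap_s:
            verdict = "bot-like"      # a burst no person types by hand
        elif len(evs) < 2:
            verdict = "single attempt"
        else:
            verdict = "human-paced"
        report[ip] = {"attempts": len(evs), **counts, "users": users,
                      "median_gap_s": median_gap, "verdict": verdict}
    return report


def suspicious_ips(report):
    """Addresses worth a closer look (or a block), sorted for stable output."""
    return sorted(ip for ip, r in report.items() if r["verdict"] == "bot-like")


if __name__ == "__main__":
    for ip, r in triage(parse_events(SAMPLE_LOG)).items():
        print(ip, r)
```

In the sample data, jane's three wrong passwords a minute apart read as a forgotten password, the six 1003 events one second apart from one address are a bot guessing usernames, and the four 1002 events against admin from another address are the more worrying case from the previous section: someone already knows a valid username and is guessing only the password. The median gap is used rather than the minimum so that a single accidental double-submit by a real user does not mark them as a bot.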

Other security considerations to keep in mind

Limiting login attempts is a solid security measure that will help you protect your WordPress site. However, you can take full advantage of everything Melapress Login Security has to offer to increase your security even further.

Hide login page

Most attacks on WordPress websites are automated. With the WordPress login page being no secret, bots will have no trouble finding the login page.

By changing the URL, you make it harder for bad actors to find the login page in the first place. Changing the login URL is easy with Melapress Login Security. Navigate to Login Security > Hide login page and enter the new URL, along with the URL you want to redirect the old login page to. Click Save Changes, and you’re done. Keep in mind that a hidden login URL raises the cost of untargeted scanning but is not an access control: the new URL can leak through bookmarks, links or referrer headers, and WordPress also accepts credentials through other routes such as XML-RPC, so keep the login limit, strong passwords and 2FA in place regardless.

Strong password policy

Melapress Login Security also offers a password policy feature that enables you to mandate strong passwords for all of your users. Stronger passwords are more difficult to brute-force than weak passwords. By ensuring users use passwords that meet best practices, the security offered by passwords is maximized.

Password policies can be as complex as you want them to be, thanks to the flexibility of Melapress Login Security. The default settings ensure you meet the minimum best practices. However, you can adjust these as you see fit.

While strong passwords will not limit login attempts, they decrease the risk of a successful incursion.

2FA

Two-factor authentication is one surefire way to stop potential brute-force attacks in their tracks. Anyone trying to log in will not be able to proceed with their login attempts in WordPress unless they provide the corresponding OTP.

With WordPress 2FA, even if passwords get leaked, illegitimate users will still not be able to log in unless they are able to receive the OTP, drastically increasing the security of your websites.

CAPTCHA

CAPTCHA is a test that tells humans and computers apart. As such, it can limit login attempts from bots, which is what bad actors often use to try to gain access. While CAPTCHA is not often one of the security solutions that comes to mind when thinking about a way to limit logins, it is a useful tool to have.

Limiting login attempts on WordPress

Good WordPress security requires a holistic approach. Limiting the number of login attempts is a good strategy, especially as part of a wider effort to harden login security.

Melapress Login Security is a WordPress security plugin that not only limits login attempts but also offers other security management options to keep your site secure. With many plugin settings to configure, WordPress login protection has never been easier than this.
