Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPBカップ
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

WordPressでログイン試行を制限する方法と理由

編集メモ: WPBeginner のパートナーリンクから手数料を得ています。手数料は編集者の意見や評価に影響を与えません。編集プロセスについて詳しく知る。

WordPressのログイン試行を制限したいですか?

ハッカーは、WordPressの管理者パスワードを推測するために、あなたのサイトに総当たり攻撃を使用する可能性があります。彼らがログインを試みることができる回数を制限すれば、成功する可能性を大幅に減らすことができます。

この投稿では、WordPressサイトでログイン試行を制限する方法とその理由を紹介します。

How and Why You Should Limit Login Attempts in WordPress

なぜWordPressでログイン試行を制限する必要があるのか?

ブルートフォースアタックとは、試行錯誤を繰り返してWordPressサイトに侵入する方法です。

ブルートフォース攻撃の最も一般的なタイプは、パスワードの推測です。ハッカーは自動化されたソフトウェアを使用してログイン情報を推測し、サイトにアクセスできるようにします。

WordPressの初期設定では、ユーザーは何度でもパスワードを入力することができます。ハッカーは、正しいログインを推測するまで異なる組み合わせを入力するスクリプトを使用して、これを悪用しようとするかもしれません。

ユーザーごとのログイン失敗回数を制限することで、ブルートフォース攻撃を防ぐことができます。例えば、ログインに5回失敗したユーザーを一時的にロックアウトすることができます。

Temporarily Lock Out a User After Failed Login Attempts

残念なことに、パスワードを何度も間違えて入力してしまい、WordPressサイトからロックアウトされてしまうユーザーがいます。そのような状況に陥った場合は、WordPressのログイン試行回数の制限を解除する方法をご覧ください。

ということで、WordPressでログイン試行回数を制限する方法を見てみましょう。

動画チュートリアル

Subscribe to WPBeginner

文章での説明がお好きな方は、そのまま読み進めてください。

WordPressでログイン試行を制限する方法

最初に行う必要があるのは、Limit Login Attempts Reloadedプラグインをインストールして有効化することです。詳しくは、WordPressプラグインのインストール方法のステップバイステップガイドをご覧ください。

このチュートリアルで必要なのはすべて無料版です。有効化した後、Settings ” Limit Login Attemptsのページにアクセスし、一番上の’Settings’タブをクリックしてください。

ほとんどのサイトでは初期設定で問題ありませんが、あなたのサイトに合ったセキュリティプラグインの設定方法を説明します。

Limit Login Attempts Reloaded Settings

GDPR法を遵守するために、「GDPR遵守」チェックボックスをクリックしてログインページにメッセージを表示することができます。GDPRの詳細については、WordPressとGDPRコンプライアンスに関するガイドをご覧ください。

次に、誰かがロックアウトされたときに通知を受けるかどうかを選択します。必要に応じて、通知を送信するメールアドレスを変更することができます。初期設定では、ユーザーがロックアウトされた3回目に通知されます。

ログインの再試行回数と、ユーザーが再試行するまでのロックアウト時間を定義することができます。

Limit Login Attempts Reloaded Settings

まず、ログイン試行回数を定義する必要がある。その後、ユーザーが失敗した試行回数を超えた場合、何分待たなければならないかを選択します。初期設定は20分です。

また、ユーザーが指定回数ロックアウトされると、待ち時間を長くすることもできます。たとえば、初期設定では、ユーザーが4回ログアウトすると、24時間ログインしようとする権限がありません。

セキュリティ上の理由から、「信頼済みIPオリジン」の設定は変更しないことをお勧めします。

画面下の「設定を保存」ボタンをクリックして、変更内容を保存することをお忘れなく。

関連このプラグインについての詳細は、Limit Login Attempts レビューをご覧ください。

WordPressサイトを保護するためのプロのヒント

ログインの試行を制限することは、WordPressサイトを安全に保つ一つの方法に過ぎません。

WordPressサイトを保護する最初のレイヤーはパスワードです。WordPressサイトでは、常に強力なパスワードを使用する必要があります。

強力なパスワードを覚えるのは大変ですが、パスワードマネージャーを使えば簡単です。複数投稿者のWordPressサイトを運営している場合は、WordPressでユーザーに強力なパスワードを強制する方法をご覧ください。

WordPressのログインページがまだ攻撃を受けている場合は、Google reCAPTCHA for WordPress loginを追加することもできます。これにより、DDoS攻撃をさらに減らすことができます。

ハッカーは常にシステムを回避する新しい方法を見つけるため、100%安全なサイトはありません。そのため、WordPressサイトの完全なバックアップを常に取っておくことが非常に重要です。Duplicatorまたは他の人気のあるWordPressバックアッププラグインを使用することをお勧めします。

もしあなたがビジネスサイトをお持ちなら、ブルートフォースアタックなどに対処するファイアウォールを追加することを強くお勧めします。私たちはSucuriを使用して安全性を保証しており、万が一サイトに何かあった場合は、追加料金なしでSucuriのチームが責任を持って修正します。

サイトセキュリティのヒントについては、究極のWordPressセキュリティガイドをご覧ください。

このチュートリアルで、WordPress でログイン試行を制限する方法をご理解いただけたでしょうか。また、最適な WordPress ホスティングサービスの選び方や、サイトを成長させるために必須のプラグインを専門家が厳選したガイドもご覧ください。

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

情報開示 私たちのコンテンツは読者支援型です。これは、あなたが私たちのリンクの一部をクリックした場合、私たちはコミッションを得ることができることを意味します。 WPBeginnerの資金源 をご覧ください。3$編集プロセスをご覧ください。

Avatar

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

究極のWordPressツールキット

ツールキットへの無料アクセス - すべてのプロフェッショナルが持つべきWordPress関連製品とリソースのコレクション!

Reader Interactions

56件のコメント返信を残す

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Jiří Vaněk says

    Is there another way than a plugin? E.g. using htaccess or similar component? I have my own server and would like to have this limit on my site. However, I already have relatively enough plugins and would not like to add more. So I’m looking for a way to do it without a plugin.

  3. Linda Willis says

    Thanks so much for this very helpful article on a plugin to stop the huge number of brute force attacks our site has endured recently. I’ve just installed it, using your easy to follow step by step guide to its settings. Can’t wait to see how it works!

    Also followed the link to password managers. Thanks to your comments, I’m going to try LastPass again. We’ve been using Dashlane (free version) for a few years, but are frustrated by some of its rules. LastPass paid version sounds like a much better deal. Now to determine how to make the switch … easily!

    Thanks again!

    Linda

  4. kristyburkholder says

    Good day! This is kind of off topic but I need some advice from an established blog. Is it tough to set up your own blog? I’m not very techincal but I can figure things out pretty fast. I’m thinking about making my own but I’m not sure where to start. Do you have any tips or suggestions? With thanks

  5. Paul Gent says

    I have Limit Login Attempts (yes, I need to update to something newer) and am being attacked all the time. I have added a new user as an administrator in an attempt to be able to access my own website without having to wait. But even then I have been kicked out before I can create any posts.

    Does anyone have any advice please?

    • Shyam Chathuranga says

      Yep, you’re right. I’ve been using the Limit Login Attempts plugin for this whole time and recently, it started blocking all users instead of blocking the attacker based on his IP.

      So, I guess I’ve to say bye for that plugin and use something else now.

  6. Miguel says

    I recently installed WordFence to monitor my website security. It offers a feature for limiting login attempts. Consequently, I deactivated and deleted Limit Login Attempts Reloaded.

    However, within WP Admin> Settings, there remains Limit Login Attempts. Do you know if that is installed by default with WP and regardless, how I can get rid of it.?

    I believe that it’s overriding the settings in WordFence.

    Thanks for your time,
    Miguel

  7. erlindawva says

    Howdy this is somewhat of off topic but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding knowledge so I wanted to get advice from someone with experience. Any help would be greatly appreciated!

  8. Jorge Manuel says

    I received the ‘exceeded maximum retries’ message today – but with an absolute correct password!
    How can this be?
    I just started setting up this WP site two days ago, it has no content aside from a free theme and a title. I installed login lockdown, but it is NOT activated.
    it baffles me why there would be a BF attack on an obscure site name with barely 90 MB content…

  9. Alam Khan says

    Hi WPBginner’s Team,

    Thanks a lot for creating such a huge and useful content for WordPress users like us. I always search for solutions at your website and also get the solution every time since last 2-3 years.

    Today is the first time I am posting a comment for the above issue, I am using Limit Login Attempts plugin and it really helps me in keeping my website secure as per day I see 10-15 failed login attempts, but sometimes it is locked for 24 hours, which restrict us also. Is it possible to use Login LockDown also and block wrong attempts by IP, so that our genuine users are not blocked.

    Is it possible to use Limit Login Attempts plugin and Login LockDown plugin at the same time on the same website?

    Thanks
    Alam Khan
    Founder

  10. cheryleduryea says

    Hmm it looks like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I wrote and say, I’m thoroughly enjoying your blog. I as well am an aspiring blog writer but I’m still new to the whole thing. Do you have any points for beginner blog writers? I’d certainly appreciate it.

  11. agustinpenny920 says

    Hi, of course this article is genuinely good and I have learned lot of things from it regarding blogging. thanks.

  12. adelaida5489 says

    With havin so much content and articles do you ever run into any issues of plagorism or copyright violation? My blog has a lot of unique content I’ve either created myself or outsourced but it seems a lot of it is popping it up all over the web without my agreement. Do you know any methods to help prevent content from being stolen? I’d certainly appreciate it.

  13. Suji says

    Hi

    Thanks 4 d article. Informative.

    Is there any option to limit the login attempts without using any plugins?

  14. YNS says

    Hi,

    With the a bundle of trusted plugins (which at the same time offer multiple other security feature), It’s no longer that hard to protect WordPress sites from attacks like login attempt.

    Those complaining about the feature not being in-built should realize the functionality extensions are meant to serve. The WordPress ecosystem is just scalable, I really like it. But need more partnership with powerful CDN provider. In countries like China, a good plugin like JetPack becomes useless because all the IPs it connects to are malicious to the Great Firewall.

    This Blog is very useful, especially when promoting successful open source WordPress projects.

  15. Brad says

    One of my sites get’s nearly 100 login attempts per month. Like many of you, I find it odd since it’s not an ecommerce site and we gather no user information. I installed Wordfence Security plugin which offers lock out options for any incorrect username as well as by IP and even entire countries.

    It also has several other defenses which have proved to be invaluable. The web isn’t safe without some sort of protection. If you any of you know of a better one, please share.

    Safe Programming!
    Brad

  16. Steve says

    No one has mentioned Jetpack, which has a module called Brute Protect. This blocks users from suspicious IP addresses automatically. It is based on a global network that can track spammers from all over the web.

  17. Pete says

    Thank you for another the tip. I use BackupBuddy and I love that it automatically runs my backups but it also enables users to easily migrate sites to other servers. Especially going from a local host to a live server.

  18. Donna says

    Its funny I get this email b/c I work up to 27 attempts at my site over night from all over the world.. I mean really what do they want I have a sewing and fashion blog? What they attempt to gain from this taking over my site and pay them?? I just changed my settings a few days ago prior to this article because I was getting quite a few hacks.. Now this am over 27 which is the most I have ever seen.

  19. Connor Rickett says

    Is that a question that really needs an answer? Because it prevents brute force hacking (or at least slows it way down).

    Why WP doesn’t come with limited login attempts out of the box, now THAT’S a question that I’d like to see a blog post addressing.

  20. Iza says

    I am using Limit Login Attempts in combination with another great safety plug-in called WP-Ban. The Limit Login Attempts plug-in sends me an e-mail after second I believe unsuccessful login attempt with the IP of the user. I paste this user into Ban plug-in and next time, the user will not be able to try log-in at all. Just another layer of security against trolls.

    • Nika says

      Limit Login Attempts hasn’t been updated in over 3 years. It’s outdated. Login LockDown has poor functionality and why it’s recommended here I don’t know.
      A few weeks ago I’ve installed WP Cerber instead.
      It looks like a strong solution. It does all the things as expected.

  21. Joris Heyndrickx says

    I think it’s time WordPress should have configurable paths so that we finally can het rid of example.com/wp-admin. I saw requests for this, 8 years ago.

  22. Jon Schear says

    I’ve used this a couple times. Brought the usual load of 50 emails an hour about lockout notifications down to 0.

    Recaptcha is another good one, but much more difficult to implement.

  23. Han Balk says

    I switched from LLA to Wordfence, because of all the extra security features it’s got.

    Every Operating System has a feature to limit login attempts. I know WordPress is a CMS and not an OS, But it is a mature CMS and the WordPress community would greatly benefit of a buitlin login limitation that’s enabled by default. A lot of WordPress sites are “vulnerable” for unlimited login attempts, because they’re not properly protected and the owners are not security aware.

    It can’t be that difficult to built in a login limitation and enable it by default in one of the forthcoming WordPress versions?

  24. Howard says

    Limit Login Attempts has not been updated in a couple of years, and has some “holes” in it. I discovered this in my logs, where I found nearly 100 “lockouts” in a 10-minute period from the same IP. The lockouts were activated after the 2nd unsuccessful attempts, and were supposed to be for 72 hours. They were coming so fast that it was an effective DoS, and required some effort to get it stopped. It’s fairly obvious that the script kiddie has bypassed the lockout. The attacks from that IP address stopped when I was finally able to add it to the deny list in .htaccess.
    .
    I still use LLA for the limited but useful information and notifications, but I don’t rely on it to keep my site secure.

  25. FranE says

    I notice this functionality on some of my sites, even though they don’t have the plugin installed. Is it included in certain themes? Maybe Genesis?

    • WPBeginner Staff says

      We are not aware of any themes including this functionality. Remember themes are not supposed to add functionality to your WordPress site. Functionality comes under plugins. May be it is something added by your web host?

  26. Grayhambo says

    There appear to be some compatibility issues with this plugin with WP 4.0, as it hasn’t been updated in over 2 years. Can lock you out of the admin panel. If this happens, then you need to disable the plugin in the usual way, using something like cPanel access.

  27. Torben Heikel Vinther says

    Sounds like a good and simple plugin, but why not use Better WP Security instead? BWS has a whole section about Limit Login Attempts AND many other security issues in one single plugin! In addition BWS was last updated 2013-8-24. Limit Login Attempts hasn’t been updated since 2012-6-1!

    • Editorial Staff says

      Torben, there are a lot of plugins that offers this functionality. Limit Login Attempts is a simple plugin that does one thing and does it real well. That’s not to say that BWS is a bad solution. It’s a very good solution (over 1 million downloads on the plugin already proves that).

      管理者

  28. ColeRuddick says

    Excellent tip! As WordPress is the most widely used platform out there now, site security should be something all users are taking seriously and this plugin is a great help. Thanks for sharing!

  29. doug_eike says

    I’ve been looking for ways to protect my blog, and your plugin suggestion looks as if it might be helpful. I’ll take a look at it. Thanks!

返信を残す

コメントありがとうございます。すべてのコメントは私たちのコメントポリシーに従ってモデレートされ、あなたのメールアドレスが公開されることはありませんのでご留意ください。名前欄にキーワードを使用しないでください。個人的で有意義な会話をしましょう。