WPBeginner

Beginner's Guide for WordPress

  • Blog
    • Beginners Guide
    • News
    • Opinion
    • Showcase
    • Themes
    • Tutorials
    • WordPress Plugins
  • Start Here
    • How to Start a Blog
    • Create a Website
    • Start an Online Store
    • Best Website Builder
    • Email Marketing
    • WordPress Hosting
    • Business Name Ideas
  • Deals
    • Bluehost Coupon
    • SiteGround Coupon
    • WP Engine Coupon
    • HostGator Coupon
    • Domain.com Coupon
    • Constant Contact
    • View All Deals »
  • Glossary
  • Videos
  • Products
X
☰
Beginner's Guide for WordPress / Start your WordPress Blog in minutes
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
Recommended
WordPress Plugins
View all Guides

WPBeginner» Blog» Plugins» How and Why you should Limit Login Attempts in your WordPress

How and Why you should Limit Login Attempts in your WordPress

Last updated on October 5th, 2015 by Editorial Staff
374 Shares
Share
Tweet
Share
Pin
Free WordPress Video Tutorials on YouTube by WPBeginner
How and Why you should Limit Login Attempts in your WordPress

From time to time hackers may try to break into your WordPress site by guessing your admin password. By default, WordPress allows users to try different passwords as many times as they want. This is also known as brute force attack. However, you can change this and add an extra layer of security to your WordPress site. In this article, we will show you how and why you should limit login attempts in your WordPress.

Limit login attempts in WordPress

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

Why you need to Limit Login Attempts in WordPress?

By default, WordPress allows users to enter passwords as many times as they want. Hackers may try to exploit this by using scripts that enter different combinations until your website cracks.

To prevent this, you can limit the number of failed login attempts per user.

For example, you can say after 5 failed attempts, lock the user out temporarily.

If someone has more than 5 failed attempts, then your site block their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer.

Locked out for too many login attempts

How to Limit Login Attempts in WordPress?

First thing you need to do is install and activate the Login LockDown plugin. Upon activation, you need to visit Settings » Login LockDown page to configure the plugin settings.

Login LockDown settings

First you need to define how many login attempts can be made. After that choose how long a user will be unable to retry if they exceed the failed attempts.

You can also define the lockout period for IP range blocks. The default value is 60 minutes, you can adjust that if you need.

The plugin will allow users to keep trying different invalid usernames. Click on yes under lockout invalid usernames option to stop this.

By default, WordPress lets users know that whether they entered an invalid username or invalid password on failed logins. You can hide this by clicking yes under mask login errors option.

Don’t forget to click on the update settings button to store your changes.

Pro Tip

The first layer of protection to your WordPress sites is your passwords. You should always use strong passwords on your WordPress site. We understand that strong passwords are difficult to remember. But see our beginner’s guide which shows the best way to manage passwords for WordPress users.

If you run a multi-author WordPress site, then see how you can force strong passwords on users in WordPress.

No website is 100% safe because hackers always find new ways to get around the system. That’s why it’s crucial that you keep complete backups of your WordPress site at all times. We recommend BackupBuddy plugin. Here’s a list of the best WordPress backup plugins.

If your website is a business, then we strongly recommend that you add a firewall which takes care of the brute-force attacks and so much more. We use Sucuri which guarantees our safety and if anything happens to our site, then their team is responsible to fix it at no-additional charge.

We hope you found this article useful, and you have successfully added login attempts limit to your WordPress site. You may also want to see our list of 13 vital tips and tools to protect your WordPress admin area.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

374 Shares
Share
Tweet
Share
Pin
Popular on WPBeginner Right Now!
  • How to Properly Move Your Blog from WordPress.com to WordPress.org

  • Checklist

    Checklist: 15 Things You MUST DO Before Changing WordPress Themes

  • How to Start Your Own Podcast (Step by Step)

    How to Start Your Own Podcast (Step by Step)

  • How to Fix the Error Establishing a Database Connection in WordPress

    How to Fix the Error Establishing a Database Connection in WordPress

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

The Ultimate WordPress Toolkit

55 Comments

Leave a Reply
  1. Peter Brooks says:
    Mar 23, 2020 at 6:00 am

    I wanted to install the Login Lockdown plugin but it appears that it is not compatible with the latest release of WordPress is there an alternative that is?

    Reply
    • WPBeginner Support says:
      Mar 24, 2020 at 8:34 am

      The plugin should currently still be working. If you’re worried about the not tested with your version of WordPress method then you would want to take a look at our article here: https://www.wpbeginner.com/opinion/should-you-install-plugins-not-tested-with-your-wordpress-version/

      Reply
  2. Linda Willis says:
    Apr 3, 2019 at 10:57 am

    Thanks so much for this very helpful article on a plugin to stop the huge number of brute force attacks our site has endured recently. I’ve just installed it, using your easy to follow step by step guide to its settings. Can’t wait to see how it works!

    Also followed the link to password managers. Thanks to your comments, I’m going to try LastPass again. We’ve been using Dashlane (free version) for a few years, but are frustrated by some of its rules. LastPass paid version sounds like a much better deal. Now to determine how to make the switch … easily!

    Thanks again!

    Linda

    Reply
    • WPBeginner Support says:
      Apr 4, 2019 at 11:03 am

      Glad our article and recommendations could help :)

      Reply
  3. Adil says:
    Mar 25, 2019 at 1:38 am

    The outstanding article of website security. I have used this plugin in our many websites.

    Reply
    • WPBeginner Support says:
      Mar 25, 2019 at 1:34 pm

      Thank you, glad you found the plugin helpful :)

      Reply
  4. kristyburkholder says:
    Feb 26, 2019 at 12:25 pm

    Good day! This is kind of off topic but I need some advice from an established blog. Is it tough to set up your own blog? I’m not very techincal but I can figure things out pretty fast. I’m thinking about making my own but I’m not sure where to start. Do you have any tips or suggestions? With thanks

    Reply
    • WPBeginner Support says:
      Feb 27, 2019 at 10:13 am

      It is not overly difficult to start a blog, we have a guide on how to start one here: https://www.wpbeginner.com/start-a-wordpress-blog/

      Reply
  5. Paul Gent says:
    Jul 10, 2017 at 4:53 pm

    I have Limit Login Attempts (yes, I need to update to something newer) and am being attacked all the time. I have added a new user as an administrator in an attempt to be able to access my own website without having to wait. But even then I have been kicked out before I can create any posts.

    Does anyone have any advice please?

    Reply
    • Shyam Chathuranga says:
      Jul 25, 2017 at 1:17 am

      Yep, you’re right. I’ve been using the Limit Login Attempts plugin for this whole time and recently, it started blocking all users instead of blocking the attacker based on his IP.

      So, I guess I’ve to say bye for that plugin and use something else now.

      Reply
  6. Miguel says:
    Apr 12, 2017 at 12:30 pm

    I recently installed WordFence to monitor my website security. It offers a feature for limiting login attempts. Consequently, I deactivated and deleted Limit Login Attempts Reloaded.

    However, within WP Admin> Settings, there remains Limit Login Attempts. Do you know if that is installed by default with WP and regardless, how I can get rid of it.?

    I believe that it’s overriding the settings in WordFence.

    Thanks for your time,
    Miguel

    Reply
  7. erlindawva says:
    Mar 30, 2017 at 12:54 am

    Howdy this is somewhat of off topic but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding knowledge so I wanted to get advice from someone with experience. Any help would be greatly appreciated!

    Reply
    • WPBeginner Support says:
      Mar 30, 2017 at 11:36 pm

      WordPress comes with a WYSIWYG editor. It also allows you to add HTML to write posts.

      Reply
  8. Jorge Manuel says:
    Feb 3, 2017 at 3:24 am

    I received the ‘exceeded maximum retries’ message today – but with an absolute correct password!
    How can this be?
    I just started setting up this WP site two days ago, it has no content aside from a free theme and a title. I installed login lockdown, but it is NOT activated.
    it baffles me why there would be a BF attack on an obscure site name with barely 90 MB content…

    Reply
  9. Alam Khan says:
    Nov 29, 2016 at 12:48 am

    Hi WPBginner’s Team,

    Thanks a lot for creating such a huge and useful content for WordPress users like us. I always search for solutions at your website and also get the solution every time since last 2-3 years.

    Today is the first time I am posting a comment for the above issue, I am using Limit Login Attempts plugin and it really helps me in keeping my website secure as per day I see 10-15 failed login attempts, but sometimes it is locked for 24 hours, which restrict us also. Is it possible to use Login LockDown also and block wrong attempts by IP, so that our genuine users are not blocked.

    Is it possible to use Limit Login Attempts plugin and Login LockDown plugin at the same time on the same website?

    Thanks
    Alam Khan
    Founder

    Reply
    • WPBeginner Support says:
      Nov 30, 2016 at 5:39 pm

      Hi Alam,

      We recommend using Login LockDown alone and not with limit login attempts.

      Reply
  10. cheryleduryea says:
    Sep 6, 2016 at 10:02 pm

    Hmm it looks like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I wrote and say, I’m thoroughly enjoying your blog. I as well am an aspiring blog writer but I’m still new to the whole thing. Do you have any points for beginner blog writers? I’d certainly appreciate it.

    Reply
  11. agustinpenny920 says:
    Sep 6, 2016 at 3:20 pm

    Hi, of course this article is genuinely good and I have learned lot of things from it regarding blogging. thanks.

    Reply
  12. adelaida5489 says:
    Aug 4, 2016 at 7:45 pm

    With havin so much content and articles do you ever run into any issues of plagorism or copyright violation? My blog has a lot of unique content I’ve either created myself or outsourced but it seems a lot of it is popping it up all over the web without my agreement. Do you know any methods to help prevent content from being stolen? I’d certainly appreciate it.

    Reply
    • WPBeginner Support says:
      Aug 5, 2016 at 9:32 am

      Please see our guide on preventing blog content scraping in WordPress.

      Reply
  13. Suji says:
    May 31, 2016 at 5:54 am

    Hi

    Thanks 4 d article. Informative.

    Is there any option to limit the login attempts without using any plugins?

    Reply
  14. YNS says:
    Oct 8, 2015 at 11:00 pm

    Hi,

    With the a bundle of trusted plugins (which at the same time offer multiple other security feature), It’s no longer that hard to protect WordPress sites from attacks like login attempt.

    Those complaining about the feature not being in-built should realize the functionality extensions are meant to serve. The WordPress ecosystem is just scalable, I really like it. But need more partnership with powerful CDN provider. In countries like China, a good plugin like JetPack becomes useless because all the IPs it connects to are malicious to the Great Firewall.

    This Blog is very useful, especially when promoting successful open source WordPress projects.

    Reply
  15. Brad says:
    Oct 8, 2015 at 12:58 pm

    One of my sites get’s nearly 100 login attempts per month. Like many of you, I find it odd since it’s not an ecommerce site and we gather no user information. I installed Wordfence Security plugin which offers lock out options for any incorrect username as well as by IP and even entire countries.

    It also has several other defenses which have proved to be invaluable. The web isn’t safe without some sort of protection. If you any of you know of a better one, please share.

    Safe Programming!
    Brad

    Reply
  16. Ed Dogan says:
    Oct 6, 2015 at 8:58 pm

    I like this better
    https://www.wpbeginner.com/wp-tutorials/how-to-limit-access-by-ip-to-your-wp-login-php-file-in-wordpress/

    Reply
  17. marian chapa says:
    Oct 5, 2015 at 5:20 am

    hey.. i forgot my admin password for my website.. how can i get access to edit my site

    Reply
    • WPBeginner Support says:
      Oct 5, 2015 at 3:25 pm

      Please see our guide what to do when locked out of WordPress admin area.

      Reply
  18. Steve says:
    Oct 5, 2015 at 3:08 am

    No one has mentioned Jetpack, which has a module called Brute Protect. This blocks users from suspicious IP addresses automatically. It is based on a global network that can track spammers from all over the web.

    Reply
  19. Pete says:
    Oct 4, 2015 at 12:03 pm

    Thank you for another the tip. I use BackupBuddy and I love that it automatically runs my backups but it also enables users to easily migrate sites to other servers. Especially going from a local host to a live server.

    Reply
  20. Donna says:
    Oct 4, 2015 at 9:24 am

    Its funny I get this email b/c I work up to 27 attempts at my site over night from all over the world.. I mean really what do they want I have a sewing and fashion blog? What they attempt to gain from this taking over my site and pay them?? I just changed my settings a few days ago prior to this article because I was getting quite a few hacks.. Now this am over 27 which is the most I have ever seen.

    Reply
  21. Connor Rickett says:
    Oct 2, 2015 at 6:54 pm

    Is that a question that really needs an answer? Because it prevents brute force hacking (or at least slows it way down).

    Why WP doesn’t come with limited login attempts out of the box, now THAT’S a question that I’d like to see a blog post addressing.

    Reply
  22. Iza says:
    Oct 2, 2015 at 5:59 pm

    I am using Limit Login Attempts in combination with another great safety plug-in called WP-Ban. The Limit Login Attempts plug-in sends me an e-mail after second I believe unsuccessful login attempt with the IP of the user. I paste this user into Ban plug-in and next time, the user will not be able to try log-in at all. Just another layer of security against trolls.

    Reply
    • Nika says:
      Oct 9, 2015 at 6:17 am

      Limit Login Attempts hasn’t been updated in over 3 years. It’s outdated. Login LockDown has poor functionality and why it’s recommended here I don’t know.
      A few weeks ago I’ve installed WP Cerber instead.
      It looks like a strong solution. It does all the things as expected.

      Reply
      • WPBeginner Support says:
        Oct 9, 2015 at 9:54 pm

        We do not agree that Login Lockdown has poor functionality. It does exactly what it says. We haven’t tested WP Cerber yet so we cannot comment on that.

        Reply
  23. Joris Heyndrickx says:
    Oct 2, 2015 at 6:57 am

    I think it’s time WordPress should have configurable paths so that we finally can het rid of example.com/wp-admin. I saw requests for this, 8 years ago.

    Reply
  24. Jon Schear says:
    Jul 2, 2015 at 12:03 pm

    I’ve used this a couple times. Brought the usual load of 50 emails an hour about lockout notifications down to 0.

    Recaptcha is another good one, but much more difficult to implement.

    Reply
  25. Han Balk says:
    Dec 11, 2014 at 2:52 am

    I switched from LLA to Wordfence, because of all the extra security features it’s got.

    Every Operating System has a feature to limit login attempts. I know WordPress is a CMS and not an OS, But it is a mature CMS and the WordPress community would greatly benefit of a buitlin login limitation that’s enabled by default. A lot of WordPress sites are “vulnerable” for unlimited login attempts, because they’re not properly protected and the owners are not security aware.

    It can’t be that difficult to built in a login limitation and enable it by default in one of the forthcoming WordPress versions?

    Reply
  26. Howard says:
    Nov 27, 2014 at 9:53 am

    Limit Login Attempts has not been updated in a couple of years, and has some “holes” in it. I discovered this in my logs, where I found nearly 100 “lockouts” in a 10-minute period from the same IP. The lockouts were activated after the 2nd unsuccessful attempts, and were supposed to be for 72 hours. They were coming so fast that it was an effective DoS, and required some effort to get it stopped. It’s fairly obvious that the script kiddie has bypassed the lockout. The attacks from that IP address stopped when I was finally able to add it to the deny list in .htaccess.
    .
    I still use LLA for the limited but useful information and notifications, but I don’t rely on it to keep my site secure.

    Reply
  27. FranE says:
    Nov 23, 2014 at 10:42 pm

    I notice this functionality on some of my sites, even though they don’t have the plugin installed. Is it included in certain themes? Maybe Genesis?

    Reply
    • WPBeginner Staff says:
      Nov 25, 2014 at 5:32 pm

      We are not aware of any themes including this functionality. Remember themes are not supposed to add functionality to your WordPress site. Functionality comes under plugins. May be it is something added by your web host?

      Reply
  28. Grayhambo says:
    Oct 14, 2014 at 2:37 pm

    There appear to be some compatibility issues with this plugin with WP 4.0, as it hasn’t been updated in over 2 years. Can lock you out of the admin panel. If this happens, then you need to disable the plugin in the usual way, using something like cPanel access.

    Reply
    • Joe says:
      Nov 4, 2014 at 10:48 am

      Seems to still work fine on all 10 of my wp sites

      Reply
  29. Torben Heikel Vinther says:
    Sep 17, 2013 at 4:40 am

    Sounds like a good and simple plugin, but why not use Better WP Security instead? BWS has a whole section about Limit Login Attempts AND many other security issues in one single plugin! In addition BWS was last updated 2013-8-24. Limit Login Attempts hasn’t been updated since 2012-6-1!

    Reply
    • Editorial Staff says:
      Sep 19, 2013 at 8:57 am

      Torben, there are a lot of plugins that offers this functionality. Limit Login Attempts is a simple plugin that does one thing and does it real well. That’s not to say that BWS is a bad solution. It’s a very good solution (over 1 million downloads on the plugin already proves that).

      Reply
      • Nika says:
        Oct 9, 2015 at 6:23 am

        I’ve been using the Limit Login Attempts plugin for my sites for a while. Now this plugin is outdated. Be honest. Did you use Limit Login Attempts on your site?

        Reply
        • WPBeginner Support says:
          Oct 9, 2015 at 9:52 pm

          Since it has expired we have updated the article and replaced it with login lockdown plugin.

  30. abdelhafidcom says:
    Feb 14, 2012 at 1:31 pm

    what about login lookdown plugin ? is it useful ? should i replace with this plugin ?

    Reply
    • wpbeginner says:
      Feb 15, 2012 at 9:00 am

      @abdelhafidcom That’s also good. It does the same thing. It just hasn’t been updated in a while.

      Reply
  31. AlbertAlbs says:
    Feb 14, 2012 at 12:58 pm

    Thanks for sharing this WordPress security information.

    Reply
  32. ColeRuddick says:
    Feb 14, 2012 at 11:45 am

    Excellent tip! As WordPress is the most widely used platform out there now, site security should be something all users are taking seriously and this plugin is a great help. Thanks for sharing!

    Reply
  33. namaserajesh says:
    Feb 14, 2012 at 8:09 am

    Agree with you, Limit Login Attempts is very good plugin to protect our WordPress blog.

    Reply
  34. joeytribbiani says:
    Feb 14, 2012 at 5:13 am

    I prefer Login Lock. It is officially compatible up to version 3.3.1

    http://wordpress.org/extend/plugins/login-lock/

    Reply
    • merrittsgret says:
      Apr 4, 2012 at 4:08 pm

       @joeytribbiani Login Lock effectively blocked everyone out of my site recently.  I’m switching to Limit Login Attempts.

      Reply
    • Aqif says:
      Oct 2, 2015 at 2:09 pm

      i prefer to not consume ready:)

      Reply
  35. Alan says:
    Feb 13, 2012 at 8:13 pm

    Thanks for this!

    Reply
  36. doug_eike says:
    Feb 13, 2012 at 6:37 pm

    I’ve been looking for ways to protect my blog, and your plugin suggestion looks as if it might be helpful. I’ll take a look at it. Thanks!

    Reply

Leave a Reply Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Over 1,320,000+ Readers

Get fresh content from WPBeginner

Featured WordPress Plugin
TrustPulse
TrustPulse
Instantly get 15% more conversions with social proof. Learn More »
How to Start a Blog How to Start a Blog
I need help with ...
Starting a
Blog
WordPress
Performance
WordPress
Security
WordPress
SEO
WordPress
Errors
Building an
Online Store
Useful WordPress Guides
    • 7 Best WordPress Backup Plugins Compared (Pros and Cons)
    • How to Fix the Error Establishing a Database Connection in WordPress
    • Why You Need a CDN for your WordPress Blog? [Infographic]
    • 30 Legit Ways to Make Money Online Blogging with WordPress
    • Self Hosted WordPress.org vs. Free WordPress.com [Infograph]
    • Free Recording: WordPress Workshop for Beginners
    • 24 Must Have WordPress Plugins for Business Websites
    • How to Properly Move Your Blog from WordPress.com to WordPress.org
    • 5 Best Contact Form Plugins for WordPress Compared
    • Which is the Best WordPress Popup Plugin? (Comparison)
    • Best WooCommerce Hosting in 2020 (Comparison)
    • How to Fix the Internal Server Error in WordPress
    • How to Install WordPress - Complete WordPress Installation Tutorial
    • Why You Should Start Building an Email List Right Away
    • How to Properly Move WordPress to a New Domain Without Losing SEO
    • How to Choose the Best WordPress Hosting for Your Website
    • How to Choose the Best Blogging Platform (Comparison)
    • WordPress Tutorials - 200+ Step by Step WordPress Tutorials
    • 5 Best WordPress Ecommerce Plugins Compared
    • 5 Best WordPress Membership Plugins (Compared)
    • 7 Best Email Marketing Services for Small Business (2020)
    • How to Choose the Best Domain Registrar (Compared)
    • The Truth About Shared WordPress Web Hosting
    • When Do You Really Need Managed WordPress Hosting?
    • 5 Best Drag and Drop WordPress Page Builders Compared
    • How to Switch from Blogger to WordPress without Losing Google Rankings
    • How to Properly Switch From Wix to WordPress (Step by Step)
    • How to Properly Move from Weebly to WordPress (Step by Step)
    • Do You Really Need a VPS? Best WordPress VPS Hosting Compared
    • How to Properly Move from Squarespace to WordPress
    • How to Register a Domain Name (+ tip to get it for FREE)
    • HostGator Review - An Honest Look at Speed & Uptime (2020)
    • SiteGround Reviews from 4196 Users & Our Experts (2020)
    • Bluehost Review from Real Users + Performance Stats (2020)
    • How Much Does It Really Cost to Build a WordPress Website?
    • How to Create an Email Newsletter the RIGHT WAY (Step by Step)
    • Free Business Name Generator (A.I Powered)
    • How to Create a Free Business Email Address in 5 Minutes (Step by Step)
    • How to Install Google Analytics in WordPress for Beginners
    • How to Move WordPress to a New Host or Server With No Downtime
    • Why is WordPress Free? What are the Costs? What is the Catch?
    • How to Make a Website in 2020 – Step by Step Guide
Deals & Coupons (view all)
RafflePress - WordPress Giveaway and Contest Plugin
RafflePress Coupon
Get 20% off RafflePress, the best WordPress giveaway and contest plugin available in the market.
Bluehost Logo
Bluehost Coupon
Get over 69% off on Bluehost web hosting packages plus a free domain & free SSL certificate. Just $2.75/month.
Featured In
About WPBeginner®

WPBeginner is a free WordPress resource site for Beginners. WPBeginner was founded in July 2009 by Syed Balkhi. The main goal of this site is to provide quality tips, tricks, hacks, and other WordPress resources that allows WordPress beginners to improve their site(s).
Join our team: We are Hiring!

Site Links
  • About Us
  • Contact Us
  • FTC Disclosure
  • Privacy Policy
  • Terms of Service
  • Free Blog Setup
  • Free Business Tools
Our Sites
  • OptinMonster
  • MonsterInsights
  • WPForms
  • SeedProd
  • Nameboy
  • RafflePress
  • Smash Balloon

Copyright © 2009 - 2021 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround | WordPress CDN by MaxCDN | WordPress Security by Sucuri.