A common method that many hackers use to get into a WordPress dashboard is what is known as a brute force attack. Hackers use automated tools to attempt many different username and password combinations to try to guess your administrator login credentials. With this type of attack, there are usually numerous failed login attempts within a short period of time. The best way to guard against this type of hack attempt is to restrict the number of times a user can attempt to log into the WordPress dashboard before they are locked out of the dashboard.
Fortunately, the Limit Login Attempts plugin allows you to control how many attempts can be made and how long a user is locked out before they can try to log in again. This can assist greatly in preventing brute force attacks on your WordPress site.
Install the Limit Login Attempts WordPress Plugin
If you are not already logged into your WordPress dashboard, begin by logging in.
Following the instructions in our article on Searching for and Installing WordPress Plugins, search for, install and activate the Limit Login Attempts plugin.
Configuring Limit Login Attempts WordPress Plugin
Once you have installed and activated the plugin, a menu item for Limit Login Attempts will be added to your WordPress dashboard under Settings. Click this link to be taken to the settings for this plugin.
In the settings page you will see several options with preselected default values.
As lockouts occur, you will see the statistics at the top of this page update. Once the statistics update, you will also have an option to reset the counter if you like.
By default, login attempts (retries) are limited to 4 with a 20 minute lockout. This means users can try to log in 4 times, and if all 4 attempts fail, they will be locked out for 20 minutes. You can change any of these settings if you want to increase or decrease either the number of attempts or the lockout duration. You can also change the number of lockouts that triggers a longer lockout time, and how many hours must pass before the retry count is reset.
Site Connection and Handle cookie login: Most users should not need to change these options from the defaults.
Notify on lockout: The two options below control what is recorded and who is told when a lockout occurs.
Log IP: Recording the IP that attempts to log in can be helpful. If you see the same IP locked out multiple times, you could add that IP to the IP deny manager in cPanel to block it from accessing your website altogether. The lockout log with the logged IP will appear at the bottom of this settings page once lockouts begin occurring. We can come back and take a look at this when we test the plugin.
Email to admin: If you like, you can select this so that a notification is sent to the WordPress administrator email address after X lockouts. You can adjust X to whatever number you prefer.
Each time a login fails, the user will see "Error: Incorrect username or password" along with how many attempts are remaining. Finally, once the limit of retries has been reached, an additional message will appear, "ERROR: Too many failed login attempts", along with how many minutes the user is locked out for.
You will also see the statistics and Lockout log update if any lockouts occur.
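To make the retry, lockout and escalation rules described above concrete, here is an added Python model of that policy tracked per source IP. It is not the plugin's own code; the 4-retry and 20-minute values are the page's defaults, while the long-lockout threshold (4 lockouts), long-lockout length (24 hours) and retry-reset window (12 hours) are assumed values, as are the exact message strings.

```python
"""Model of a Limit Login Attempts style lockout policy, keyed by source IP.
Times are plain epoch seconds passed in by the caller so the logic is testable."""
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    allowed_retries: int = 4        # failed attempts before a lockout (page default)
    lockout_minutes: int = 20       # length of a normal lockout (page default)
    lockouts_before_long: int = 4   # lockouts that trigger the longer lockout (assumed)
    long_lockout_hours: int = 24    # length of the longer lockout (assumed)
    reset_retries_hours: int = 12   # idle hours after which the retry count resets (assumed)
    _retries: dict = field(default_factory=dict)       # ip -> (failed count, last failure time)
    _lockouts: dict = field(default_factory=dict)      # ip -> lockouts so far
    _locked_until: dict = field(default_factory=dict)  # ip -> epoch second the lockout ends
    lockout_log: list = field(default_factory=list)    # (ip, time, minutes), like the plugin's log

    def is_locked(self, ip: str, now: int) -> bool:
        """True while a lockout for this IP is still in force."""
        return self._locked_until.get(ip, 0) > now

    def minutes_remaining(self, ip: str, now: int) -> int:
        """Whole minutes left on the lockout (rounded up), 0 if not locked."""
        return max(0, -(-(self._locked_until.get(ip, 0) - now) // 60))

    def record_failure(self, ip: str, now: int) -> str:
        """Count one failed login and return the message the user would see."""
        count, last = self._retries.get(ip, (0, now))
        if now - last > self.reset_retries_hours * 3600:
            count = 0                                   # retry window expired, start over
        count += 1
        remaining = self.allowed_retries - count
        if remaining > 0:
            self._retries[ip] = (count, now)
            return f"Error: Incorrect username or password. {remaining} attempts remaining."
        # Retry limit reached: lock the IP out, escalating after repeated lockouts.
        n = self._lockouts.get(ip, 0) + 1
        if n >= self.lockouts_before_long:
            minutes, n = self.long_lockout_hours * 60, 0  # long lockout, then start counting again
        else:
            minutes = self.lockout_minutes
        self._lockouts[ip] = n
        self._locked_until[ip] = now + minutes * 60
        self._retries[ip] = (0, now)                    # fresh retry count after the lockout
        self.lockout_log.append((ip, now, minutes))
        return f"ERROR: Too many failed login attempts. Please try again in {minutes} minutes."

    def record_success(self, ip: str) -> None:
        """A successful login clears the retry count for that IP."""
        self._retries.pop(ip, None)
```

Call `is_locked` before processing a login form submission and `record_failure` or `record_success` after checking the credentials.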