A common method that many hackers use to get into a WordPress dashboard is what is known as a brute force attack. Hackers use automated tools to attempt many different user name and password combinations to try and guess your administrator login credentials. With this type of attack, there are usually numerous failed login attempts within a short period of time. The best way to guard against this type of hack attempt is to restrict the number of times a user can attempt to log into the WordPress dashboard before they are locked out from the dashboard.

Fortunately, the Limit Login Attempts plugin will allow you to control how many attempts can be made and how long a user is locked out from attempting to login again. This can assist greatly in preventing brute force hacks of your WordPress site.

Install the Limit Login Attempts WordPress Plugin

If you are not already logged into your WordPress dashboard, begin by logging in.
Following the instructions in our article on Searching for and Installing WordPress Plugins, search for, install and activate the Limit Login Attempts plugin.

Configuring Limit Login Attempts WordPress Plugin

Once you have installed and activated the plugin, a menu item for Limit Login Attempts will be added to your WordPress dashboard under Settings. Click this link to be taken to the settings for this plugin.

wp-limit-login-attempts

In the settings page you will see several options with preselected default values.

wp-limit-login-attempts-settings

Statistics

As lockouts occur, you will see the statistics at the top of this page update. Once the statistics update, you will also have an option to reset the counter if you like.

Options

By default, login attempts (retries) are limited to 4 with a 20 minute lockout. This means users can try to login 4 times and if the login fails, they will be locked out for 20 minutes. You can change any of these settings if you want to increase or decrease either the number of attempts or the lockout duration. You can also increase or decrease the number of lockouts to trigger a longer lockout time or how many hours until the retry count is reset.

Site Connection and Handle cookie login: Most users should not need to change these options from the defaults.

Notify on lockout:

Log IP: Recording the IP that attempts to login can be helpful. If you see the same IP locked out multiple times, you could add that IP to the IP deny manager in cPanel to block them from accessing your website altogether. The lockout log with the logged IP will appear at the bottom of this settings page once lockouts begin occurring. We can come back and take a look at this when we test the plugin.

Email to admin: If you like, you can select this so that a notification is sent to the WordPress administrator email address after X amount of lockouts. You can adjust X to whatever number you prefer.

Each time a login fails the user will see Error: Incorrect username or password and how many attempts are remaining. Finally, once the limit of retries has been reached, an additional message will appear ERROR: Too many failed login attempts and how many minutes the user is locked out for.

wp-limit-login-attempts-locked-out

You will also see the statistics and Lockout log update if any lockouts occur.

wp-limit-login-attempts-log

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve our Help Center:
Email Address
Optional, but our team may contact you for more information.
Did you find this article helpful?

Post a Comment

Name:
Email Address:
Comment:
Are you a bot?
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!

Help Center Search

Current Customers

Email: support@WebHostingHub.com Ticket: Submit a Support Ticket
Call: 877-595-4HUB (4482)
757-416-6627 (Intl.)
Chat: Click To Chat Now

Ask the Community

Get help with your questions from our community of like-minded hosting users and Web Hosting Hub Staff.

Not a Customer?

Get web hosting from a company that is here to help.