Limiting login attempts in WordPress is crucial for preventing brute-force attacks and unauthorized access. Here’s how you can do it:
1. Limit Login Attempts in WordPress Using a Security Plugin
The easiest way to limit login attempts is by using a plugin. Some of the best ones include:
a) Login LockDown
- Install and activate the Login LockDown plugin.
- Go to Settings → Login LockDown and configure the settings.
- Set the number of allowed attempts, lockout duration, and IP blocking rules.
b) Limit Login Attempts Reloaded
- Install and activate Limit Login Attempts Reloaded.
- Navigate to Settings → Limit Login Attempts.
- Adjust the max retries, lockout time, and IP listing.
c) Wordfence Security
- Install and activate Wordfence Security.
- Go to Wordfence → Firewall → Login Security.
- Enable Brute Force Protection and set the lockout rules.

2. Modify functions.php to Limit Login Attempts in WordPress (Without Plugin)
If you prefer a manual approach, add the following code to your theme’s functions.php file:
function limit_login_attempts() {
    // Start a PHP session only if none is running yet, to avoid "session already started" notices.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $max_attempts = 3;
    $lockout_time = 600; // 10 minutes
    $ip = $_SERVER['REMOTE_ADDR'];
    if (!isset($_SESSION['login_attempts'])) {
        $_SESSION['login_attempts'] = [];
    }
    if (!isset($_SESSION['login_attempts'][$ip])) {
        $_SESSION['login_attempts'][$ip] = ['count' => 0, 'last_attempt' => 0];
    }
    $attempts = $_SESSION['login_attempts'][$ip];
    // Once the lockout window has passed, reset the counter so an old lockout
    // does not re-trigger on the very next failed attempt.
    if ($attempts['count'] >= $max_attempts && time() - $attempts['last_attempt'] >= $lockout_time) {
        $_SESSION['login_attempts'][$ip] = ['count' => 0, 'last_attempt' => 0];
        $attempts = $_SESSION['login_attempts'][$ip];
    }
    // Block only the login page while locked out, not every page load from that IP.
    if ($GLOBALS['pagenow'] === 'wp-login.php'
        && $attempts['count'] >= $max_attempts
        && time() - $attempts['last_attempt'] < $lockout_time) {
        wp_die('Too many login attempts. Please try again later.');
    }
    // Count every failed login against this IP and remember when it happened.
    add_action('wp_login_failed', function () use ($ip) {
        $_SESSION['login_attempts'][$ip]['count'] += 1;
        $_SESSION['login_attempts'][$ip]['last_attempt'] = time();
    });
}
add_action('init', 'limit_login_attempts');
💡 This method is basic: the counter lives in a PHP session tied to the client’s cookie, so a client that discards the cookie starts with a fresh count, and it doesn’t offer features like automatic IP unblocking.
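A sturdier manual variant, added here as an example rather than taken from the article: it keeps the counter server-side in a WordPress transient keyed by client IP (so dropping the session cookie does not reset it) and rejects the login through the authenticate filter instead of calling wp_die on every page load. The constants, key prefix and function names are this example’s own; it assumes a standard WordPress install.

```php
<?php
// Added example, not the article's code: server-side login throttling with transients.
// Constants below are this example's own choices.
define('LLA_MAX_ATTEMPTS', 5);
define('LLA_WINDOW', 15 * MINUTE_IN_SECONDS); // counting window; also the lockout length

function lla_client_ip() {
    // Use REMOTE_ADDR only; trust X-Forwarded-For solely if a known proxy sets it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lla_key($ip) {
    // Hash the IP so the transient name is short and contains only safe characters.
    return 'lla_fail_' . md5($ip);
}

// Count each failed login against the client IP. Re-setting the transient slides
// the window, so a locked-out IP that keeps trying stays locked out.
add_action('wp_login_failed', function () {
    $key   = lla_key(lla_client_ip());
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LLA_WINDOW);
});

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(lla_key(lla_client_ip()));
});

// Refuse authentication while the IP is over the limit. Priority 30 runs after
// core's username/password check (priority 20), so the error is what gets returned.
add_filter('authenticate', function ($user) {
    $count = (int) get_transient(lla_key(lla_client_ip()));
    if ($count >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 1);
```

Transients are stored in the options table (or the object cache when one is configured), so the limit applies to the IP regardless of which browser or client is used.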
3. Enable Cloudflare Security Rules
If you’re using Cloudflare, you can:
- Go to Firewall Rules and set a rule to challenge or block failed login attempts.
- Enable Bot Fight Mode to prevent automated brute-force attacks.
4. Modify .htaccess to Block Repeated Login Attempts in WordPress
You can use .htaccess to restrict the login and XML-RPC endpoints to a specific IP, so repeated login attempts from any other address are refused:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match requests for the login page or the XML-RPC endpoint ([OR] joins these two)...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$
    # ...only when the client is not the allowed IP (anchored with $ so 123.123.123.1234 does not match).
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    # Return 403 Forbidden to everyone else.
    RewriteRule ^(.*)$ - [F,L]
</IfModule>
🔹 Replace 123.123.123.123 with your IP address to allow access. If your address changes (a dynamic home or mobile connection), this rule will lock you out too, so only use it from a fixed IP or VPN.
5. Disable XML-RPC (Another Attack Vector)
Disable xmlrpc.php (often exploited for brute-force attacks, since one request can carry many login attempts) by adding this to .htaccess. Note that these are Apache 2.2 directives; on Apache 2.4 use Require all denied inside the same Files block, and remember that the Jetpack plugin and the WordPress mobile apps rely on XML-RPC:
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>
Bonus Security Tips
- Use CAPTCHA: Add Google reCAPTCHA using a plugin like “reCaptcha by BestWebSoft.”
- Enable Two-Factor Authentication (2FA): Use a plugin like “Google Authenticator.”
- Rename wp-login.php: Change the default login URL using the “WPS Hide Login” plugin.
- Use Strong Passwords: Ensure all admin users have strong passwords.
Final Thoughts
For most users, a plugin like Limit Login Attempts Reloaded or Wordfence is the easiest and most effective solution. If you’re comfortable editing files, using .htaccess and functions.php can offer lightweight alternatives.