WordPress Security, Limit Login Attempts
In this WordPress security tutorial on how to limit login attempts, I will show you how and why you should limit login attempts on your WordPress site and prevent hackers from guessing your WordPress admin password.
By default, WordPress allows users to try different passwords as many times as they want.
This gives hackers unlimited opportunities to break into your site using automated scripts. This is the brute-force method: different password combinations are entered until one works.
To limit login attempts, I recommend you install and activate the Cerber Security & Limit Login Attempts plug-in.
Why Limit Login Attempts
Why would you need to limit login attempts in WordPress? After all, WordPress is password protected.
As I stated earlier, by default, WordPress allows users to try different passwords as many times as they want.
Hackers know this and will exploit this weakness. They will use automated scripts to enter different combinations of usernames and passwords until they get in.
To prevent this type of attack, known as a brute-force attack, you can limit the number of failed login attempts per user.
For example, you could temporarily lock a user out after three failed login attempts.
You can accomplish this by blocking their IP address for a set period. Lockout periods are flexible; you can make it 5 minutes, 5 hours or longer. It is up to you.
How to Limit Login Attempts in WordPress?
To limit login attempts in WordPress, all you need to do is install and activate the Cerber Security and Limit Login Attempts plugin.
Once activated, open the plugin’s Main Settings configuration page:
Dashboard > WP Cerber > Dashboard > Main Settings
To get started quickly, load the default recommended settings by clicking the ‘Load default settings’ button on the right side of the page.
Then review the settings to ensure they are suitable for your site.
In particular, check the number of failed login attempts allowed per user (default 3) and the retry time period restriction (default 60 minutes).
Next, check the lockout time duration (default 60 minutes). If a user is locked out, their IP address will be blocked for this amount of time.
You might also like to consider changing the ‘Aggressive lockout’ settings, and whether the administrator should receive emails about lockouts.
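As an added illustration (not the plugin's code and not part of the original tutorial), the following Python models the lockout policy described above with the plugin's default values: three failures from one IP inside a 60-minute retry window lock that IP out for 60 minutes, and a lockout blocks the request even if the next guess happens to be correct. The IP addresses and the event sequence are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed model of the lockout policy, using the defaults quoted above:
# 3 failed attempts within a 60-minute retry window lock the source IP out
# for 60 minutes. All times are seconds since an arbitrary start.
@dataclass
class LoginLimiter:
    max_attempts: int = 3
    retry_window: int = 60 * 60
    lockout_duration: int = 60 * 60
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:          # lockout expired: counting starts fresh
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed login; return True if it triggers a lockout."""
        if self.is_locked(ip, now):
            return True
        q = self._failures[ip]
        while q and now - q[0] >= self.retry_window:   # drop stale failures
            q.popleft()
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout_duration
            q.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)   # a good login clears the counter

def simulate(limiter: LoginLimiter, events) -> list:
    """Replay (time, ip, succeeded) events; return the action taken for each."""
    actions = []
    for now, ip, succeeded in events:
        if limiter.is_locked(ip, now):
            actions.append("rejected: locked out")
        elif succeeded:
            limiter.record_success(ip)
            actions.append("allowed")
        else:
            actions.append("lockout" if limiter.record_failure(ip, now) else "failed")
    return actions

# Constructed sample: a guessing script from 203.0.113.7 and the real admin
# from 198.51.100.5 (both documentation-range addresses).
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (5, "203.0.113.7", False),
    (10, "203.0.113.7", False),     # third failure -> lockout
    (15, "203.0.113.7", True),      # correct guess, still rejected
    (20, "198.51.100.5", False),    # admin typo; other IP is unaffected
    (25, "198.51.100.5", True),
    (3700, "203.0.113.7", False),   # lockout expired; counting restarts
]

if __name__ == "__main__":
    for ev, act in zip(SAMPLE_EVENTS, simulate(LoginLimiter(), SAMPLE_EVENTS)):
        print(ev, "->", act)
```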
There are many other features to consider, such as:
- Permit or restrict access by White IP Access list and Black IP Access List with a single IP, IP range or subnet
- Hide wp-login.php, wp-signup.php and wp-register.php from possible attacks and return 404 HTTP Error
- Create Custom login URL (rename wp-login.php)
- Stop spammers and bots: reCAPTCHA for WordPress and WooCommerce forms
I strongly suggest you explore the many settings yourself.
When you are happy with the settings, do not forget to click the ‘Save Changes’ button to store your changes.
Accidental (or otherwise) Lockout
There is a major problem with this type of application! What can you do if you accidentally, or otherwise, get locked out?
Well, there is a special version of the plugin called WP Cerber Reset. This version performs only one task. It will reset all WP Cerber settings to initial values (excluding Access Lists) and then deactivate itself.
If you accidentally lock yourself out, you can copy the WP Cerber Reset plugin to your site's plugins folder.
- You can download wp-cerber-reset from here:
Just unzip the file and upload the extracted folder to the plugins folder of your site using any FTP client or a file manager from your hosting control panel.
Then log in to your site as usual and reinstall the WP Cerber plugin.
WordPress Security: How to Limit Login Attempts Conclusion
The first layer of protection to your WordPress site is your passwords. You should always use strong passwords on your WordPress site.
No website is 100% safe. Hackers will always find new ways to get around the system. It is crucial that you keep complete backups of your WordPress site at all times. Here is a list of the best WordPress backup plugins.
If your website is a business, I strongly recommend you add a firewall to take care of things such as brute-force and DDoS attacks. For peace of mind, use Sucuri. They guarantee your site's safety. If anything should happen, their expert team will fix it at no additional charge to you.
- As far as I know, no WordPress plugin is capable of protecting against DDoS attacks.
Well, I hope you liked this tutorial and found it helpful. If you have any comments, corrections or items you think should be added to How to Limit Login Attempts, please do not hesitate to leave them in the comment box below.