Did you know that brute force attacks are one of the most common forms of cyberattack? In a brute force attack, an attacker repeatedly guesses your password until one of the guesses works.
Even worse, WordPress core has no built-in protection against them. By default, the login form accepts an unlimited number of password attempts, which makes it easier to break into websites.
Today, I will demonstrate how you can easily limit login attempts in WordPress using the Limit Login Attempts Reloaded plugin.
Why Limit WordPress Login Attempts
Since WordPress allows an unlimited number of incorrect login attempts, there is nothing stopping the trial-and-error approach. However, if you are imagining a person actually typing in these guesses, you are sorely mistaken.
Hackers use scripts that submit username and password combinations far faster than any human could, often thousands per hour. This dramatically increases the likelihood that they will succeed, because they get many more chances in a short amount of time.
However, this has a simple solution…limit the login attempts.
While it is common for a user to forget their password or accidentally enter their information incorrectly once or twice, they certainly do not need unlimited tries.
For example, many banking websites lock the account after 3 failed attempts because of the value of the data behind it.
Installing Limit Login Attempts Reloaded
Limit Login Attempts Reloaded is an extremely popular plugin with over 1 million active installs. It lets you set how many failed login attempts a visitor gets. Once that number is exceeded, the visitor's IP address is locked out for a customizable amount of time. Keep in mind that the lockout is keyed on the IP address: it slows down a single source, but an attacker spreading guesses across many addresses gets the allowed number of tries from each one, so treat the plugin as a rate limiter rather than a substitute for strong passwords. If your site sits behind a CDN or reverse proxy, also make sure the plugin sees the real client address rather than the proxy's, or one lockout can affect every visitor coming through that proxy.
It is simple to use, but extremely effective.
Click on Plugins and select the Add New option on the left-hand admin panel.
Search for Limit Login Attempts Reloaded in the available search box. This will pull up additional plugins that you may find helpful.
Locate the Limit Login Attempts Reloaded plugin and click on the “Install Now” button. Then, activate the plugin for use.
On the left-hand admin panel, click on Settings and select the Limit Login Attempts option. This will pull up the plugin’s settings page.
Getting Set Up
This plugin is extremely easy to set up and will take less than 5 minutes to do so.
The first option is the GDPR compliance setting, which I highly recommend enabling. It ensures that this plugin's own handling of visitor IP addresses will not be the reason you are not compliant with GDPR.
Note: Enabling this option does not mean your website is GDPR compliant; it only means the plugin itself will not violate the law.
Underneath this, you will find the main settings: the allowed retries (failed attempts before a lockout), how many minutes a lockout lasts, how many lockouts it takes before the lockout time increases, and how many hours must pass before the retry counter is reset.
These settings dictate exactly how the plugin behaves. I recommend keeping the average visitor in mind: the limit should stop a script, not punish someone who mistyped their password.
Common choices are 3 to 5 attempts before a lockout, with a first lockout lasting between 20 minutes and 1 hour.
Customize these settings to match your website’s needs and remember that they can be changed at any time.
Lastly, you will find Blacklist and Whitelist text boxes. Here you can enter IP addresses or usernames that should always be blocked (blacklist) or never be locked out (whitelist).
For instance, you could enter a known bad IP address or account in the blacklist. Be careful with the whitelist, though: whitelisting your own username means that account can never be locked out, so password guesses against it are no longer throttled. If you have a fixed IP address, whitelist that instead and leave the admin username unlisted.
Once you are satisfied with your changes, click on the “Save Options” button.
Congratulations, you have successfully limited the number of login attempts on your WordPress website.
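To make the four settings above concrete, here is a small model of a Limit-Login-Attempts-style policy run against a constructed password list and a forgetful but legitimate user. This is an added example, not the plugin's own code: the setting names mirror the settings page described above, while the length of the escalated lockout (24 hours), the rule that a quiet period resets both counters, the rule that a successful login clears the retry counter, the sample IP addresses and the password list are all assumptions of this model.

```python
"""Model of a Limit-Login-Attempts-style lockout policy (illustration, not plugin code)."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    allowed_retries: int = 4        # failed attempts before a lockout
    lockout_minutes: int = 20       # length of an ordinary lockout
    lockouts_to_escalate: int = 4   # lockouts after which the lockout gets longer
    long_lockout_hours: int = 24    # length of the escalated lockout (assumed value)
    reset_hours: int = 12           # quiet hours after which both counters reset (assumed)
    whitelist_ips: frozenset = frozenset()
    whitelist_users: frozenset = frozenset()
    blacklist_ips: frozenset = frozenset()
    blacklist_users: frozenset = frozenset()


@dataclass
class _State:
    retries: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    last_fail: float = -1.0         # -1 means "never failed"


class LoginTracker:
    """Tracks failed attempts per client IP and applies the policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._states = {}

    def state(self, ip: str) -> _State:
        return self._states.setdefault(ip, _State())

    def attempt(self, ip: str, user: str, password_ok: bool, now: float) -> str:
        """Returns ok, fail, lockout (this failure triggered one), locked (rejected
        before the password was checked) or blocked (blacklisted)."""
        p = self.policy
        if ip in p.blacklist_ips or user in p.blacklist_users:
            return "blocked"
        if ip in p.whitelist_ips or user in p.whitelist_users:
            return "ok" if password_ok else "fail"      # whitelisted: never counted
        s = self.state(ip)
        if now < s.locked_until:
            return "locked"
        if s.last_fail >= 0 and now - s.last_fail > p.reset_hours * 3600:
            s.retries = s.lockouts = 0                  # quiet period: counters reset
        if password_ok:
            s.retries = 0                               # assumed: success clears retries
            return "ok"
        s.retries += 1
        s.last_fail = now
        if s.retries < p.allowed_retries:
            return "fail"
        s.retries = 0
        s.lockouts += 1
        if s.lockouts >= p.lockouts_to_escalate:
            s.locked_until = now + p.long_lockout_hours * 3600
        else:
            s.locked_until = now + p.lockout_minutes * 60
        return "lockout"


# Constructed password list: three common passwords followed by filler guesses.
WORDLIST = ["123456", "password", "qwerty"] + [f"welcome{i}" for i in range(9997)]


def simulate_attack(policy, wordlist, guesses_per_second, horizon_seconds,
                    ip="203.0.113.7", user="admin",
                    real_password="correct horse battery staple") -> int:
    """How many guesses a script actually gets to test within the horizon.
    policy=None models stock WordPress (no limit). The script waits out each
    lockout and then retries the same guess."""
    tracker = LoginTracker(policy) if policy else None
    t, tested = 0.0, 0
    for guess in wordlist:
        if tracker is None:
            result = "ok" if guess == real_password else "fail"
        else:
            result = tracker.attempt(ip, user, guess == real_password, now=t)
            if result == "locked":
                t = tracker.state(ip).locked_until
                if t >= horizon_seconds:
                    break
                result = tracker.attempt(ip, user, guess == real_password, now=t)
            if result == "blocked":
                break
        tested += 1
        if result == "ok":
            break
        t += 1.0 / guesses_per_second
        if t >= horizon_seconds:
            break
    return tested


if __name__ == "__main__":
    day = 24 * 3600
    print("stock WordPress, 1 day:", simulate_attack(None, WORDLIST, 10, day))
    print("with lockout policy, 1 day:", simulate_attack(LockoutPolicy(), WORDLIST, 10, day))
```

With the default settings in the model (4 retries, 20-minute lockout, escalation to 24 hours after the fourth lockout), a script guessing ten passwords a second from one address gets through the whole 10,000-entry list in under 17 minutes against stock WordPress but tests only 16 guesses in an entire day once the policy is in place. The same tracker lets a real user who fails three times and then remembers their password log in normally, and a username on the whitelist is never counted at all, which is why whitelisting the admin account is a bad trade.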
Go A Step Further
While limiting how many attempts a hacker gets to guess a password solves some of the problem, it does not solve all of it.
Another important point you need to consider is the strength of your passwords.
Unfortunately, regardless of how much information exists on the Internet about the danger of picking a simple password, people still choose things like "123456."
With unlimited login attempts this is fatal: an attacker loads a list of the most common passwords into a script and walks through it until one works. Even with a lockout in place, a password near the top of that list can be guessed within the few attempts the plugin allows.
Do not make it easy for hackers to guess your password. Use strong passwords to secure your website.
Hackers Always Find A New Exploit
The idea that a website is 100% secure at any time is completely ridiculous. WordPress is the most popular website building platform in the world, and that makes it the target of many hackers.
While core is actively maintained, hackers can still gain access to your website through weak or reused credentials and outdated plugins or themes, steal valuable information, and cost you hours of extra work.
Always take extra steps to ensure that your website is safe.
How easy did you find the Limit Login Attempts Reloaded plugin to use? What steps do you take to ensure that your website is properly protected?
Thanks for the great article, Robert. I like the approach where you remember the devices that users log in with, so that you don't block people that have simply forgotten their password. You can also notify them when someone logs in from a new device. There's a plugin (of course!) https://wordpress.org/plugins/guardgiant/