How to Limit Login Attempts in WordPress

Ideal Ways to Limit Login Attempts in WordPress

With news of website hacking appearing regularly, it has become highly important to tighten the security of your WordPress site. One ideal way to do so is to limit login attempts in WordPress.

Using techniques such as brute force attacks and credential stuffing, hackers can constantly flood the login page with dictionary attacks to take control of your website (whether it is built with a CMS or with other technologies). This article explains why you need to limit login attempts and how to do so to boost the security of your WordPress site.

Limit Login Attempts in WordPress: The Importance of Limiting

Hackers follow a similar practice whether they are getting into someone’s account or their device: they execute brute force attacks against the victim’s account or device. For instance, shorter passwords can be cracked within seconds, while longer passwords take much more time.

Additionally, usernames are easy to find on the internet, but that’s not the case with passwords. Hackers need more attempts to find the right password than to find a correct username. So, if there is a limit on the number of failed login attempts, hackers won’t be able to keep making login attempts, and as a result you improve WordPress security by one step.

Working of WordPress Limit Login Attempts

When you use a plugin or firewall to curb login trials in WordPress, the threat actor can’t keep making login attempts with wrong passwords indefinitely. After some wrong login trials the login page can no longer be accessed, and the hacker will have to look for another way to obtain access to your site, as his account will get locked.

Once they get fed up with the process, they will drop the idea of hacking.

Limit Login Attempts in WordPress Using Plugin

There are ways to limit login attempts without a plugin, but they are a little complicated. You don’t need to go through all those hectic tasks. Simply use a WordPress plugin that isn’t heavy on resources and get the job done.

Here we are using the Limit Login Attempts Reloaded plugin to restrict unnecessary login trials in WordPress. We have tried and tested several plugins and found this one ideal for the task.

Limit Login Attempts Reloaded Features:

  • Max logins per IP restriction
  • Set time limit for login restriction
  • Users can see how much time is left before they can log in again
  • You receive an email when the plugin finds suspicious activity
  • The plugin offers a comprehensive log of blocked trials
  • You can blacklist or whitelist the IPs and usernames

Once you have enabled the plugin, you get an option in the left navigation bar. Navigate to Settings >> Limit Login Attempts.

Plugin’s General Settings:

In the General Settings, you will see the GDPR Compliance field; tick it. Next, you will see the GDPR Message field, where you can type in the message that your visitors will see.

Finally, you will see the Notify on Lockout field, which allows you to receive a notification for every unsuccessful login trial.

Plugin’s App Settings:

In the app settings section, you can find the Lockout field. In the Lockout field, you need to add the maximum number of login attempts along with the time limit for account restriction after unsuccessful attempts. Even a beginner can use this plugin to restrict login attempts, thanks to its user interface and simple mechanism.

To view all the unsuccessful login trials, check the logs. Additionally, this plugin allows you to block IPs from the logs section if you observe a fraudulent IP attempting a brute force attack. A blocklist restricts login trials from a specific IP range. A safelist, on the other hand, lets you permit IP addresses and usernames to log in an unlimited number of times.
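The following Python model shows how a maximum-attempts limit, a lockout period, a blocklist and a safelist interact on a sequence of login attempts. It is an added example, not code from the Limit Login Attempts Reloaded plugin; the class name LoginLimiter, its parameters, the return values and the sample IP addresses are assumptions made for illustration, and failures are counted consecutively per IP.

```python
import ipaddress

class LoginLimiter:
    def __init__(self, max_attempts, lockout_seconds, safelist=(), blocklist=()):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.safelist = [ipaddress.ip_network(n) for n in safelist]
        self.blocklist = [ipaddress.ip_network(n) for n in blocklist]
        self.failures = {}      # ip -> consecutive failed attempts
        self.locked_until = {}  # ip -> time at which the lockout ends
        self.log = []           # blocked tries: (time, ip, username, reason)

    def _listed(self, ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def seconds_left(self, ip, now):
        # Remaining lockout time, the value a locked-out user would be shown.
        return max(0, self.locked_until.get(ip, 0) - now)

    def attempt(self, ip, username, password_ok, now):
        if self._listed(ip, self.safelist):   # safelisted: never counted or locked
            return "ok" if password_ok else "failed"
        if self._listed(ip, self.blocklist):
            self.log.append((now, ip, username, "blocklist"))
            return "blocked"
        if self.seconds_left(ip, now) > 0:    # password is not checked while locked
            self.log.append((now, ip, username, "lockout"))
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures[ip] = 0
            self.log.append((now, ip, username, "lockout started"))
        return "failed"

def demo():
    limiter = LoginLimiter(2, 600, safelist=["198.51.100.7/32"],
                           blocklist=["203.0.113.0/24"])
    attempts = [  # constructed sample: (time, ip, username, password_ok)
        (0, "192.0.2.10", "admin", False),
        (9, "192.0.2.10", "admin", False),      # second failure starts the lockout
        (12, "192.0.2.10", "admin", True),      # right password, still locked out
        (20, "203.0.113.5", "admin", True),     # inside the blocklisted range
        (30, "198.51.100.7", "editor", False),  # safelisted, not counted
        (700, "192.0.2.10", "admin", True),     # lockout has expired
    ]
    return [limiter.attempt(ip, u, ok, t) for t, ip, u, ok in attempts], limiter
```

Note that the attempt at time 12 is rejected even though the password is correct: during a lockout the credentials are never evaluated, which is what stops a guessing run from making progress.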


As 40% of total websites on the internet are powered by WordPress, it is a favorite CMS. Since the WordPress community is stronger than WordPress exploiters, you can secure your WordPress site by following simple security measures. Security starts from the login page, and if you limit login attempts in WordPress, you enhance the security of your WordPress website and thereby make the job of hackers more complex.



If you need any help, contact our support by opening a support ticket from the client area.
