Limiting login attempts in WordPress is a critical security measure used to block brute-force attacks, where hackers or automated bots attempt to guess your admin credentials repeatedly. By default, WordPress allows unlimited login attempts, leaving your site vulnerable.
Using the highly-rated, free plugin Limit Login Attempts Reloaded, you can easily restrict failed attempts and lock out malicious IP addresses.
Step 1: Install the Protection Plugin
Log in to your WordPress administrative dashboard.
Navigate to Plugins > Add New on the left-hand sidebar menu. Type “Limit Login Attempts Reloaded” into the search bar.
Click Install Now next to the correct plugin, then click Activate.
Step 2: Configure the Lockout Rules
Once activated, navigate to the new Limit Login Attempts tab in your dashboard sidebar and select Settings. Under the Local App section, customize the following primary rules:
Allowed Retries: Set this to 3 to 5 attempts to balance user error with security.
Lockout Minutes: Define how long a user is blocked after failing (e.g., 20 minutes).
Increase Lockout: Specify how many hours a user is blocked if they trigger multiple consecutive lockouts (e.g., 24 hours).
Reset Hours: Set the timeframe after which the login attempt count clears back to zero.
Step 3: Enable Privacy and Notification Features
Check GDPR Compliance: In the general settings, toggle the GDPR Compliance box to display a notification on your login page, keeping your site compliant with privacy laws.
Set Email Alerts: Check the Notify on lockout box to receive an automatic email warning whenever an IP address is blocked after maximum failed tries.
Save Settings: Click the Save Settings button at the bottom of the page to apply the changes.
Step 4: Verify the Restrictions Work
To confirm the rules are active, log out of your site and go to your login page. Deliberately enter an incorrect password once. The login screen will now display a warning text explicitly stating how many attempts you have left before being locked out.
What to Do If You Lock Yourself Out
If you accidentally lock yourself out of your own dashboard, you can bypass the plugin via your hosting account:
Open your server files using an FTP client (like FileZilla) or your host’s cPanel File Manager. Navigate to the directory path: /wp-content/plugins/.
Delete or temporarily rename the folder named limit-login-attempts-reloaded.
Refresh your login page to regain access, then reinstall the plugin.
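To make the interaction between the four Step 2 rules concrete, here is an added simulation of a per-IP lockout policy. It is example code written for this page, not the plugin's own implementation: the field names, the assumption that "Increase Lockout" kicks in after a configurable number of consecutive lockouts, and the assumption that the escalation history expires together with the Reset Hours window are all this example's choices. The address and timestamps are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LockoutPolicy:
    """The four Local App rules from Step 2. Field names are this example's own."""
    allowed_retries: int = 4
    lockout_minutes: int = 20
    increase_lockout_after: int = 4   # assumption: consecutive lockouts before escalation
    increase_lockout_hours: int = 24
    reset_hours: int = 12


@dataclass
class IpState:
    failures: int = 0          # failed attempts in the current window
    lockouts: int = 0          # consecutive lockouts, drives escalation
    last_failure: float = 0.0  # epoch seconds of the most recent failure
    locked_until: float = 0.0  # epoch seconds; 0 means never locked


class LoginLimiter:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.state: Dict[str, IpState] = {}

    def _state(self, ip: str) -> IpState:
        return self.state.setdefault(ip, IpState())

    def is_locked(self, ip: str, now: float) -> bool:
        return now < self._state(ip).locked_until

    def attempts_left(self, ip: str) -> int:
        return self.policy.allowed_retries - self._state(ip).failures

    def record_success(self, ip: str) -> None:
        # A correct password clears the counters for that client.
        self.state.pop(ip, None)

    def record_failure(self, ip: str, now: float) -> str:
        """Apply one failed login and return the notice the login form would show."""
        p, s = self.policy, self._state(ip)
        if now < s.locked_until:
            left = math.ceil((s.locked_until - now) / 60)
            return f"locked: {left} minute(s) remaining"
        # Reset Hours: a stale history no longer counts against the client
        # (assumption: the lockout count expires with the window too).
        if s.last_failure and now - s.last_failure > p.reset_hours * 3600:
            s.failures = 0
            s.lockouts = 0
        s.failures += 1
        s.last_failure = now
        if s.failures < p.allowed_retries:
            return f"{p.allowed_retries - s.failures} attempt(s) remaining"
        # Allowed Retries exhausted: lock out, escalating after repeated lockouts.
        s.lockouts += 1
        s.failures = 0
        if s.lockouts >= p.increase_lockout_after:
            s.locked_until = now + p.increase_lockout_hours * 3600
            return f"locked out for {p.increase_lockout_hours} hour(s)"
        s.locked_until = now + p.lockout_minutes * 60
        return f"locked out for {p.lockout_minutes} minute(s)"


def run_demo() -> List[str]:
    """Walk one constructed client through the rules with the article's example values."""
    policy = LockoutPolicy(allowed_retries=3, lockout_minutes=20,
                           increase_lockout_after=2, increase_lockout_hours=24,
                           reset_hours=12)
    limiter = LoginLimiter(policy)
    ip = "203.0.113.7"   # constructed address from the TEST-NET-3 documentation range
    t = 1_000_000.0      # constructed epoch timestamp
    log: List[str] = []
    for i in range(3):                                 # three wrong passwords in a row
        log.append(limiter.record_failure(ip, t + i))
    log.append(limiter.record_failure(ip, t + 60))     # still inside the 20-minute lock
    t = t + 2 + 20 * 60                                # lock has just expired
    for i in range(3):                                 # second burst -> escalated lock
        log.append(limiter.record_failure(ip, t + i))
    t = t + 2 + 24 * 3600 + 13 * 3600                  # 24h lock over, Reset Hours passed
    for i in range(3):                                 # history cleared: back to a 20-minute lock
        log.append(limiter.record_failure(ip, t + i))
    return log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the demo shows the Step 4 notice counting down, the short lockout, the escalation to hours on the second consecutive lockout, and the counters clearing once the Reset Hours window has passed. One caveat for the real deployment: the policy is keyed on the client address, so a site behind a reverse proxy or CDN must have the plugin read the real client IP from the trusted forwarding header; otherwise every visitor shares the proxy's address and one attacker can lock out everyone.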
How to limit the number of login attempts on your WordPress site