How to Limit the Number of Login Attempts to Secure Your Website from Brute Force Attacks

It's scary to read that millions of websites get hacked every year. Many people consider WordPress an insecure CMS. To be clear, it's your duty to harden the security of your website.

You can protect your website from brute force attacks by limiting login attempts. If you don't already know, a brute force attack takes place on your WordPress login page.

Attackers run through combinations of login credentials to get into your website. If your login page is unprotected, your website can easily be hacked.

While reading a WordPress security guide, you may come across the advice to limit login attempts. What does that mean? As I have already mentioned, attackers try many credential combinations to log in.

So they may try many times. If you limit login attempts, once the limit is exceeded the user gets blocked for a certain amount of time.

You may be wondering how to accomplish this. WordPress has lots of plugins in its plugin repository that can help.

Use a Security Plugin to Limit the Login Attempts

As you already know, most security plugins come with many features, and limiting login attempts is a common one these days.

If your current security plugin already has it, fine; otherwise you'll need a dedicated plugin just to enable this feature.

You should also know how this works. What does it really mean? How do the plugins block users?

Let me explain. As you know, every internet user has an IP address while surfing the web. Whenever the plugin detects more login attempts from an address than the limit allows, it blocks that IP address.

Now you may also be wondering whether hackers can use a VPN to change their IP address and try again. That's possible, but most of the time the attacks are automated scripts.

That means bots try to log in to your website, and they don't bother to change the IP address.
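Here is what that per-IP blocking logic looks like in practice, written out as an added Python example (not code from the post or from any plugin it names; the limit, lockout and window values are assumed defaults, not any plugin's actual settings):

```python
from collections import defaultdict

# Added example, not code from the post or from any plugin it names. It models
# what a "limit login attempts" plugin does: count failed logins per client IP
# and lock that IP out for a while once the count passes the limit.
class LoginLimiter:
    def __init__(self, max_attempts=5, lockout_seconds=20 * 60, window_seconds=60 * 60):
        self.max_attempts = max_attempts        # failures allowed before a lockout
        self.lockout_seconds = lockout_seconds  # how long a locked IP stays blocked
        self.window_seconds = window_seconds    # failures older than this no longer count
        self.failures = defaultdict(list)       # ip -> timestamps of recent failures
        self.locked_until = {}                  # ip -> time the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget the old failures so the client starts fresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if it triggered a lockout."""
        recent = [t for t in self.failures[ip] if now - t < self.window_seconds]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def attempt(self, ip, password_ok, now):
        """Gate one login attempt; returns 'locked', 'ok' or 'failed'.

        The lockout check comes first, so a locked IP is refused even with the
        right password (the attacker may have found it on the last guess)."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)  # a good login clears the failure count
            return "ok"
        return "locked" if self.record_failure(ip, now) else "failed"
```

The `now` argument is a plain timestamp in seconds so the behaviour can be stepped through deterministically; in a real plugin it would be the server clock.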

Human attackers, on the other hand, can be really hard to stop. Apart from limiting login attempts, you can add some other security layers to your WordPress login page.

Let me mention a few.

  • Adding a Honey Pot
  • Adding a CAPTCHA
  • Adding a security question
  • Password protecting the wp-admin directory

Now you may be wondering what a Honey Pot is. It's a hidden form field that isn't visible to humans; only bots see it.

Bots tend to fill in every login field, so they fill in the Honey Pot too, and that is the signal to block that IP address.

Not every security plugin has an option to limit login attempts, so you may need to use another plugin.

Use Limit Login Attempts Plugin

This is one of the best free plugins you can use. If you check, it hasn't been updated for a long time, but it still works.

If you're worried that it might break your website, you can look for alternatives. Let me mention a few.

  • WP Limit Login Attempts
  • Cyber Security & Antispam

The first plugin tracks users' login attempts and blocks them by IP address. As I mentioned before, the block is temporary.

A lockout time is set for each IP address. To adjust that timing yourself, the premium version is required.

The second plugin protects your website from brute force attacks by both hackers and bots.

But if you ask WordPress professionals, they will suggest the Limit Login Attempts plugin because it has been around for so long and is reliable.

After the surge in brute force attack incidents, web hosting companies have started implementing this on their customers' websites.

Only a few companies have done this so far, but those that have recommend it by installing a login-limit plugin by default when you install WordPress for the first time.

Is There Any Other Method to Limit the Login Attempts?

Unfortunately, you can't use any code to block a user temporarily, but you can permanently block an IP address. People also call this blocking the bad bots.

You may find this option in most security plugins, or even in Jetpack from WordPress.com. You just need to add the suspicious IP address and save.

No one will be able to access your website from that IP address. Now the question arises: how are you going to find the malicious IP address?

Well, that's a bit of a tricky question.

It's always recommended to monitor your website with a security plugin; plugins like Wordfence and Sucuri can continuously monitor your website's login page.

You can check the login attempt history. If someone is trying more than once, note that IP address and add it to the blacklist.
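If you would rather do that check over the raw web-server access log than a plugin dashboard, here is an added Python example (not code from the post or from any plugin it names; the log lines are constructed, and treating a 200 response to a wp-login.php POST as a failed login is a heuristic assumed here):

```python
import re
from collections import Counter

# Added example, not code from the post or from any plugin it names. Scans
# access-log lines in the Apache/nginx "combined" format for POSTs to
# wp-login.php and reports client IPs with more failed attempts than a
# threshold, i.e. the "login attempt history" check from the post done by hand.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample, not real traffic. Heuristic assumed here: WordPress
# answers a failed login with 200 (the form is shown again) and a successful
# one with a 302 redirect to the dashboard.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2024:08:30:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2024:08:30:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2024:08:30:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

def count_failed_logins(log_text):
    """Return {ip: number of failed wp-login.php POSTs} for the given log text."""
    failed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") == "POST" and path.endswith("/wp-login.php") and m.group("status") == "200":
            failed[m.group("ip")] += 1
    return failed

def suspicious_ips(log_text, threshold=3):
    """IPs whose failed-login count is at or above the threshold, highest first."""
    counts = count_failed_logins(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}: {n} failed login attempts")
```

A legitimate user who mistypes a password once or twice (like 203.0.113.8 above) stays under the threshold; only the address hammering the form is reported.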

I have the Best Solution

If you're the only one handling your website, you can add your own IP address to the whitelist. It means no one else can access your website from anywhere else in the world.

This is feasible only if you work from a fixed place such as your home or your office. You can add more than one IP address to the whitelist.

Whenever someone else tries to log in to your website, they will automatically be blocked because their IP address isn't whitelisted.

This can be accomplished by adding the rules to your website's .htaccess file, or you can simply use this feature in your security plugin.

As you may have noticed, I have mentioned using a security plugin many times. That's because not everyone can secure a website by editing code.

So it's important to have something that can add multiple security layers to your website. Let me mention the top security plugins.

  • All In One Security
  • Wordfence
  • Sucuri
  • BulletProof Security
  • iThemes Security

Depending on your requirements, you can use any of them. The premium version of Sucuri is one of the best you can have, but not everyone can afford it.

I hope you can limit the login attempts and apply some other methods.
