Limit Login Attempts & Secure Your WordPress Site
If a stranger kept knocking on your front door, time and time again, you’d probably bolt it. Or add three additional locks.
Your online home, too, deserves and needs the same protection.
Limit Login Attempts Reloaded is a popular security plugin that lets you restrict access to your login page. If someone knocks on your virtual door more than a few times, they’re kicked out. It’s a great security tool, used on over two million WordPress sites.
If you’re considering using Limit Login Attempts Reloaded or a similar plugin for your website, this guide is a must-read.
In the next few minutes, we’re going to look at why you might need this plugin, how to set it up, and what other options you have for protecting your website.
Jump on board, it’s time for a whistle-stop tour!
What Is Limit Login Attempts Reloaded?
Limit Login Attempts Reloaded is the most popular WordPress plugin for capping the number of times anyone can attempt to log in to your website. How does it work? By tracking the number of login attempts made from each IP address.
The basic plugin is free, offering solid protection against brute force attacks — that’s when hackers try to guess your password.
The free version also offers:
- Full logs of attempted logins.
- Email notifications.
- Protection for WooCommerce stores.
- Compatibility with other security plugins, such as Wordfence.
For additional website security features, you can pay for a premium license. This costs either $7.99/month for each domain or $299.99 for a lifetime license.
Those extra features include:
- Smart IP address filtering.
- Blocking IP addresses based on location.
Why You Should Limit WordPress Login Attempts
The Internet can feel like the Wild West. If you don’t secure your site, there’s always someone ready to break in and wreak havoc.
By setting a limit on the number of failed login attempts, you can prevent people from trying to log in repeatedly. You’re much less likely to get hacked this way.
Just as importantly, those endless login attempts can overload your WordPress website and reduce performance. Restricting login attempts is a simple solution.
The Potential Downsides Of Limiting Login Attempts
It’s worth noting that limiting login attempts can cause a few headaches. For example, genuine users might find themselves locked out if they make a few typos or forget their password. This can be pretty frustrating on both ends.
Another potential issue is that limiting logins can make you more vulnerable to a Denial of Service (DoS) attack. A malicious hacker could deliberately overload your login limit from multiple IP addresses, and effectively lock out all users, including you. Scary stuff, no?
In rare cases, login limiting can cause performance issues. This usually happens when your lockout settings are too aggressive or you have a high-traffic site, so your web server has to work hard to track and block thousands of IP addresses.
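To make the per-IP tracking and the lockout downside concrete, here is a small model of a login limiter. It is an added example, not the plugin's code; the class name, the thresholds (4 retries, 1200-second lockout) and the reset-on-success behaviour are assumptions chosen for illustration, and the events are constructed.

```python
from collections import defaultdict

class LoginLimiter:
    """Per-IP failed-login counter with a timed lockout (illustrative model)."""

    def __init__(self, max_retries=4, lockout_secs=1200, window_secs=43200):
        self.max_retries = max_retries     # assumed "Maximum Login Retries" value
        self.lockout_secs = lockout_secs   # assumed lockout duration
        self.window_secs = window_secs     # failures older than this are forgotten
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time at which the lockout ends

    def attempt(self, ip, password_ok, now):
        """Process one attempt; return 'blocked', 'ok', 'failed' or 'lockout'."""
        if self.locked_until.get(ip, 0) > now:
            return "blocked"               # rejected before the password is checked
        if password_ok:
            self.failures.pop(ip, None)    # a successful login resets the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < self.window_secs]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout_secs
            del self.failures[ip]
            return "lockout"
        return "failed"

def replay(events, limiter=None):
    """Feed (time, ip, password_ok) events through a limiter, return the outcomes."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]

# Constructed events: (seconds since start, source IP, password correct?)
EVENTS = [
    (0, "198.51.100.23", False), (5, "198.51.100.23", False),
    (9, "198.51.100.23", False), (12, "198.51.100.23", False),  # 4th failure
    (20, "198.51.100.23", True),    # genuine user on the same IP: still blocked
    (30, "203.0.113.8", False),     # a different IP has its own counter
    (40, "203.0.113.8", True),
    (1300, "198.51.100.23", True),  # lockout ended at 12 + 1200 = 1212
]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```

The fifth event is the downside described above: a correct password is refused because the address it comes from is already locked out.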
How To Protect Your Site With Limit Login Attempts Reloaded
That’s the theory all wrapped up. Now, it’s time to take some action.
Setting up the Limit Login Attempts Reloaded plugin is pretty easy. That’s partly why it’s so popular.
But just in case you find yourself a little stuck, here’s a speedy walkthrough of the process:
Step 1: Install Limit Login Attempts Reloaded
Head over to the dashboard of your WordPress site, and then select Plugins > Add New Plugin.
Next, type “Limit Login Attempts Reloaded” into the search bar in the top-right and hit Enter. The plugin you want should appear as the first result.
Once you’ve located the plugin, choose Install Now.
When the plugin has been installed, hit Activate. Stay with us — you’re one step away from protecting your site!
Step 2: Choose Your Login Limits And Settings
If you check the left sidebar, you’ll notice that a Limit Login Attempts option has appeared.
Click on that, and then select Settings from the drop-down menu.
Let’s work our way through the General Settings first:
- GDPR compliance: This option adds a small message on your login screen, informing users that you’re tracking IP addresses (a requirement under GDPR law). You can adjust the message in the box below.
- Notify on lockout: With this feature, you will receive an email alert whenever someone is locked out of your site. You can choose the number of times this has to happen before you receive an email. Make sure to test that this is working.
- Display/Hide options: The next four checkboxes are just about how the plugin will appear in your WordPress Admin area.
Scroll down a little further, and you will come to the App Settings area:
- Micro Cloud: In return for sharing bad IP addresses with the plugin’s developers, you can get limited access to Limit Login Attempts Reloaded’s premium features.
- Local App: The settings here control how the plugin blocks logins. You can probably leave this section alone unless you have specific ideas about timing and attempts.
You can unlock even more settings with a Premium subscription. The plugin has a solid knowledge base to help you navigate these options.
Step 3: Monitor Login Attempts
With your protection set, you can visit Limit Login Attempts > Logs via the sidebar at any time to monitor the lockouts.
Or click on the Logs tab if you’re already in the plugin setting.
You can also manually restrict a specific IP address, or add one to the safelist, using this area.
Alternatives To The Limit Login Attempts Plugin
While Limit Login Attempts Reloaded is a great solution, it’s not the only way to protect your site from brute force attacks.
Here are some alternative options to consider:
1. Wordfence Security Plugin
Actively used by over five million sites, Wordfence Security is probably the best free all-in-one security plugin for WordPress. It provides much more than login protection, although this makes it a little resource-heavy.
Pros:
- Comprehensive security features, including brute force protection.
- Offers real-time global IP protection and IP intelligence.
Cons:
- May overlap with other security plugins.
- Can be overwhelming for beginners because of its feature-rich nature.
2. Loginizer Plugin
This freemium plugin is a like-for-like replacement for Limit Login Attempts Reloaded. It offers many of the same features and has great ratings; however, it is a little resource-intensive.
Pros:
- Specialized in limiting suspicious login attempts.
- Offers IP blocking and password policies.
Cons:
- May slow down the admin panel.
3. Editing Your .htaccess File
You won’t find a login limit option in the WordPress Admin area. The good news is that, if you’re familiar with code, you can take some control by editing your site’s .htaccess file.
For example, you can drop in the following code to limit login access to specific IP addresses. Simply replace the XXX.XXX.XXX.XXX part with the IP addresses you want to allow:
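```apache
RewriteEngine on
# Match requests for the login page or the wp-admin path...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...coming from any address that is not on the allowed list (dots escaped as \.)
RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
# Answer those requests with 403 Forbidden; the "-" must be a plain hyphen
RewriteRule ^(.*)$ - [R=403,L]
```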
Be really careful with this technique, though. You could easily lock yourself out of your own site!
Additionally, you should keep in mind that .htaccess is not supported for some plans that use NGINX. If this is the case for you, we recommend you contact the support team.
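Before deploying rules like these, it helps to check which requests they would actually refuse. The following added example (not part of the original snippet) models the conditions in Python: the first two are joined by [OR], the negated address conditions are ANDed. The function name `is_denied` and the two allowed addresses are constructed placeholders.

```python
import re

# URI patterns copied from the rules above.
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]

# Constructed documentation-range addresses standing in for XXX.XXX.XXX.XXX.
ALLOWED = ["203.0.113.10", "198.51.100.7"]

def is_denied(uri, remote_addr, allowed=ALLOWED):
    """Return True if the rule set would answer this request with 403."""
    # Conditions 1-2 are joined by [OR]: either URI pattern may match.
    uri_hit = any(re.search(p, uri) for p in URI_PATTERNS)
    # The REMOTE_ADDR conditions are negated and ANDed: the client is
    # refused only if it matches none of the allowed addresses.
    allow_res = [re.compile("^" + re.escape(ip) + "$") for ip in allowed]
    not_allowed = all(not r.search(remote_addr) for r in allow_res)
    return uri_hit and not_allowed

# Constructed requests: (REQUEST_URI, REMOTE_ADDR)
SAMPLES = [
    ("/wp-login.php", "192.0.2.50"),    # stranger at the login page: denied
    ("/wp-login.php", "203.0.113.10"),  # allowed address: passes
    ("/wp-admin", "192.0.2.50"),        # denied by the second pattern
    ("/wp-admin/", "192.0.2.50"),       # trailing slash: second pattern misses
    ("/blog/hello", "192.0.2.50"),      # public content is untouched
    ("/wp-login.php", "203.0.113.99"),  # admin whose own address changed: denied
]

if __name__ == "__main__":
    for uri, addr in SAMPLES:
        print(f"{addr:15} {uri:15} denied={is_denied(uri, addr)}")
```

The last sample is the self-lockout case: if your own address changes, the rules treat you like any other visitor. The `/wp-admin/` miss is softened by WordPress redirecting unauthenticated visitors to wp-login.php, which the first pattern covers.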
Login Limiting FAQs
We didn’t cover everything you wanted to know? Not so fast, there’s more right here!
What are some other ways to secure a login page?
We would recommend taking the following steps for strong login security:
What does “Maximum Login Retries” mean?
This is the maximum number of failed login attempts in WordPress allowed for each user (IP address) before they’re blocked from trying again.
How do I remove limit login attempts?
If you’re talking about the plugin, you can simply deactivate and uninstall it.
In terms of unblocking your account, check out this post by the plugin developer.
Upgrade Your Site Security
Clamping down on failed login attempts is an important step toward securing your WordPress website. The Limit Login Attempts Reloaded plugin is probably the most efficient solution overall, but the other options are worth considering.
Of course, website security is partly dependent on your hosting provider. At DreamHost, we provide all the tools you need to fortify your site — from free SSL certificates to our built-in malware remover tool. The best part is that plans start at just $2.59/month!
Sign up today to give your WordPress site an instant security upgrade!