Security is often a factor that people consider when choosing a platform to run their website on.
And I often get asked about the security of WordPress websites as there are lots of rumours out there suggesting that it isn’t safe.
WordPress is a safe platform to run a website on, but if you are worried then there are many security features that you can put in place to protect your website and its content. I’ve already talked about the importance of backing up your WordPress website here on the blog, but today I wanted to share with you another security measure that you can easily put in place: limiting login attempts.
Hackers may attempt to gain access to your WordPress admin area by guessing your username and password, a method known as a brute force attack. The good news is you can easily install a plugin which will limit the number of times someone can attempt to log into your account, and lock out anyone who exceeds the limit.
In this post I’ll show you how to limit login attempts to your WordPress website using the All In One WP Security & Firewall plugin.
1 | Install the All In One WP Security & Firewall plugin
Let’s start by installing a security plugin. Hover over Plugins in the left hand menu and click Add New.
When you are on the plugins page, use the search bar to search for a plugin called All In One WP Security & Firewall.
Click Install Now and then when the plugin has installed, click Activate.
And that’s that! The All In One WP Security & Firewall plugin is ready to use.
2 | Enable login lockdown features
After you have installed the plugin you will see a new item in the left hand WordPress menu called WP Security. Hover over this link and click on User Login.
This will take you to the User Login page. You’ll see at the top of the User Login page that there are a number of tabs. The Login Lockdown tab is selected by default which is good as this is the tab we are interested in right now!
On this page you’ll notice a section called Login Lockdown Options. The very first option in this section is “Enable Login Lockdown Feature”. You will need to tick the box next to this option to be able to use the login lockdown features.
3 | Choose your login lockdown settings
Now you have enabled the login lockdown feature, it’s time to work through the login settings. I have explained each of these settings below.
Don’t forget, when you’ve finished changing your settings, make sure you click the blue Save Settings button at the bottom of the section.
Allow Unlock Requests
If a user gets locked out, you can allow them to generate an automatic unlock request. If you want to allow users to do this, tick the box next to this setting.
Max Login Attempts
The Max Login Attempts setting allows you to set the maximum number of times that a user can try to log in before they are locked out. By default this is set to 3 times.
Login Retry Time Period
As well as setting the maximum number of login attempts, you can also set a login retry time period. So, if a particular IP address reaches the maximum number of failed login attempts within the time period specified, it will be locked out and unable to log in. By default this is set to 5 minutes.
Time Length of Lockout
If an IP address gets locked out, it will be locked out for a specific amount of time. You can specify what this length of time is. By default this is set to 60 minutes.
Display Generic Error Message
If you tick this box then a generic error message will be displayed on the login page when someone tries to log in and it fails.
Instantly Lockout Invalid Usernames
If you tick the box next to this option then anyone who tries to log in using a username that isn’t on the system will automatically be locked out.
Instantly Lockout Specific Usernames
If there are certain usernames that you want to automatically lock out as soon as someone tries to log in using them, you can enter these usernames into this box. Think of it as a username black list!
This will not block out existing usernames. You should enter one username per line.
Notify By Email
If you tick the box next to this option then you will be sent an email to notify you each time someone is locked out because they’ve failed to log in. You can even specify which email address you would like these emails to be sent to.
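To see how Max Login Attempts, Login Retry Time Period and Time Length of Lockout work together, here is an added Python example that models the behaviour described above; it is not the plugin's code and not part of the original post. The class and function names, the sample IP addresses and usernames, and the assumption that the lockout starts on the failed attempt that reaches the limit are all illustrative.

```python
from collections import defaultdict, deque


class LoginLockdown:
    """Illustrative model of the lockout settings (not the plugin's own code)."""

    def __init__(self, max_attempts=3, retry_period=5 * 60,
                 lockout_length=60 * 60, instant_lockout_names=()):
        self.max_attempts = max_attempts        # "Max Login Attempts"
        self.retry_period = retry_period        # "Login Retry Time Period" (seconds)
        self.lockout_length = lockout_length    # "Time Length of Lockout" (seconds)
        self.instant_lockout_names = {n.lower() for n in instant_lockout_names}
        self.failures = defaultdict(deque)      # ip -> times of recent failed logins
        self.locked_until = {}                  # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, username, now):
        """Record a failed login at time `now`; return True if the IP is locked out."""
        if self.is_locked(ip, now):
            return True
        if username.lower() in self.instant_lockout_names:
            return self._lock(ip, now)          # "Instantly Lockout Specific Usernames"
        window = self.failures[ip]
        window.append(now)
        # Forget failures that are older than the retry time period.
        while now - window[0] > self.retry_period:
            window.popleft()
        if len(window) >= self.max_attempts:    # assumption: lock when the limit is reached
            return self._lock(ip, now)
        return False

    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.lockout_length
        self.failures.pop(ip, None)
        return True


def simulate(events, **settings):
    """Replay (seconds, ip, username) failed logins; one lockout result per event."""
    policy = LoginLockdown(**settings)
    return [policy.record_failure(ip, user, t) for t, ip, user in events]


# Constructed sample data; "admin" is assumed not to be an existing account.
SAMPLE = [
    (0, "203.0.113.5", "emma"), (60, "203.0.113.5", "emma"),
    (120, "203.0.113.5", "emma"),    # third failure inside 5 minutes: locked out
    (0, "198.51.100.7", "emma"), (200, "198.51.100.7", "emma"),
    (400, "198.51.100.7", "emma"),   # first failure has aged out: still allowed
    (10, "192.0.2.9", "admin"),      # listed username: locked out straight away
]
```

Calling `simulate(SAMPLE, instant_lockout_names=["admin"])` shows that three slow guesses spread over more than five minutes do not trigger a lockout, which is why a longer retry time period gives stronger protection against patient guessing.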