Looking for something?

How to limit login attempts to your WordPress admin area

Security is often a factor that people consider when choosing a platform to run their website on.

And I often get asked about the security of WordPress website as there are lots of rumours out there suggesting that it isn’t safe.

WordPress is a safe platform to run a website on, but if you are worried then there are many security features that you can put in place to protect your website and it’s content. I’ve already talked about the importance of backing up your WordPress website here on the blog, but today I wanted to share with you another security measure that you can easily put in place; limiting login attempts.

Hackers may attempt to gain access to your WordPress admin area by guessing your username and password; a method known as brute force attack. The good news if you can easily install a plugin which will limit the number of times someone can attempt to log into your account, and lock out anyone who exceeds the limit.

In this post I’ll show you how to limit login attempts to your WordPress using the All In One WP Security & Firewall plugin.


1 | Install the All In One WP Security & Firewall plugin

Let’s start by installing a security plugin. Hover over Plugins in the left hand menu and click Add New.

Add new plugin in WordPress | HollyPryce.com

When you are on the plugins page, use the search bar to search for a plugin called All In One WP Security & Firewall. It looks a little something like this:

All In One WP Security & Firewall plugin | HollyPryce.com

Click Install Now and then when the plugin has installed, click Activate.

And that’s that! The All In One WP Security & Firewall plugin is ready to use.

2 | Enable login lockdown features

After you have installed the plugin you will see a new item in the left hand WordPress menu called WP Security. Hover over this link and click on User Login.

WP Security User Login | HollyPryce.com

This will take you to the User Login page. You’ll see at the top of the User Login page that there are a number of tabs. The Login Lockdown tab is selected by default which is good as this is the tab we are interested in right now!

On this page you’ll notice a section called Login Lockdown Options. The very first option in this section is “Enable Login Lockdown Feature”. You will need to tick the box next to this option to be able to use the login lockdown features.

Login lockdown options | HollyPryce.com

3 | Choose your login lockdown settings

Now you have enabled the login lockdown feature, it’s time to work through the login settings. I have explained each of these settings below.

Don’t forget, when you’ve finished changing your settings, make sure you click the blue Save Settings button at the bottom of the section.

Allow Unlock Requests

If a user gets locked out, you can allow them to generate an automatic unlock request. If you want to allow users to do this, tick the box next to this setting.

Login lockdown options | HollyPryce.com

Max Login Attempts

The Max Login Attempts setting allows you to set the maximum number of times that a user can try to login before they are locked out. By default this is set to 3 times.

Login lockdown options | HollyPryce.com

Login Retry Time Period

As well as setting the maximum of login attempts, you can also set a login retry time period. So, if a particular IP address reaches the maximum number of failed login attempts within the time period specified, they will be locked out and unable to log in. By default this is set to 5 minutes.

Login lockdown options | HollyPryce.com

Time Length of Lockout

If an IP address gets locked out, they will be locked out for a specific amount of time. You can specify what this length of time is. By default this is set to 60 minutes.

Login lockdown options | HollyPryce.com

Display Generic Error Message

If you tick this box then a generic error message will be displayed on the login page when someone tries to login and it fails.

Login lockdown options | HollyPryce.com

Instantly Lockout Invalid Usernames

If you tick the box next to this option then anyone who tried to login using a username that isn’t on the system will automatically be locked out.

Login lockdown options | HollyPryce.com

Instantly Lockout Specific Usernames

If there are certain usernames that you want to automatically lockout as soon as someone tries to login using them, you can enter these usernames into this box. Think of it as a username black list!

Login lockdown options | HollyPryce.com

This will not block out existing usernames. You should enter one username per line.

Notify By Email

If you tick the box next to this option then you will be sent an email to notify you each time someone is locked out because they’ve failed to login in. You can even specify which email address you would like these emails to be sent to.

Login lockdown options | HollyPryce.com


Looking for more helpful advice?

Sign up to receive my free monthly newsletter!

On the last Friday of each month, I send out my monthly newsletter jam-packed with tips, tricks and resources to help you create and maintain the WordPress website of your dreams. And it’s completely free!

Simply enter your name and email below to sign up…


.

 

You can unsubscribe at any time by clicking the link in the footer of my emails, and I promise never to send you any spam. For more information check out my privacy policy here.


How to limit login attempts to your WordPress admin area | HollyPryce.com


Comments

  1. Susanne says:

    I used this before but have switched to Shield because it blocks the ability to find WP usernames by scanning a site for user id. Do you know if All in one can do that now (I haven’t used it in a long time)? I liked All in one otherwise.

    • Holly Pryce says:

      I don’t think All In One has that feature sadly. I will have to look into Shield. This sounds like a great feature!

Leave a comment

Comment

* = Required. Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.