How to Limit Login Attempts in WordPress? [Should You Do It?]

WordPress is a popular platform for building websites. This popularity comes with security risks that hackers do with logging into your site. To prevent them from login to your site you can limit the login attempts on WordPress. limiting login attempts. Today, we will talk about how to limit login attempts on WordPress and why it is important. Let us jump into the details.

Understanding Limit Login Attempts in WordPress

Every time you or someone else tries to log into your WordPress site, it counts as a login attempt. If the details are correct, you get access to your site. If not, you get another chance to try again. 

Limit login attempts in WordPress means setting a limit on the number of times someone can try to log in to your WordPress site. If someone enters the wrong username or password too many times, they get locked out. This helps prevent hackers from guessing your login details.

Hackers can use something called brute force attacks to guess your password by trying different combinations. They use computer programs to make many guesses in a short time. To stop this, you need to limit login attempts in your WordPress site which we are going to discuss below. 

Why Should You Limit Login Attempts in WordPress?

Securing your WordPress site should be a top priority for any website owner. One effective method is to limit login attempts in WordPress. With this, you can safeguard your website from unauthorized access. Let us look at why limiting login attempts is necessary for your WordPress site:

Protection Against Attacks

Hackers try many different passwords until they find the right one, which is like trying every key on a keyring to unlock a door. By limiting login attempts, you prevent hackers from making numerous guesses, significantly reducing the chances of them guessing the correct password. This security measure makes it harder for them to gain unauthorized access to your site.

Enhanced Data Security

Every time someone attempts to log in, they are trying to access sensitive information stored on your site. By limiting login attempts, you add an extra layer of protection to this data. This is crucial for eCommerce sites or any website that handles personal user information, as it helps in maintaining data integrity and confidentiality.

Prevent Bot Attacks

Many login attempts are automated by bots that aim to guess passwords quickly and efficiently. By limiting login attempts, you can effectively block these bots, protecting your site from automated attacks. Preventing bot attacks not only secures your site but also improves its overall performance by reducing unnecessary traffic and resource usage.

Improved User Trust

When users know that you have robust cyber security measures in place, such as limiting login attempts, they are more likely to trust your website. This trust can lead to increased user engagement and loyalty, as visitors feel confident that their data is safe. Building this trust is essential for maintaining a positive reputation and encouraging users to interact with your site.

Reduced Risk of Account Compromise

Without limiting login attempts, hackers can keep trying to log in until they succeed, potentially compromising user accounts. By setting a limit, you reduce the risk of accounts being hacked, which can protect user data and maintain the integrity of your site. This is particularly important for websites that handle sensitive user information or provide user-specific services.

Minimized Downtime

A flood of login attempts can overwhelm your server, leading to site downtime. Limiting login attempts helps prevent this by reducing the load on your server, ensuring that your site remains accessible to genuine users. Minimizing downtime is crucial for maintaining a positive user experience and preventing potential loss of revenue or engagement.

Compliance with Security Standards

Implementing measures like limiting login attempts in WordPress helps you comply with various security standards and best practices. This compliance can be important for meeting industry regulations and maintaining the credibility of your website. Adhering to security standards not only protects your site but also demonstrates your commitment to maintaining a secure online environment.

By incorporating these practices, you can significantly enhance the security of your WordPress site, ensuring that it remains protected against unauthorized access and cyber threats. Limiting login attempts is a simple yet powerful step in building a robust defense system for your online presence.

How Many Login Attempts Should You Allow?

It is wise to set a limit for the number of login attempts. A common practice is to allow 3 to 5 attempts before blocking further tries. This gives genuine users a fair chance while keeping attackers at bay. When you limit login attempts on your WordPress site, make sure to balance between security and convenience.

Step-by-Step Guide: How to Limit Login Attempts?

WordPress limit login attempts have many ways to implement to your site, we will discuss the two most effortless ways one is using the limit login attempts plugin and the other one is using custom code to the functions.php file so that you can limit the login attempts and secure your site more.

Method 1: WordPress Limit Login Attempts Plugins 

Using plugins is the most simple and effective way to limit login attempts in WordPress. There are many plugins available to limit your login attempts on the WordPress site. We are using the Limit Login Attempts Reloaded plugin to show how you can limit login attempts. So, follow the step-by-step guide to use this plugin on your site.

Step 1: Install the Limit Login Attempts Reloaded plugin

Access your WordPress dashboard’s left-hand menu, hover over PluginsAdd New, and search for the Limit Login Attempts Reloaded plugin.

Once you find the plugin, click on the ‘Install’ button and then ‘Activate’ the plugin for your site. The plugin will activate for your site.

Step 2: Configure Plugin Settings

After activation, find the ‘Limit Login Attempts’ plugin from the navigation bar and go to ‘Settings’ of the plugin to customize the plugin settings.

Now scroll down a little bit and find the ‘Local App’ → ‘Lockout’ and set ‘allowed retries’ and ‘ minutes lockout’ as your preferences. There are many other options that you can try for your site to keep it more secure.

Step 3: Test the Plugin

Then, log out of your WordPress account and try logging in with incorrect credentials to ensure the plugin is functioning as expected.

Method 2: Using Custom Code to functions.php

The functions.php file in your WordPress theme allows you to add custom functionality to your site. By adding some custom code, you can limit login attempts.

Step 1: Access the functions.php File

You can access this file via the WordPress dashboard by going to Appearance > Theme File Editor and selecting the functions.php file. Make sure to back up the functions.php file before making any changes.

Step 2:  Add Custom Code

Add the following code to your functions.php file:

* Prevent Mass WordPress Login Attacks by setting locking the system when login fails.
* To be added in functions.php or as an external file.
if ( ! class_exists( ‘Limit_Login_Attempts’ ) ) {
    class Limit_Login_Attempts {

        var $failed_login_limit = 3;                    //Number of authentication accepted
        var $lockout_duration   = 1200;                 //Stop authentification process for 30 minutes: 60*30 = 1800
        var $transient_name     = ‘attempted_login’;    //Transient used

        public function __construct() {
            add_filter( ‘authenticate’, array( $this, ‘check_attempted_login’ ), 30, 3 );
            add_action( ‘wp_login_failed’, array( $this, ‘login_failed’ ), 10, 1 );

        * Lock login attempts of failed login limit is reached
        public function check_attempted_login( $user, $username, $password ) {
            if ( get_transient( $this->transient_name ) ) {
                $datas = get_transient( $this->transient_name );

                if ( $datas[‘tried’] >= $this->failed_login_limit ) {
                    $until = get_option( ‘_transient_timeout_’ . $this->transient_name );
                    $time = $this->when( $until );

                    //Display error message to the user when limit is reached
                    return new WP_Error( ‘too_many_tried’, sprintf( __( ‘<strong>ERROR</strong>: You have reached authentification limit, you will be able to try again in %1$s.’ ) , $time ) );

            return $user;

        * Add transient
        public function login_failed( $username ) {
            if ( get_transient( $this->transient_name ) ) {
                $datas = get_transient( $this->transient_name );

                if ( $datas[‘tried’] <= $this->failed_login_limit )
                    set_transient( $this->transient_name, $datas , $this->lockout_duration );
            } else {
                $datas = array(
                    ‘tried’     => 1
                set_transient( $this->transient_name, $datas , $this->lockout_duration );

        * Return difference between 2 given dates
        * @param  int      $time   Date as Unix timestamp
        * @return string           Return string
        private function when( $time ) {
            if ( ! $time )

            $right_now = time();

            $diff = abs( $right_now – $time );

            $second = 1;
            $minute = $second * 60;
            $hour = $minute * 60;
            $day = $hour * 24;

            if ( $diff < $minute )
                return floor( $diff / $second ) . ‘ secondes’;

            if ( $diff < $minute * 2 )
                return “about 1 minute ago”;

            if ( $diff < $hour )
                return floor( $diff / $minute ) . ‘ minutes’;

            if ( $diff < $hour * 2 )
                return ‘about 1 hour’;

            return floor( $diff / $hour ) . ‘ hours’;

//Enable it:
new Limit_Login_Attempts();

Here, you can customize the time length or the number of login attempts to access your site 

Step 3: Save Changes & Try to Exceed the Login Attempts

Now, save the changes to your functions.php file, log out from the dashboard and try to login with the wrong credentials. This code starts a session and keeps track of login attempts. If the maximum number of attempts is reached, it locks the user out for 20 minutes.

Limit Login Attempts & Protect Site From Brute Attacks

Limiting login attempts in WordPress is a simple and effective way to protect your site. It helps stop hackers, protect user data, and keep your site running smoothly. Whether you use plugins or add custom code, it is important to take steps to secure your site. By limiting login attempts on your WordPress site, you can make your site safer and more secure.

Was this blog helpful for you? To get more useful blogs like this, subscribe to our blogs and join our Facebook Community for all the latest updates. 

The post How to Limit Login Attempts in WordPress? [Should You Do It?] appeared first on WPDeveloper.

Leave a Reply

Your email address will not be published. Required fields are marked *