How to Limit Login Attempts in WordPress Site

Hackers are out there trying to break into your website to steal your data and take control of your site. Logging in to your website is the first thing they will be doing. Until you limit login attempts and safeguard your site, it is highly likely that your website will be hacked.

WordPress by default allows users to try logging in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks. Fortunately, you can limit login attempts on a WordPress site, and this article shows you how.

How to Limit Login Attempts in WordPress Site

Limiting login attempts is a good way to secure your WordPress site. It can drive brute-force attackers away and protect your site from them. There are several ways to restrict login attempts on a WordPress site: you can use a WordPress plugin, or you can add code to your theme's functions.php file. We will show you both ways here. The process is detailed enough that even a WordPress beginner can follow it and do the job successfully.

Limit Login Attempts in WordPress with a Plugin

If you search the WordPress plugin directory, you will find many plugins for this. After going through reviews and detailed analysis, we have picked the Limit Login Attempts Reloaded plugin. This plugin is user-friendly and does the job well.

Now, let's go through the process with the plugin. We will do this in two simple steps.

Step 1: Install and activate the plugin

You can install the plugin by going to Dashboard > Plugins > Add New and searching for the plugin there. Once you find it, click Install and then Activate. Alternatively, you can download the plugin first and then install it by uploading it. The Upload Plugin option is next to Add Plugins on the screen that appears after you click Plugins > Add New.

Step 2: Set up Limit Login Attempts Reloaded plugin

Once the plugin is installed and activated, it is time to set things up. Go to Settings > Limit Login Attempts. Here you can define the number of attempts and the lockout time, and enter an email address to notify on lockout. Once done, click the Save Options button below.

Limit Login Attempts in WordPress with Code

Yes, you can restrict login attempts in WordPress by adding custom code to the functions.php file. Some of you may not want to install a third-party plugin to do the job. For those who want to secure a WordPress site by limiting login attempts without installing a plugin, here is a piece of custom code.

// Runs on every login attempt (priority 30, after WordPress has checked the credentials).
function check_attempted_login( $user, $username, $password ) {
    // A single site-wide transient holds the failure count, so the limit is shared by all visitors.
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );

        if ( $datas['tried'] >= 3 ) {
            // Expiry time of the transient as stored in the options table
            // (this option is not written when a persistent object cache is in use).
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time = time_to_go( $until );

            return new WP_Error( 'too_many_tried',  sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ) , $time ) );
        }
    }

    return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

// Counts each failed login and (re)starts the 300-second window until the limit is reached.
function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;

        // Once the limit is reached the transient is no longer refreshed, so the lockout can expire.
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas , 300 );
        }
    } else {
        $datas = array(
            'tried'     => 1
        );
        set_transient( 'attempted_login', $datas , 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

// Formats the time between now and a Unix timestamp as text, e.g. "5 minutes".
function time_to_go($timestamp)
{
    $periods = array(
        "second",
        "minute",
        "hour",
        "day",
        "week",
        "month",
        "year"
    );
    // How many of each period make up the next larger one.
    $lengths = array(
        60,
        60,
        24,
        7,
        4.35,
        12
    );
    $current_timestamp = time();
    $difference = abs($current_timestamp - $timestamp);
    for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) - 1; $i ++) {
        $difference /= $lengths[$i];
    }
    $difference = round($difference);
    // Pluralise the period name unless the value is exactly 1.
    if ($difference != 1) {
        $periods[$i] .= "s";
    }
    $output = "$difference $periods[$i]";
    return $output;
}

Code credit: PHPPOT

Anyone who tries to log in more than 2 times with the wrong login credentials will see an error message and will be blocked for a specific period of time.
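The snippet above keeps one counter for the whole site, so three failed logins from any visitor lock the login form for every user. The variant below is an added example, not from the original post or PHPPOT: it keeps a separate counter per client address and stores the lockout expiry inside the transient. The vf_ function names and constants are hypothetical, and it assumes REMOTE_ADDR is the visitor's real address (no reverse proxy or CDN in front of the site).

```php
// Added example for functions.php, not the original post's code. vf_ names are hypothetical.
const VF_MAX_TRIES = 3;   // same limit as the snippet above
const VF_LOCK_SECS = 300; // same 5-minute lockout

// One transient per client address instead of one for the whole site.
// Assumption: REMOTE_ADDR is the visitor's address, not a proxy's.
function vf_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'vf_login_' . md5( $ip );
}

function vf_check_attempted_login( $user, $username, $password ) {
    $data = get_transient( vf_attempt_key() );
    if ( is_array( $data ) && $data['tried'] >= VF_MAX_TRIES ) {
        // Expiry is read from the stored value, so no _transient_timeout_
        // option lookup is needed and an object cache does not break it.
        $wait = human_time_diff( time(), $data['until'] );
        return new WP_Error(
            'too_many_tried',
            sprintf( __( '<strong>ERROR</strong>: Too many failed logins. Try again in %s.' ), $wait )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'vf_check_attempted_login', 30, 3 );

function vf_login_failed( $username ) {
    $key  = vf_attempt_key();
    $data = get_transient( $key );
    if ( ! is_array( $data ) ) {
        $data = array( 'tried' => 0 );
    }
    if ( $data['tried'] >= VF_MAX_TRIES ) {
        return; // already locked out: attempts made meanwhile do not extend it
    }
    $data['tried']++;
    $data['until'] = time() + VF_LOCK_SECS;
    set_transient( $key, $data, VF_LOCK_SECS );
}
add_action( 'wp_login_failed', 'vf_login_failed', 10, 1 );
```

Use this in place of the earlier snippet rather than alongside it, since both hook the same filter and action.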

Note: Set Strong Passwords

Your website password is your first defense against any malicious attack. We recommend that you set strong passwords for your WordPress login, because strong passwords are difficult to guess. It is better to generate passwords with the WordPress default system, which produces strong passwords from different character combinations. To do that, log in to your WordPress site, go to your Profile > Account Management > New Password, and click Generate Password.

Save the generated passwords somewhere safe for future use, because you won't be able to remember them due to their complex combinations. You can also log out from all other devices you previously logged in on by clicking the Log Out Everywhere Else button. Finally, save your changes by clicking the Update Profile button at the bottom.

Follow either of the two ways above to limit login attempts in WordPress and secure your site. Protect your site from brute-force attackers by adding an extra layer of security to your login system. For more such WordPress tutorials, visit Virfice regularly. Good luck.
