If you have a standard WordPress installation on your site then chances are that you’re getting hundreds (maybe even thousands) of malicious attacks on it per month. And one of the most common forms of WordPress attacks is, in essence, quite simple – a brute force attack.
Instead of hunting for vulnerabilities in the core WordPress software, an attacker running a brute force attack simply tries large numbers of username and password combinations until one works. This is possible because, by default, WordPress lets anyone submit login credentials as many times as they like: there is no lockout and no rate limit.
With this in mind, in this post, we’ll show you how you can deal with potential brute force attacks by limiting automated login attempts on your WordPress login page. We’ll also run the rule over a few plugin solutions which seek to address this problem.
A Note on Automated Brute Force Attacks on the WordPress Admin
Simply put, brute force attacks are when hackers or bots try out many different username and password combinations in hopes of ultimately gaining access to your site. According to the Sucuri blog, brute force attacks are one of the leading reasons why WordPress websites are compromised.
Even though WordPress regularly releases security updates, the number of brute force attacks on the WordPress admin continues to grow. Security updates fix bugs in the code, and a brute force attack exploits none; it relies on the fact that a standard installation lets anyone reach the login page and try as many username and password combinations as they like.
This doesn’t mean that there is a person sitting behind a computer furiously typing guesses. The attacker writes (or downloads) a script that works through common usernames such as admin and lists of leaked or popular passwords, and lets it run against the login page at machine speed, trying thousands of combinations a minute.
Why It’s a Good Idea to Limit Automated Login Attempts
The WordPress admin is easy to find. Add /wp-login.php to your site’s URL and you get the standard login page; /wp-admin/ redirects unauthenticated visitors to it. Every standard WordPress site exposes the same form at the same path, which is what makes it such an easy target for brute force attacks.
One way to deal with this problem is to hide your WordPress site’s login page. If attackers can’t find the login page, they can’t hammer it. Although this is a popular security measure, it is obscurity rather than a real control, and not everyone is in a position to implement it. Here are a few reasons why:
- Membership sites. If you run a membership website, your users need to reach the login page easily. Hiding it will confuse them and drive members away.
- E-commerce platforms. Most online stores allow users to create an account with them to simplify the checkout process and get exclusive access to promotions and reward points. If prospective customers have difficulty logging into your e-commerce site every time then they may stop buying from you.
- Online forums. Website owners who operate online forums need to make sure their users can log in with ease (and stay logged in for long periods of time). If your forum’s login page is hidden, you risk losing both users and traffic.
Thankfully, when it comes to minimizing the number of brute force attack attempts on the WordPress admin, there’s more than one way to deal with the problem. Case in point: limiting automated login attempts.
Whatever the size of your user base, limiting login attempts is a simple and effective way to shrink the number of guesses an attacker can make. The idea is straightforward: once a client (a person or a bot) submits more than a pre-defined number of incorrect username and password combinations within a given window, it is locked out for a specified period, so a script that could try thousands of passwords a minute is reduced to a handful per lockout period. Apply the limit to every path that accepts a password, not only the wp-login.php form: WordPress’s XML-RPC interface (xmlrpc.php) also accepts username and password logins.
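To make the mechanism concrete, here is a minimal must-use plugin that does what the paragraph describes. It is an added example written for this article, not code from WordPress core or from any of the plugins reviewed below. The thresholds (5 failures within 15 minutes triggers a 30-minute lockout), the example_lt_ prefix and the plugin name are assumptions chosen for illustration. It counts failures twice, per source IP and per target username, keeps the counters in WordPress transients, and refuses authentication through core’s authenticate filter while a lockout is active. Drop it into wp-content/mu-plugins/ to activate it.

```php
<?php
/*
Plugin Name: Example Login Throttle
Description: Added illustration for this article, not one of the plugins reviewed. Locks out an IP and a username after repeated failed logins.
*/

// Assumed thresholds: 5 failures within 15 minutes triggers a 30-minute lockout.
define( 'EXAMPLE_LT_MAX_FAILURES', 5 );
define( 'EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LT_LOCKOUT', 30 * MINUTE_IN_SECONDS );

/**
 * Client address. REMOTE_ADDR is the one address the client cannot forge.
 * Behind a reverse proxy or CDN it is the proxy's address; only then read the
 * proxy's forwarded-address header, and only after checking REMOTE_ADDR is that proxy.
 */
function example_lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient keys for the two counters: one per source IP, one per target username. */
function example_lt_keys( $username ) {
    return array(
        'example_lt_ip_' . md5( example_lt_client_ip() ),
        'example_lt_user_' . md5( strtolower( trim( (string) $username ) ) ),
    );
}

/** True while either the source IP or the username is locked out. */
function example_lt_is_locked( $username ) {
    foreach ( example_lt_keys( $username ) as $key ) {
        if ( get_transient( $key . '_lock' ) ) {
            return true;
        }
    }
    return false;
}

// Count every failure. Core fires this action from wp_authenticate(), which both
// wp-login.php and the XML-RPC login path use, so xmlrpc.php is covered too.
add_action( 'wp_login_failed', function ( $username ) {
    if ( example_lt_is_locked( $username ) ) {
        return; // attempts made during a lockout do not extend it
    }
    foreach ( example_lt_keys( $username ) as $key ) {
        $failures = (int) get_transient( $key ) + 1; // get_transient() returns false when unset
        if ( $failures >= EXAMPLE_LT_MAX_FAILURES ) {
            set_transient( $key . '_lock', time(), EXAMPLE_LT_LOCKOUT );
            delete_transient( $key );
        } else {
            set_transient( $key, $failures, EXAMPLE_LT_WINDOW );
        }
    }
} );

// Refuse authentication while locked, even if the password is now correct.
// Priority 30 runs after core's own username/password handlers (priority 20),
// so the WP_Error returned here cannot be overwritten by them.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // cookie-based checks pass an empty username; leave them alone
    }
    if ( example_lt_is_locked( $username ) ) {
        return new WP_Error(
            'example_lt_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counters so a genuine user is not locked out later.
add_action( 'wp_login', function ( $user_login ) {
    foreach ( example_lt_keys( $user_login ) as $key ) {
        delete_transient( $key );
    }
}, 10, 1 );
```

Two caveats apply to any implementation of this idea, including the plugins below. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy’s address, so every visitor shares one counter and one lockout; read the forwarded-address header only after confirming REMOTE_ADDR is that proxy. And a per-username lockout lets an attacker lock the real administrator out on purpose by sending wrong passwords for that name, so keep the username lockout short (or pair it with a CAPTCHA) and rely on the IP counter for the long block.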
3 Free Security Plugins to Limit Automated Login Attempts on WordPress
The WordPress plugin directory offers several free plugins that limit login attempts and so blunt brute force attacks. Let’s step through three of them and take a closer look at their key features.
WP Limit Login Attempts
WP Limit Login Attempts is a popular free plugin that limits the number of login attempts a client can make and temporarily blocks its IP address once the limit is exceeded. It was designed specifically to counter brute force attacks on the WordPress admin.
It also uses CAPTCHA verification to tell bots from people; by default it allows seven attempts.
Key Features:
- Allows site owners to track user login attempts.
- Temporarily blocks IP address of malicious user.
- Built-in CAPTCHA verification module.
Cerber Security & Limit Login Attempts
The Cerber Security & Limit Login Attempts plugin protects against both human attackers and bots running brute force attacks. It controls access with two IP lists: a Black IP Access List of addresses that are always blocked and a White IP Access List of addresses that are never locked out.
The standout feature on offer with this plugin is that it allows users to monitor intruder activity on the go and receive email, mobile, and desktop notifications.
Key Features:
- Allows users to limit automated login attempts by IP address and subnet.
- Logs all activities that are related to accessing the WordPress login page.
- Can disable the automatic redirect from /wp-admin/ to the WordPress login page.
Limit Login Attempts
Limit Login Attempts is a simple plugin that does exactly what its name says. The site owner defines how many login attempts are allowed; when a client exceeds that number within a specified time, its IP address is blocked for a lockout period.
Key Features:
- Allows site owners to track user login attempts.
- Blocks the IP of malicious users when they exceed the number of allowed login attempts.
- Offers support for Google reCAPTCHA.
Conclusion
There are several defensive strategies you can adopt to prevent hackers from gaining access to your WordPress admin. Protecting your site against brute force attacks is definitely a step in the right direction.
Let’s quickly recap the standout features on offer with each plugin:
- WP Limit Login Attempts allows you to track user login attempts and temporarily block malicious users by their IP addresses.
- The Cerber Security & Limit Login Attempts plugin blocks brute force attacks by both hackers and bots, with black and white IP access lists, limits by IP address and subnet, and email, mobile and desktop notifications.
- If you’re looking for a simple solution then Limit Login Attempts will help you get the job done and add an additional layer of security through Google reCAPTCHA.
Do you have any questions about how to limit automated login attempts in WordPress? Let us know by commenting below!
3 thoughts on “How to Limit Automated Login Attempts on WordPress”
Instead of an IP block, how do I block an existing user (given a correct username but a wrong password) for a specific number of attempts within a given time, so that other users on the same IP can still access the website with correct credentials? After that given time, the blocked user can try to log in again, of course, in WordPress.
I can’t see why I am getting this problem. I am the administrator, but I did not install any plugin to limit logins. If there is some default time that I will be locked out, does anyone know what that is? I’ve checked the MySQL database, but there is no option for the limit.
Hi Patricia, the timeout will depend on the plugin being used. Some hosts will install such security plugins by default if you use their automated install features, so perhaps that’s why you have such protection on your site. Check out which plugins are installed in the admin and you might find some clues.