Improve Security by Limiting Login Attempts on Your WordPress Website
Limiting the number of times a user can attempt to log in to your WordPress site helps reduce the risk of brute force attack. A brute force attack happens when an attacker tries to gain access by guessing your username and password through the process of cycling through combinations.
To help protect against brute force attacks, you want to limit the number of times any user can try to log in to your website. You can accomplish this in WordPress easily enough through the use of the Limit Login Attempts plugin. You can find this plugin in the WordPress Plugin Directory.
When you have the Limit Login Attempts plugin installed, follow these steps to configure the settings:
Click the Limit Login Attempts link in the Settings menu on your Dashboard.
The Limit Login Attempts Settings page opens in your Dashboard.
Select a configuration.
Under the Options heading, you see these four configurations:
4 allowed retries: This is the maximum number of times users are allowed to retry failed logins.
20 minutes lockout: This is the amount of time a user is prevented from retrying a login after he has reached the maximum allowed number.
4 lockouts increase lockout time to 24 hours: If a user is locked out 4 times after numerous failed login attempts, he then gets locked out for 24 hours.
12 hours until retries are reset: This is the amount of time before login retries are completely reset.
Select the Direct Connection option in the Site Connection section.
This option limits site connection to a single Internet Protocol. Alternatively, you can select this plugin to limit site connection from behind a proxy, if your users are using proxy IP’s to connect to the site.
Select Yes in the Handle Cookie Login section.
This option tells WordPress to set a cookie in the users browser for further identification. Alternatively, you can set this to No if you’re not worried about it — however, having Cookie Login Handling is a good extra security measure to have in place.
Select the Log IP option in the Notify on Lockout section.
This will notify the site administrator via email every time a user gets locked out. Alternatively, you can select the number of lockouts that will happen for a single user before it notifies the administrator via email.
Click the Change Options button at the bottom of the Limit Login Attempts Settings page.
This Limit Login Attempts Setting page refreshes with a message telling you that the plugin settings have been successfully saved.
If you are managing your own server, monitor your log in attempts to see if a malicious attacker is attempting repeated attempts to obtain passwords and usernames. Keep track of those IPs and if they repeatedly attempt to log in, add them to your server firewall to prevent them from burdening your server access points.