Skip to content

Prevent Brute Force Attacks in WordPress with the Limit Login Attempts Plugin

If you’re interested in securing your WordPress site (and you should be!), then Limit Login Attempts is a small, efficient, perfect plugin. It does one single thing—prevent brute force attacks against your WordPress site—and does it well.

Understanding Brute Force Attacks

Limit Login Attempts is a plugin meant to keep you secure from a “brute force” attack. This is where someone goes to your site, and tries to log-in repeatedly with variations of common passwords (or, much less commonly, things they think may be your personal password). So they’ll try “admin/password”, then “admin/123456” etc. If your real credentials happen to be in their list, and they’re are given unlimited retries, they’ll get in.

How Limit Login Attempts Helps Prevent Brute Force Attacks in WordPress

So how to protect a WordPress site from brute force attacks? That’s where Limit Login Attempts comes in–it limits them to three tries in 20 minutes. That’s good enough to slow down most bots (which are the common attackers in this case) enough that they give up and move on.

Installing and using Limit Login Attempts is easy. Here’s the video:

And here’s a text guide to using the plugin:

How to Secure Your WordPress Site from Brute Force Attacks with the Limit Login Attempts Plugin

  1. Go the the “Plugins > Add New” screen.
  2. Search for “Limit Login Attempts”.
  3. Find the plugin solely called “Limit Login Attempts” from Johan Eenfeldt.
  4. If you can’t find it, then go to https://wordpress.org/plugins/limit-login-attempts/, download the plugin as a ZIP, and then upload it using the “Upload Plugin” button in “Plugins > Add New.”
  5. Install and activate the plugin.
  6. You’re now protected from brute force attacks against your WordPress site.

A note: There are lots of variations on the Limit Login Attempts plugin, because the core one hasn’t been updated in eight years. Don’t let this scare you—the plugin simply already does what it’s supposed to do, and doesn’t need code changes for the sake of them.

This also means that the plugin’s now difficult to find in the plugin repository, because WordPress’s plugin search tool now “hides” plugins that haven’t been recently updated, even very popular ones. You’ll probably need to go with step 4 above if you can’t make step 3 work.

Limit Login Attempts still works fine, and it’s still the plugin to go with. You can use one of the more recent variants if you like—they’re just more likely to try to sell you things. 🙂

Want to Know More About Securing Your WordPress Site?

We literally wrote the book on WordPress security. For all the security advice you need—and none you don’t—start with our free in-depth guide to securing your WordPress site:

The Complete Guide to WordPress Security

Yay! 🎉 You made it to the end of the article!
David Hayes
Share:

5 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Mike
February 15, 2018 1:37 am

You’re advertising a plugin that hasn’t been updated in 5 years to help me secure my site? That goes against literally everything I know about WordPress…

Fred Meyer
February 15, 2018 6:31 pm
Reply to  Mike

Thanks for commenting, Mike. It’s definitely true that a lack of recent updates is often a warning sign for plugins, but there are exceptions.

The major exception is when a plugin does something very simple and hooks into a very stable piece of WordPress core. In those cases, years can pass without the plugin needing any sort of updates, because nothing about its environment is changing and because it’s already doing its very limited job perfectly. That’s the situation with Limit Login Attempts.

If you need further convincing: It’s on 2+ million sites and has 4.5 stars in the plugin repo, including numerous recent reviews. I’m pretty sure that the Scriptaculous WordPress installer script even gives you a checkbox option to install it as its only recommended plugin. So there are indicators of trust you can use beyond just update recency.

Voldemar
November 11, 2017 7:29 am

Yikes! That plugin has not been updated for 5 years! Are you serious David? That’s ridiculous…

Fred Meyer
November 13, 2017 10:40 am
Reply to  Voldemar

Age is just a number. 🙂 The plugin is extremely widely used and works great – it simply hasn’t needed an update in a good bit.

Sarah
November 4, 2017 8:38 am

Hey David,

Great article, you might want to check out BruteGuard which is a cloud powered brute force protection plugin. It’s 100% free and creates a network of sites that protect each other in a smart way.

Or start the conversation in our Facebook group for WordPress professionals. Find answers, share tips, and get help from other WordPress experts. Join now (it’s free)!