Prevent Brute Force Attacks in WordPress with the Limit Login Attempts Plugin

If you’re interested in securing your WordPress site (and you should be!), then Limit Login Attempts is a small, efficient, perfect plugin. It does one single thing—prevent brute force attacks against your WordPress site—and does it well.

Understanding Brute Force Attacks

Limit Login Attempts is a plugin meant to keep you secure from a “brute force” attack. This is where someone goes to your site and tries to log in repeatedly with variations of common passwords (or, much less commonly, things they think may be your personal password). So they’ll try “admin/password”, then “admin/123456”, etc. If your real credentials happen to be in their list, and they’re given unlimited retries, they’ll get in.

How Limit Login Attempts Helps Prevent Brute Force Attacks in WordPress

So how do you protect a WordPress site from brute force attacks? That’s where Limit Login Attempts comes in: it limits them to three tries in 20 minutes. That’s good enough to slow down most bots (which are the common attackers in this case) enough that they give up and move on.
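To see what a three-tries-in-20-minutes limit means for your own traffic, the sketch below replays a web server access log and counts, per IP, the failed logins that such a limit would have refused. It is an added example, not the plugin's code: it treats the limit as a rolling window, assumes Combined Log Format, and assumes a failed login shows up as a `POST` to `wp-login.php` answered with status 200; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_TRIES = 3                   # the article's figure: three tries ...
WINDOW = timedelta(minutes=20)  # ... in 20 minutes

# Combined Log Format; only the fields used below are captured.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for every request that looks like a failed login."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        is_login = m["path"].split("?")[0].endswith("/wp-login.php")
        # Assumption: a failed login re-renders the form (200), while a
        # successful one redirects to the dashboard (302).
        if is_login and m["method"] == "POST" and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def refused_attempts(lines, max_tries=MAX_TRIES, window=WINDOW):
    """Count, per IP, the failed logins beyond max_tries within the window."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    refused = defaultdict(int)
    for ip, ts in failed_logins(lines):  # log order is assumed chronological
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()          # forget failures older than the window
        q.append(ts)
        if len(q) > max_tries:
            refused[ip] += 1
    return dict(refused)

def _line(ip, hms, method, path, status):
    return (f'{ip} - - [01/Jan/2024:{hms} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = (
    # one client failing six times within a minute
    [_line("203.0.113.7", f"01:30:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 60, 10)]
    # a user who mistypes once, then logs in successfully
    + [_line("198.51.100.20", "01:31:00", "POST", "/wp-login.php", 200),
       _line("198.51.100.20", "01:31:20", "POST", "/wp-login.php", 302)]
    # a user who mistypes now and then over 45 minutes
    + [_line("192.0.2.5", f"01:{m:02d}:00", "POST", "/wp-login.php", 200)
       for m in (0, 15, 30, 45)]
)

if __name__ == "__main__":
    print(refused_attempts(SAMPLE_LOG))
```

Only the client with six rapid failures exceeds the limit; the two users who mistype occasionally are never refused.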

Installing and using Limit Login Attempts is easy. Here’s a text guide to using the plugin:

How to Secure Your WordPress Site from Brute Force Attacks with the Limit Login Attempts Plugin

  1. Go to the “Plugins > Add New” screen.
  2. Search for “Limit Login Attempts”.
  3. Find the plugin solely called “Limit Login Attempts” from Johan Eenfeldt.
  4. If you can’t find it, then go to, download the plugin as a ZIP, and then upload it using the “Upload Plugin” button in “Plugins > Add New.”
  5. Install and activate the plugin.
  6. You’re now protected from brute force attacks against your WordPress site.

A note: There are lots of variations on the Limit Login Attempts plugin, because the core one hasn’t been updated in eight years. Don’t let this scare you—the plugin simply already does what it’s supposed to do, and doesn’t need code changes for the sake of them.

This also means that the plugin’s now difficult to find in the plugin repository, because WordPress’s plugin search tool now “hides” plugins that haven’t been recently updated, even very popular ones. You’ll probably need to go with step 4 above if you can’t make step 3 work.

Limit Login Attempts still works fine, and it’s still the plugin to go with. You can use one of the more recent variants if you like—they’re just more likely to try to sell you things. 🙂

Want to Know More About Securing Your WordPress Site?

We literally wrote the book on WordPress security. For all the security advice you need—and none you don’t—start with our free in-depth guide to securing your WordPress site:

The Complete Guide to WordPress Security

David Hayes

February 15, 2018 1:37 am

You’re advertising a plugin that hasn’t been updated in 5 years to help me secure my site? That goes against literally everything I know about WordPress…

Fred Meyer
February 15, 2018 6:31 pm
Reply to  Mike

Thanks for commenting, Mike. It’s definitely true that a lack of recent updates is often a warning sign for plugins, but there are exceptions.

The major exception is when a plugin does something very simple and hooks into a very stable piece of WordPress core. In those cases, years can pass without the plugin needing any sort of updates, because nothing about its environment is changing and because it’s already doing its very limited job perfectly. That’s the situation with Limit Login Attempts.

If you need further convincing: It’s on 2+ million sites and has 4.5 stars in the plugin repo, including numerous recent reviews. I’m pretty sure that the Scriptaculous WordPress installer script even gives you a checkbox option to install it as its only recommended plugin. So there are indicators of trust you can use beyond just update recency.

November 11, 2017 7:29 am

Yikes! That plugin has not been updated for 5 years! Are you serious David? That’s ridiculous…

Fred Meyer
November 13, 2017 10:40 am
Reply to  Voldemar

Age is just a number. 🙂 The plugin is extremely widely used and works great – it simply hasn’t needed an update in a good bit.

November 4, 2017 8:38 am

Hey David,

Great article, you might want to check out BruteGuard which is a cloud powered brute force protection plugin. It’s 100% free and creates a network of sites that protect each other in a smart way.
