Prevent Brute Force Attacks in WordPress with the Limit Login Attempts Plugin
If you’re interested in securing your WordPress site (and you should be!), then Limit Login Attempts is a small, efficient, perfect plugin. It does one single thing—prevent brute force attacks against your WordPress site—and does it well.
Understanding Brute Force Attacks
Limit Login Attempts is a plugin meant to keep you secure from a “brute force” attack. This is where someone goes to your site and tries to log in repeatedly with variations of common passwords (or, much less commonly, things they think may be your personal password). So they’ll try “admin/password”, then “admin/123456”, etc. If your real credentials happen to be in their list, and they’re given unlimited retries, they’ll get in.
How Limit Login Attempts Helps Prevent Brute Force Attacks in WordPress
So how do you protect a WordPress site from brute force attacks? That’s where Limit Login Attempts comes in: it limits them to three tries in 20 minutes. That’s good enough to slow down most bots (which are the common attackers in this case) enough that they give up and move on.
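To see what a limit of three tries in 20 minutes does to a password list, here is a small model of such a limiter. It is an added example, not the plugin's own code. It assumes failures are counted per client address in a sliding window and that refused attempts are not counted again. All names and sample values are constructed.

```python
from collections import defaultdict, deque

MAX_TRIES = 3        # tries per window, the figure given in the article
WINDOW = 20 * 60     # 20 minutes in seconds, the figure given in the article

class LoginLimiter:
    """Per-address sliding-window limiter (a model, not the plugin's code)."""
    def __init__(self, max_tries=MAX_TRIES, window=WINDOW):
        self.max_tries, self.window = max_tries, window
        self.failures = defaultdict(deque)   # address -> times of failed tries

    def allowed(self, addr, now):
        q = self.failures[addr]
        while q and now - q[0] >= self.window:   # drop failures older than the window
            q.popleft()
        return len(q) < self.max_tries

    def record_failure(self, addr, now):
        self.failures[addr].append(now)

    def reset(self, addr):                   # called after a successful login
        self.failures.pop(addr, None)

def replay(limiter, attempts, check_password):
    """Replay (time, addr, user, password) tuples and return each outcome."""
    outcomes = []
    for now, addr, user, password in attempts:
        if not limiter.allowed(addr, now):
            outcomes.append("blocked")       # refused before the password is checked
        elif check_password(user, password):
            limiter.reset(addr)
            outcomes.append("ok")
        else:
            limiter.record_failure(addr, now)
            outcomes.append("failed")
    return outcomes

def earliest_guess_time(n, max_tries=MAX_TRIES, window=WINDOW):
    """Seconds before one address can submit its n-th guess (n starts at 1)."""
    return ((n - 1) // max_tries) * window

# Constructed sample: one client (documentation address) walking a password list.
REAL = ("admin", "constructed-example-passphrase")
SAMPLE = [(t, "203.0.113.5", "admin", pw) for t, pw in [
    (0, "password"), (5, "123456"), (10, "letmein"),
    (15, REAL[1]), (1199, REAL[1]), (1200, REAL[1])]]

def demo():
    return replay(LoginLimiter(), SAMPLE, lambda u, p: (u, p) == REAL)

if __name__ == "__main__":
    print(demo())
    print(earliest_guess_time(10_000) / 86400, "days for a 10,000-entry list")
```

In the sample, the fourth and fifth attempts are refused even though they carry the correct password, which is also why a locked-out legitimate user has to wait for the window to pass.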
Installing and using Limit Login Attempts is easy. Here’s the video:
And here’s a text guide to using the plugin:
How to Secure Your WordPress Site from Brute Force Attacks with the Limit Login Attempts Plugin
1. Go to the “Plugins > Add New” screen.
2. Search for “Limit Login Attempts”.
3. Find the plugin called simply “Limit Login Attempts”, by Johan Eenfeldt.
4. If you can’t find it, then go to https://wordpress.org/plugins/limit-login-attempts/, download the plugin as a ZIP, and then upload it using the “Upload Plugin” button in “Plugins > Add New.”
5. Install and activate the plugin.
6. You’re now protected from brute force attacks against your WordPress site.
A note: There are lots of variations on the Limit Login Attempts plugin, because the core one hasn’t been updated in eight years. Don’t let this scare you—the plugin simply already does what it’s supposed to do, and doesn’t need code changes for the sake of them.
This also means that the plugin’s now difficult to find in the plugin repository, because WordPress’s plugin search tool now “hides” plugins that haven’t been recently updated, even very popular ones. You’ll probably need to go with step 4 above if you can’t make step 3 work.
Limit Login Attempts still works fine, and it’s still the plugin to go with. You can use one of the more recent variants if you like—they’re just more likely to try to sell you things. 🙂
Want to Know More About Securing Your WordPress Site?
We literally wrote the book on WordPress security. For all the security advice you need—and none you don’t—start with our free in-depth guide to securing your WordPress site: