Limit Login Attempts to Prevent Brute Force Attacks

zombies at gate

Many people are worried about WordPress security. The core project is secure (if updated) but that doesn’t stop people form worrying. That said, it doesn’t mean that there is no benefit from taking steps to harden the base configuration. I personally dislike most “security” plugins–they feel too big to me and the benefits they confer are small or unknown.

There is an exception though, Limit Login Attempts is a small, svelte perfect plugin. It does one single thing, and does it well. People may be scared off by it’s not having been updated in five years, but it still works perfectly for me. And I think it addresses one of the obvious ways to harden WordPress quickly.

Why the Limit Login Attempts Plugin?

Limit Login Attempts is a plugin meant to keep you secure from a “brute force” attack. This is where someone goes to your site, and tries to log-in repeatedly with variations of common passwords (or, much less commonly, things they think may be your personal password). So they’ll try “admin/password”, then “admin/123456” etc. If your real credentials happen to be in their list, and they’re are given unlimited retries, they’ll get in. That’s where Limit Login Attempts comes it–it limits them to three tries in 20 minutes. That’s good enough to slow down most bots (which are the common attackers in this case) enough that they give up and move on.

Installing and using is easy, here’s the video:

How to Secure Your WordPress Site from a Brute-Force Attack

  1. Go the the “Plugins > Add New” screen.
  2. Search for “Limit Login Attempts”.
  3. Find the plugin solely called “Limit Login Attempts” from Johan Eenfeldt.
  4. Install and activate that plugin.
  5. You’re now protected.

There at lots of variations on the Limit Login Attempts plugin, because the core one hasn’t been updated in five years. But it still works fine. If you like, you can use one of the more modern variants. They’re just more likely to try to sell you things. 🙂

5 Responses


  • Sarah says:

    Hey David,

    Great article, you might want to check out BruteGuard which is a cloud powered brute force protection plugin. It’s 100% free and creates a network of sites that protect each other in a smart way.

  • Voldemar says:

    Yikes! That plugin has not been updated for 5 years! Are you serious David? That’s ridiculous…

  • Mike says:

    You’re advertising a plugin that hasn’t been updated in 5 years to help me secure my site? That goes against literally everything I know about WordPress…

    • Fred Meyer Fred Meyer says:

      Thanks for commenting, Mike. It’s definitely true that a lack of recent updates is often a warning sign for plugins, but there are exceptions.

      The major exception is when a plugin does something very simple and hooks into a very stable piece of WordPress core. In those cases, years can pass without the plugin needing any sort of updates, because nothing about its environment is changing and because it’s already doing its very limited job perfectly. That’s the situation with Limit Login Attempts.

      If you need further convincing: It’s on 2+ million sites and has 4.5 stars in the plugin repo, including numerous recent reviews. I’m pretty sure that the Scriptaculous WordPress installer script even gives you a checkbox option to install it as its only recommended plugin. So there are indicators of trust you can use beyond just update recency.

Add a Comment

Your email address will not be published. Required fields are marked *