Limit Login Attempts to Prevent Brute Force Attacks
Many people are worried about WordPress security. The core project is secure (if updated) but that doesn’t stop people from worrying. That said, it doesn’t mean that there is no benefit in taking steps to harden the base configuration. I personally dislike most “security” plugins–they feel too big to me and the benefits they confer are small or unknown.
There is an exception though: Limit Login Attempts is a small, svelte, perfect plugin. It does one single thing, and does it well. People may be scared off by its not having been updated in five years, but it still works perfectly for me. And I think it addresses one of the obvious ways to harden WordPress quickly.
Why the Limit Login Attempts Plugin?
Limit Login Attempts is a plugin meant to keep you secure from a “brute force” attack. This is where someone goes to your site and tries to log in repeatedly with variations of common passwords (or, much less commonly, things they think may be your personal password). So they’ll try “admin/password”, then “admin/123456”, etc. If your real credentials happen to be in their list, and they’re given unlimited retries, they’ll get in. That’s where Limit Login Attempts comes in–it limits them to three tries in 20 minutes. That’s good enough to slow down most bots (which are the common attackers in this case) enough that they give up and move on.
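To make the mechanism concrete, here is an added illustration in Python of the lockout logic the paragraph describes (it is not the plugin’s own code, which is PHP): a per-client sliding window of failed attempts, refusal once the limit is reached, and a lockout record an administrator can alert on. The client addresses, timestamps and the stand-in password are constructed inputs.

```python
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 3          # the page: three tries ...
WINDOW_SECONDS = 20 * 60  # ... in 20 minutes


class LoginLimiter:
    """Hypothetical per-client failure counter: MAX_FAILURES failures inside a
    sliding WINDOW_SECONDS lock the client out for another WINDOW_SECONDS."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # client -> failure timestamps
        self._locked_until = {}              # client -> unlock time
        self.lockouts = []                   # (client, time) for logging/alerting

    def is_locked(self, client, now):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[client]       # lockout expired: fresh start
        self._failures[client].clear()
        return False

    def record_failure(self, client, now):
        q = self._failures[client]
        while q and now - q[0] >= self.window:  # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[client] = now + self.window
            self.lockouts.append((client, now))

    def record_success(self, client):
        self._failures[client].clear()


def login(limiter, client, password, now, real_password="correct horse"):
    """Returns 'locked', 'ok' or 'failed'; the limiter is checked before the password."""
    if limiter.is_locked(client, now):
        return "locked"                      # never reaches the password comparison
    if hmac.compare_digest(password, real_password):  # stand-in for WordPress's check
        limiter.record_success(client)
        return "ok"
    limiter.record_failure(client, now)
    return "failed"
```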
Installing and using it is easy; here’s the video:
How to Secure Your WordPress Site from a Brute-Force Attack
- Go to the “Plugins > Add New” screen.
- Search for “Limit Login Attempts”.
- Find the plugin solely called “Limit Login Attempts” from Johan Eenfeldt.
- Install and activate that plugin.
- You’re now protected.
There are lots of variations on the Limit Login Attempts plugin, because the core one hasn’t been updated in five years. But it still works fine. If you like, you can use one of the more modern variants. They’re just more likely to try to sell you things. 🙂