WordPress by default allows unlimited login attempts. This allows passwords to be cracked via brute-force relatively easily. Using the Limit Login Attempts Reloaded plugin, you can set the number of times a user can attempt to log in before blocking them from making further login attempts.
Though WordPress is a secure platform, this doesn’t make your site immune to break-ins. By installing Limit Login Attempts Reloaded plugin, you can protect your websites login form from being brute forced.
You can download the Limit Login Attempts Reloaded plugin from WordPress repository.
Features
- Limit the number of retry attempts when logging in. You can configure the limit settings per each IP address.
- Informs the user about the remaining retries or lockout time on the login page.
- Optional logging and optional email notification.
- It is possible to whitelist/blacklist IPs and Usernames.
- WooCommerce login page protection.
- Sucuri Website Firewall compatibility.
- XMLRPC gateway protection.
- Multi-site compatibility with extra MU settings.
- Custom IP origins support (Cloudflare, Sucuri, etc.)
- GDPR compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).
- Supports multiple languages.
Conclusion
- Brute force attacks are a common attack vector for hackers, and WordPress sites are often easy targets.
- To prevent hackers and bots from brute-forcing your login form, you can install and configure Limit Login Attempts Reloaded plugin.