Brute force is one of the most common forms of cyber attack. It is a technique in which an attacker tries to log in to a website with random combinations of usernames and passwords. The attacker keeps trying different combinations until one matches. To reduce the risk of brute-force attacks, you can limit the login attempts on your site. In WordPress, several security plugins offer a feature to limit login attempts. One of them is Limit Login Attempts Reloaded. This article will show you how to use the plugin to limit login attempts on your WordPress site.
In addition to limiting login attempts, you can also add reCAPTCHA to your WordPress login page as an extra layer of protection. If you are looking for a plugin that lets you both add reCAPTCHA to the login page and limit login attempts, you can give Cerber Security a try (it can be used for free). Limit Login Attempts Reloaded is designed specifically to limit login attempts. It has no feature to add reCAPTCHA.
How to limit login attempts in WordPress using Limit Login Attempts Reloaded
First and foremost, you need to install and activate the Limit Login Attempts Reloaded plugin on your WordPress site before you can use it. If you are new to WordPress, you can read our previous article to learn how to install a WordPress plugin. Once the plugin is installed and activated, go to Settings -> Limit Login Attempts on your WordPress dashboard. Under the Settings tab, scroll down to the App Settings block. In the Lockout section, use the allowed retries option to set the maximum number of login attempts you want to allow. Use the minutes lockout option to set how long a user stays locked out after being blocked.
There are two other options you can set. With the lockouts increase lockout time to option, you can increase the lockout duration when users attempt to log in again after they get locked out. With the hours until retries are reset option, you can set the duration (in hours) until retries are reset.
If everything went well, you will get a notification about the remaining login attempts if you fail to log in on your first attempt.
If you want to exclude your IP address, you can go to the Logs tab on the Limit Login Attempts Reloaded settings page (Settings -> Limit Login Attempts Reloaded). Paste your IP address into the IP address column in the Safelist section. You can add more IP addresses by entering them one per line.
If there are IP addresses you want to block, you can add them to the IP address column in the Blocklist section. Just don’t forget to click the Save Changes button after you add IP addresses.
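To see how the four lockout options and the Safelist and Blocklist interact before you pick values, the following Python model is an added example, not the plugin's own code. The field names, the sample values and the exact rules (when counters reset, which list wins) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:  # constructed sample values, not the plugin's defaults
    allowed_retries: int = 3       # "allowed retries"
    lockout_minutes: int = 20      # "minutes lockout"
    lockouts_before_long: int = 2  # N in "N lockouts increase lockout time to"
    long_lockout_hours: int = 24   # the increased lockout time, in hours
    reset_hours: int = 12          # "hours until retries are reset"
    safelist: set = field(default_factory=set)   # IPs as normalised strings
    blocklist: set = field(default_factory=set)

class Limiter:
    def __init__(self, policy):
        self.p = policy
        self.state = {}  # ip -> [failures, lockouts, last_failure, locked_until]

    def failed_login(self, ip, now):
        """Record a failed login at time `now` (seconds) and return the decision."""
        ip = str(ipaddress.ip_address(ip))  # normalise; raises on malformed input
        if ip in self.p.safelist:           # assumption: the safelist wins
            return "allowed (safelisted)"
        if ip in self.p.blocklist:
            return "denied (blocklisted)"
        s = self.state.setdefault(ip, [0, 0, now, 0])
        if now < s[3]:
            return "denied (locked out)"
        if now - s[2] >= self.p.reset_hours * 3600:
            s[0] = 0  # quiet for long enough: retries reset, lockout count kept
        s[0] += 1
        s[2] = now
        if s[0] < self.p.allowed_retries:
            return f"{self.p.allowed_retries - s[0]} attempt(s) remaining"
        s[0] = 0      # retries used up: start a lockout
        s[1] += 1
        if s[1] >= self.p.lockouts_before_long:
            duration = self.p.long_lockout_hours * 3600  # repeat offender
        else:
            duration = self.p.lockout_minutes * 60
        s[3] = now + duration
        return f"locked out for {duration // 60} min"
```

Feeding it a sequence of timestamps shows, for example, how many guesses per day a given combination of settings still permits from a single address.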