Hackers are always looking for vulnerable websites that they can compromise and use for their own nefarious means. One method that they usually employ is to try thousands upon thousands of passwords to access your site. A simple way to restrict them is to limit the number of login attempts they can make.
Limit Login Attempts
Many hackers use what is called a brute force attack. Basically, they try a predictable username (such as “admin”) and then try every password combination starting with the most common (such as “password123”). One way to increase website security is to limit the number of attempts at guessing your password. If they are stopped after a couple attempts, they generally move on looking for easier targets.
To limit the number of passwords that can be tried, I recommend using the Limit Login Attempts plugin. Once installed and activated it is very simple to use. In fact, you normally don’t need to do anything else after you activate it.
Once activated, you can view the settings for Limit Login Attempts by clicking on Settings and then Limit Login Attempts in your left WordPress menu bar.
The settings are pretty straightforward and I normally recommend leaving the defaults alone.
When someone attempts to login to your WordPress website with incorrect username and password combo, it is called a failed attempt. When someone uses the same computer to fail again, that is called a failed retry. If someone gets too many failed tries, then they are “locked out” for a certain period of time. It means that WordPress will not allow them to try to login.
Limit Login Attempts Settings
The first area of settings is the statistics. This tells you if anyone has tried multiple times to login and has been locked out as a result of that.
Under the Lockout section of Options are four fields. The first is how many retries are allowed. The default value is 4. If someone fails at 4 retry attempts to login they will be locked out. The second field is the amount of time they will be locked out for. By default it is 20 minutes.
The third field specifies what to do after the user has received multiple lockouts. By default if someone gets locked out 4 times (having to wait 20 minutes between each lockout), then the lockout time will be extended from 20 minutes to 24 hours. The fourth field determines the time span for counting lockouts for the third field. By default the time span is 12 hours, so a person (or spambot) would need to get 4 lockouts in 12 hours to then be locked out for 24 hours.
The Site connection option is how users login to your website. Normally this direct connection.
Handle cookie login allows WordPress to remember that you are logged in. Normally when you go to login to WordPress there is a checkbox asking if you want to stay logged in. Selecting “Yes” to cookie login allows that checkbox.
The last option is what to do if someone gets locked out. By default it will log their IP address (the address of their internet connection). If you would like you can also have the administrator of your blog (set in WordPress Settings) emailed after a certain number of lockouts (default is four to match the increased lockout time above).
Stopping hackers from pounding your site with thousands of passwords is a simple and effective step in keeping your WordPress website secure. You should also remember to avoid using “admin” as a username for your site since it is the most commonly tried username. If you need help with getting of the admin username, read Adding and Removing WordPress Users Tutorial.