How to Limit Login Attempts in WordPress

More than 70% of the most popular WordPress sites are said to be vulnerable to attack. Bad news, right? The good news is that staying out of that group mostly takes discipline with a few simple WordPress security rules. A good first step is limiting login attempts on your site. Here is why.

By default, WordPress never limits how many times a client may submit a wrong password. That is convenient, but it is exactly what a bot or a human attacker needs: they submit username/password combinations one after another, at machine speed, until one is accepted, and then they are inside your site. This is a brute-force attack.

Preventing it is straightforward: limit the number of failed login attempts WordPress will accept before it stops answering. Here is how.

Content

  1. How to limit login attempts using a plugin
  2. WordPress Limit Login Attempts Without a Plugin
  3. How to Disable Limit Login Attempts in WordPress
  4. Why should you limit login attempts?
  5. Pros and cons of limiting login attempts
  6. More WordPress security tips
  7. Conclusion

How to Limit Login Attempts Using a Plugin

The easiest way to limit login attempts in WordPress is with the ‘Limit Login Attempts Reloaded’ plugin. It counts failed logins per IP address, locks an address out after a configurable number of failures, lets you safelist or blocklist addresses and usernames, and can notify you by e-mail when a lockout happens.

Limit login attempts reloaded plugin

We’ll use this plugin for the following reasons:

  1. It is used actively on over 1 million websites.
  2. The plugin gets regular updates.
  3. It is tested with the latest WordPress version.
  4. Has an impressive 4.9/5 star rating.
  5. It is absolutely free.

To get started with the ‘Limit Login Attempts Reloaded’ plugin, navigate to ‘Plugins >> Add New’ on your WordPress dashboard

Adding a new plugin in WordPress

Type ‘Limit Login Attempts Reloaded’ in the search bar. Next, click the ‘Install Now’ button next to the plugin.

Installing the limit login attempts reloaded plugin

After installation is complete, click ‘Activate’. Now, you have the plugin fully working. It’s time to configure it. 

To do this, go to ‘Settings >> Limit Login Attempts’.

'limit login attempts reloaded' plugin settings

This will take you to the plugin settings page. 

In the ‘General Settings’ section you can turn the plugin’s GDPR compliance option on or off and enter the e-mail address that should receive lockout notifications.

Making general settings: limit login attempts in wordpress

In the ‘App Settings’ section, set how many failed attempts are allowed before an IP address is locked out and how long the lockout lasts. Keep the attempt count small (four or five) and the lockout measured in minutes rather than seconds; that is what turns thousands of guesses an hour into a handful.

App settings: limit login attempts in WordPress

The ‘Logs’ tab also holds the safelist and blocklist. Any IP address or username you safelist is never locked out, however many failures it accumulates. Anything you blocklist is refused permanently, which is useful once you see sustained attempts from one address.

Two cautions. Safelist by IP address, not by username: a safelisted username is exactly the account an attacker can then guess at without limit. And if your site sits behind a CDN or reverse proxy, every visitor reaches the plugin from the proxy’s address unless the plugin is told which header carries the real client IP (its trusted IP origins setting); otherwise one attacker’s failures lock out everybody, and blocklisting the proxy address blocks the whole site.

After making all settings, don’t forget to click the ‘Save Changes’ button.

Further settings

There you go! You have successfully limited login attempts on your WordPress site.

WordPress Limit Login Attempts Without a Plugin

If you would rather not add another plugin, you can limit login attempts with a few lines of code. Back up your site first, using one of our top WordPress backup plugins, so a typo in PHP cannot take the site down without a way back.

Once you have a fresh backup, connect to your site via SFTP (or FTP if that is all your host offers). Open the public_html folder (or wherever your WordPress files live), then go to wp-content >> themes.

Open your active theme’s folder and find functions.php. Right-click the file, choose edit, and paste the code below at the end. Two practical notes: code in a theme’s functions.php is lost when the theme is updated or switched, so a child theme or a file in wp-content/mu-plugins/ is a safer home for it; and a syntax error here breaks every page on the site, which is why the backup matters.

Code: Limit Login Attempts in WordPress

// Runs on every authentication attempt. If the shared counter has reached 3,
// refuse the login (even a correct password) until the transient expires.
function check_attempted_login( $user, $username, $password ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            // Unix timestamp at which the transient expires. This option only exists
            // when transients live in the database; with a persistent object cache it
            // is missing and the message below will show a meaningless duration.
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time  = time_to_go( $until );
            return new WP_Error( 'too_many_tried', sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ), $time ) );
        }
    }
    return $user;
}
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so the lockout error replaces a successful result as well as a failed one.
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

// Fires after any failed login. Bumps the shared counter; the transient
// lives for 300 seconds (5 minutes) from the last increment that is saved.
function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;
        if ( $datas['tried'] <= 3 )
            set_transient( 'attempted_login', $datas, 300 );
    } else {
        $datas = array(
            'tried' => 1
        );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

// Renders the time between now and a Unix timestamp as "N seconds", "N minutes", ...
function time_to_go( $timestamp )
{
    $periods = array( "second", "minute", "hour", "day", "week", "month", "year" );
    $lengths = array( "60", "60", "24", "7", "4.35", "12" );
    $current_timestamp = time();
    $difference = abs( $current_timestamp - $timestamp );
    for ( $i = 0; $difference >= $lengths[$i] && $i < count( $lengths ) - 1; $i++ ) {
        $difference /= $lengths[$i];
    }
    $difference = round( $difference );
    if ( $difference != 1 ) {
        $periods[$i] .= "s";
    }
    $output = "$difference $periods[$i]";
    return $output;
}

Finally, save the file and upload it back to the server.

If you have followed the process correctly, the site refuses further login attempts for five minutes after three failures. Be clear about what this snippet does, though: it keeps one counter in a single transient for the whole site, not one per IP address or per username. Three wrong passwords from anyone, including a bot, lock out everyone, you included, for the 300 seconds the transient lives, and a bot that retries every few minutes keeps the login closed most of the time. It also reads the transient’s expiry from the options table, which is empty when a persistent object cache is in use. Treat it as a minimal illustration of the authenticate and wp_login_failed hooks rather than a production control.
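The snippet above is fine for seeing the two hooks in action, but in practice the counters need to be scoped to the client. The following is an added example written for this article, not code from the original post or from FixRunner, that keeps a separate failure count per client IP address and per username, clears the counts on a successful login, and stores the lockout expiry inside the transient so it also works with a persistent object cache. It is meant to be saved as a must-use plugin (wp-content/mu-plugins/login-throttle.php). The attempt limit, the window and lockout lengths, the transient key names and the optional LOGIN_THROTTLE_TRUSTED_PROXIES constant are all assumptions of this example, not settings WordPress provides.

```php
<?php
/**
 * Plugin Name: Per-client login throttle (added example)
 *
 * Added example for this article, not FixRunner's or WordPress's code. Save as
 * wp-content/mu-plugins/login-throttle.php so it loads whatever theme is active.
 * Failures are keyed on the client IP *and* the username tried, so one attacker
 * cannot lock out the whole site and a distributed attack on one account is
 * still caught. The limits and LOGIN_THROTTLE_TRUSTED_PROXIES are assumptions.
 */

const LOGIN_THROTTLE_MAX_ATTEMPTS = 5;    // failures allowed per key inside the window
const LOGIN_THROTTLE_WINDOW       = 900;  // seconds a failure counter lives
const LOGIN_THROTTLE_LOCKOUT      = 900;  // seconds a key stays locked after the limit

/**
 * Client address. X-Forwarded-For is honoured only when REMOTE_ADDR is one of
 * your own proxies (define LOGIN_THROTTLE_TRUSTED_PROXIES as an array of IPs in
 * wp-config.php); otherwise anyone could spoof the header to evade or trigger lockouts.
 */
function login_throttle_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( defined( 'LOGIN_THROTTLE_TRUSTED_PROXIES' )
        && in_array( $ip, (array) LOGIN_THROTTLE_TRUSTED_PROXIES, true )
        && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // Leftmost entry is the original client when the proxy appends to the list.
        $candidate = trim( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )[0] );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            $ip = $candidate;
        }
    }
    return $ip;
}

/** Transient keys for this request; hashed so raw IPs and usernames are not stored. */
function login_throttle_keys( $username ) {
    $user = strtolower( trim( (string) $username ) );
    return array(
        'lt_ip_' . substr( hash( 'sha256', login_throttle_client_ip() ), 0, 32 ),
        'lt_user_' . substr( hash( 'sha256', $user ), 0, 32 ),
    );
}

/**
 * Refuse the login while either key is locked. Priority 30 runs after the core
 * username/password check (priority 20), so a lockout overrides even a correct
 * password and the attacker cannot confirm a guess while locked out.
 */
function login_throttle_check( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // form is just being rendered, nothing submitted
    }
    foreach ( login_throttle_keys( $username ) as $key ) {
        $locked_until = (int) get_transient( $key . '_lock' );
        if ( $locked_until > time() ) {
            return new WP_Error(
                'too_many_attempts',
                sprintf(
                    __( '<strong>Error:</strong> Too many failed logins. Try again in %s.' ),
                    human_time_diff( time(), $locked_until )
                )
            );
        }
    }
    return $user;
}
add_filter( 'authenticate', 'login_throttle_check', 30, 3 );

/** Count a failure against both keys and lock whichever reaches the limit. */
function login_throttle_failed( $username, $error = null ) {
    // A rejection caused by the lockout itself must not extend the lockout.
    if ( $error instanceof WP_Error && 'too_many_attempts' === $error->get_error_code() ) {
        return;
    }
    foreach ( login_throttle_keys( $username ) as $key ) {
        $tries = (int) get_transient( $key ) + 1;
        if ( $tries >= LOGIN_THROTTLE_MAX_ATTEMPTS ) {
            // Expiry kept in the value itself, so this also works with a persistent
            // object cache, where _transient_timeout_* options are never written.
            set_transient( $key . '_lock', time() + LOGIN_THROTTLE_LOCKOUT, LOGIN_THROTTLE_LOCKOUT );
            delete_transient( $key );
        } else {
            set_transient( $key, $tries, LOGIN_THROTTLE_WINDOW );
        }
    }
}
add_action( 'wp_login_failed', 'login_throttle_failed', 10, 2 );

/** A successful login forgives earlier typos from this client and on this account. */
function login_throttle_succeeded( $user_login, $user ) {
    foreach ( login_throttle_keys( $user_login ) as $key ) {
        delete_transient( $key );
    }
}
add_action( 'wp_login', 'login_throttle_succeeded', 10, 2 );
```

Because wp_authenticate() is the common path for both wp-login.php and xmlrpc.php, a filter on authenticate covers both entry points, which a web-server rule on wp-login.php alone would not. If the site is behind a CDN or reverse proxy, define LOGIN_THROTTLE_TRUSTED_PROXIES in wp-config.php as the array of proxy addresses; without it REMOTE_ADDR is the proxy and every visitor shares one counter. The counters are ordinary transients, so a stuck lockout can be cleared from WP-CLI with wp transient delete followed by the key name.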

How to Disable Limit Login Attempts in WordPress

Now that you know how to limit login attempts in WordPress, it makes sense to know how to switch it off again.

If you used the plugin, deactivate or delete it. If you used the code, remove it from functions.php (or wherever you placed it) and upload the file again. Any lockout already recorded in the attempted_login transient clears itself within five minutes, or immediately with wp transient delete attempted_login if you have WP-CLI.

Why Should You Limit Login Attempts?

First, let’s discuss WP website security issues generally. 

Millions of sites have been hacked in recent years. Alarming, right? Well, there is no smoke without fire: WordPress sites get hacked for identifiable reasons, and out-of-date plugins, incorrect file permissions and poor hosting are just a few of them.

Visualize the facts in this chart (based on research by wordfence).

WP security issues

Almost 60% of WP security troubles were a result of plugin vulnerability. 

Most likely, owners of the sites used questionable or nulled plugins, or they didn’t update the plugins regularly. 

Understandably, keeping your WordPress site up to date and maintaining it may be the last thing on your mind. It’s still not enough reason to expose your website. 

Our WordPress maintenance plan covers site & plugin updates, cloud backups, speed optimization, and troubleshooting errors. Subscribe to a plan and focus on growing your business.

That said, the second most common cause was brute-force attacks (16.1%): cybercriminals broke into sites simply by guessing username/password combinations until one worked.

When a hacker breaks into a website through this means, s/he can:

  • Take over your website.
  • Redirect your visitors to dangerous websites.
  • Deface your website.
  • Lure your visitors into downloading malware.
  • Promote illegal stuff in your name.
  • Steal customer’s information.
  • Inject malware into your site.

Any of these costs you trust, with your customers and with search engines, which flag or delist sites that serve malware. So make logging in as hard as you can for anyone who is not you.

Limiting login attempts does not make guessing impossible; it makes it slow. An attacker who would otherwise try thousands of passwords a minute is held to a few per lockout window, so a reasonably strong password becomes impractical to guess, while a legitimate user who knows the password still logs in on the first try.

Pros and Cons of Limiting Login Attempts in WordPress

Limiting login attempts in WordPress has its good side, but there are a few undesirable sides, too.

Pros

The main advantage is that online password guessing, by bots or by humans, becomes impractical: an attacker gets a handful of tries per lockout instead of thousands per minute. This matters even with a hard-to-guess password, because it also blunts credential-stuffing runs that replay passwords leaked from other sites.

It also protects the server. Every login attempt costs a database lookup and a deliberately slow password hash, so a flood of guesses can degrade speed and performance for the whole site; lockouts stop that work early.

A temporary lockout is usually enough to end the attack. Opportunistic bots simply move on to an easier target.

Cons

Legitimate users can be locked out too after a few typos, which is inconvenient. The usual fix is to safelist the IP addresses you and your team log in from (a fixed office address or VPN exit) rather than safelisting usernames, since an exempted username is an account with no protection at all. A shorter lockout that lengthens for repeat offenders also softens the impact.

Secondly, the easiest method involves a plugin. Although this one is lightweight, quite a number of WordPress users would rather not add another.

If that is you, use the code method instead, ideally in a child theme’s functions.php or a must-use plugin so it survives theme updates.

More Security Tips

Limiting login attempts is just one part of WordPress security. There are other security tips to help you keep hackers at bay. Here are some other tips:

Use Strong Passwords

Your password is the gate to your website. If it’s weak, anyone (wanted and unwanted) can walk in with no resistance. If it’s strong, only legitimate users are likely to get in. So, as much as you can, use a strong password. We can’t stress this enough.

A NordPass study of leaked credentials found ‘123456’ in use by more than 2.5 million people. A password like that falls to a guessing tool in under a second.

Your password should be unique to this site, long, and a mix of numbers, special characters, and lower and upper case. If that sounds like too much work, let a password manager generate and remember it for you.

Also, don’t keep the default ‘admin’ username. Be aware that this is only a small hurdle: WordPress usernames are easy to discover (through author archive URLs and the REST API’s users endpoint), so it is the password and the login limit, not the username, that carry the security.

Change your WordPress salts and security keys

When you log in, WordPress does not keep your password in a cookie. It sets an authentication cookie containing your username, an expiry time, a session token and a signature (an HMAC) computed with the secret keys and salts defined in wp-config.php, so you are not asked to log in again on your next visit.

Those keys are what stop an attacker from forging or tampering with a login cookie: without them, a valid-looking cookie cannot be produced. If they leak, for example with a copy of wp-config.php, sessions can be forged.

Rotating the keys invalidates every existing session, including an attacker’s, which is why changing them is a standard step after a suspected compromise. See our article on WordPress salts to learn more about their benefits and how to change them.

2-factor authentication

With two-factor authentication a user is granted access only after presenting a second factor, usually a one-time code from an authenticator app or SMS, or a hardware key, in addition to the password. WordPress core does not ship this; you add it with a plugin. It is the strongest complement to limiting login attempts, because a guessed password alone no longer gets an attacker in.

Once it is set up, you are asked for the code from your phone or key each time you log in.

One caveat when choosing a plugin: xmlrpc.php accepts a username and password directly and never shows the login form, so check that the plugin also protects or disables XML-RPC; otherwise an attacker with the password can skip the second factor there. Two-factor authentication works best coupled with a rock-solid password, not instead of one.

Do a Regular Malware Scan

A regular scan helps to detect malware on your site before it does damage or gets the site blacklisted. The easiest way to check for malware on your website is by ordering our WordPress malware scanning service.

You should also consider using a good WordPress hosting provider and a great security plugin.

WordPress Updates

We already mentioned that the highest cause of security breaches in WordPress is plugin vulnerability. Keeping your WP core, plugins, and themes updated is key. Uninstall plugins and themes you don’t need. 

This way, you’ll not only have the latest security feature installed on your website, you’ll also save yourself unnecessary headaches. 

Avoid Nulled Plugins or Themes

Nulled WordPress themes and plugins are pirated copies of the original. They are distributed at ridiculously cheap prices or even given out for free.

When used, they are a liability: nulled copies frequently carry hidden backdoors or spam code, and they cannot receive the vendor’s security updates.

Use Only a Recommended WordPress Host 

WordPress publishes its hosting requirements, so there is no guesswork here.

At the time of writing, WordPress asked for PHP version 7.4 or greater, MySQL version 5.6 or greater or MariaDB version 10.1 or greater, and HTTPS support. These minimums move as old releases reach end of life (PHP 7.4 itself no longer receives security fixes), so check the current requirements page on wordpress.org before choosing a host.

The security point is not the version numbers themselves: a host that keeps you on a PHP or database release that no longer gets security patches leaves known, unfixable vulnerabilities under your site.

Not Using an SSL Certificate

Without HTTPS, everything between the browser and your site, including the username and password typed into wp-login.php, travels in plain text and can be read or altered by anyone on the network path. A TLS certificate (what ‘SSL’ usually means today) encrypts that traffic. Certificates are free from Let’s Encrypt, so there is no reason to run a login page over plain HTTP.

Weak User role practices 

WordPress has 5 user roles: Administrator, Editor, Author, Contributor, Subscriber. This means you can restrain users according to their roles. For instance, an author can write a post but cannot delete posts or add users. An editor can do nothing except edit. 

Anyone with Administrator privileges, on the other hand, has unrestricted access to edit, modify, add users, delete posts, etc.

Conclusion – WordPress Limit Login Attempts

Even though we trust WordPress developers to keep the platform secure, you still have your part to play. One of which involves putting a login attempts limit to prevent illegal access to your WordPress admin panel.

Have you tried limiting login attempts on your WordPress site? Let us know how it went in the comments below.

Please check out the rest of our blog for other WordPress tutorials.

 This post was written by Mesheal Fegor

Mesheal Fegor is a Web/WordPress Developer and technical writer. His WordPress help articles have been featured on Kinsta and other sites. Mesheal holds a master's degree in computer science. His writing focuses on technical WordPress issues, ranging from core WordPress problems, to issues with WooCommerce, and more.

Last edited by: FixRunner Team