One of the most common ways attackers get into a website is by brute-forcing the WordPress login page: bots relentlessly submit username and password guesses to the login form until one works. This is online password guessing against the form itself, not cryptanalysis of encrypted data, so it succeeds whenever a password is weak or reused and nothing throttles the guessing.

One of the major flaws with WordPress out of the box is that it places no limit on login attempts, whether they arrive through the login page or through forged authentication cookies sent with a request. An attacker can therefore keep guessing at whatever rate the server will answer, and weak passwords fall quickly.



Here at WebAssertive, we use a plugin called “Limit Login Attempts”. It caps the number of failed attempts allowed before a lockout. Say you allow three tries: once an attacker or bot has made three unsuccessful guesses, the originating IP address is locked out for a specified period of time. Both the number of attempts and the lockout length can be adjusted on the plugin's settings page, shown below.



You can find the plugin in the WordPress plugin directory under “Limit Login Attempts”, or search for it from your WordPress dashboard. Once you've installed and activated it, customize the settings to fit your desired level of security. You'll find them under the “Settings” section of your WordPress dashboard.



Screenshot: Limit Login Attempts WordPress plugin settings page

How tight to set things really depends on how well you can remember your own username and password, haha… we jest. But seriously: are you the only person accessing your dashboard, or do several users log in? Lockouts are counted per IP address, so if a team logs in from the same office connection, one colleague's typos can lock out everyone else. In that case you'll probably want to loosen the settings a little, because there is more room for error when multiple people share an address.

The settings themselves are pretty simple. Choose how many failed logins to allow (allowed retries), how long the offending address is locked out after that many failures (minutes lockout), how many lockouts you'll tolerate within a day before the lockout gets longer, and how long that extended lockout lasts. For example: after 2 lockouts, extend the lockout to 24 hours, and reset the retry counter after 12 hours without further failures.

The site connection setting should match your hosting. Leave it on direct connection unless your site sits behind a reverse proxy or CDN; in that case choose the reverse proxy option so the plugin reads the real visitor address from the forwarded header instead of locking out the proxy's own IP (which would lock out every visitor at once). Don't pick the proxy option when there is no proxy, because then anyone can set that header themselves and sidestep the lockout. Leave “handle cookie login” set to yes so failed cookie logins are counted too. You can also customize the notification settings to be emailed after a certain number of lockouts. It's helpful to know when someone is hammering your login with repeated attempts and lockouts, so you can be proactive in defending your site. It happens.
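To make the two settings discussed above concrete, here is a small model of a per-IP lockout policy with the same knobs (allowed retries, lockout minutes, lockouts before the extended lockout, extended lockout hours, reset after N hours) and of the “direct connection” versus “behind a reverse proxy” choice. This is illustrative code written for this article, not the plugin's own source: the parameter names mirror its settings page, the defaults are the ones it ships with, and the assumption that a reverse proxy passes the visitor address in an X-Forwarded-For header is ours. It shows how many passwords a single bot can actually test per day under the default policy, and why choosing the proxy option without a proxy in front of you defeats the lockout entirely.

```python
"""Model of an IP-based login lockout policy (added example, not plugin code)."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """The settings described in the article, with the plugin's documented defaults."""
    allowed_retries: int = 4          # failed attempts before a lockout
    lockout_minutes: int = 20         # normal lockout length
    lockouts_before_long: int = 4     # lockouts that trigger the extended lockout
    long_lockout_hours: int = 24      # extended lockout length
    reset_retries_hours: int = 12     # failures are forgotten after this long with no new ones


@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    last_failure: float = 0.0         # epoch seconds
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, behind_reverse_proxy: bool = False):
        self.policy = policy
        self.behind_reverse_proxy = behind_reverse_proxy
        self.state = {}               # client IP -> IpState

    def client_ip(self, headers: dict, remote_addr: str) -> str:
        """'Direct connection' trusts the TCP peer address; 'behind a reverse proxy'
        trusts the first address in X-Forwarded-For (assumed header name)."""
        if self.behind_reverse_proxy and headers.get("X-Forwarded-For"):
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return remote_addr

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Record one login attempt from ip at time now; return what happened."""
        st = self.state.setdefault(ip, IpState())
        if now < st.locked_until:
            return "locked"           # refused outright, password not even checked
        if st.failures and now - st.last_failure >= self.policy.reset_retries_hours * 3600:
            st.failures = st.lockouts = 0        # 'reset retries after N hours'
        if password_ok:
            self.state.pop(ip, None)
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures % self.policy.allowed_retries == 0:
            st.lockouts += 1
            if st.lockouts >= self.policy.lockouts_before_long:
                st.locked_until = now + self.policy.long_lockout_hours * 3600
                return "long_lockout"
            st.locked_until = now + self.policy.lockout_minutes * 60
            return "lockout"
        return "fail"


def guesses_per_day(guard: LoginGuard, ip: str = "198.51.100.7") -> int:
    """Passwords a single-address bot can actually test in 24 hours when it guesses
    once a second and returns the moment each lockout expires (ip is constructed)."""
    guesses, now = 0, 0.0
    while now < 86_400:
        if guard.attempt(ip, False, now) != "locked":
            guesses += 1
        st = guard.state[ip]
        now = st.locked_until if st.locked_until > now else now + 1
    return guesses


def spoofed_header_evades_lockout(guard: LoginGuard, attempts: int = 8) -> bool:
    """One attacker, one real address, a different X-Forwarded-For on every try.
    True means no attempt was ever locked out, i.e. the per-IP counter was defeated."""
    results = []
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}      # constructed, spoofed
        ip = guard.client_ip(headers, "198.51.100.7")
        results.append(guard.attempt(ip, False, now=float(i)))
    return "lockout" not in results and "locked" not in results


if __name__ == "__main__":
    print("guesses/day, no limit at 1/s:   ", 86_400)
    print("guesses/day, plugin defaults:   ", guesses_per_day(LoginGuard(LockoutPolicy())))
    print("header spoof works, direct mode:", spoofed_header_evades_lockout(LoginGuard(LockoutPolicy())))
    print("header spoof works, proxy mode: ",
          spoofed_header_evades_lockout(LoginGuard(LockoutPolicy(), behind_reverse_proxy=True)))
```

With the default policy the bot gets 16 guesses in its first hour and then nothing for the rest of the day, against 86,400 at one guess per second with no limit. The last two lines are the “site connection” caveat in miniature: in direct mode the forged header is ignored and the fourth guess triggers a lockout, while in proxy mode with no real proxy each spoofed header looks like a fresh visitor and the counter never fills.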



Trust us, you DO NOT want your WordPress site breached. All your blood, sweat and tears, all your time and effort, all your hard work and all of your personal data could be compromised. Limit Login Attempts is a simple plugin that delivers a powerful defensive punch against brute-force attacks. We recommend it, or a plugin of its type, to slow brute-force guessing against your login to a crawl. It cannot eliminate the attack entirely: it counts attempts per IP address, so a botnet spread across many addresses still gets a handful of guesses from each, which is why a long, unique password remains essential. Another quick and simple tip is to change your administrator username from the default “admin” to something less guessable, keeping in mind that WordPress does not treat usernames as secrets (they appear in author archive URLs), so the password does the real work.

