Limit Login Attempts
Brute force attacks are one of the most common threats to WordPress sites. Bots hammer your login page with thousands of username and password combinations, hoping to guess their way in. This module stops them cold by tracking failed attempts and locking out repeat offenders—with an escalating lockout system that gets progressively stricter for persistent attackers.
Use Cases
- Stop automated bots from attempting thousands of password combinations
- Protect admin accounts from credential stuffing attacks
- Get peace of mind knowing your login page has active protection
- Slow down attackers even if they rotate through password lists
- Block known malicious IPs with the blacklist feature
- Exempt trusted office or VPN IPs from lockout with the whitelist feature
How It Works
- Every failed login attempt is logged against the visitor’s IP address
- After reaching the allowed retries limit (default: 4 attempts), the IP gets a normal lockout (default: 20 minutes)
- After accumulating the allowed number of normal lockouts (default: 4), the IP gets a long lockout (default: 24 hours)
- The failed attempt counter resets once the valid duration (default: 12 hours) passes with no further failures from that IP
- Successful login clears all failed attempts for that IP
- Protection covers wp-login.php, XML-RPC, REST API authentication, and Application Passwords
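The escalation described above, worked through as an added example (this is illustrative code, not the module's own implementation). It keeps the page's defaults (4 retries, 20-minute lockout, 4 lockouts, 24-hour long lockout, 12-hour valid window), takes the clock as a plain seconds value so the sequence can be stepped by hand, and labels two points the page leaves open: whether the lockout count expires with the retry count, and whether the fourth or the fifth lockout is the long one.

```python
"""Escalating login lockout tracker.

Added example modelled on the 'How It Works' list; it is not the module's
own code. Timestamps are plain unix seconds so the clock can be driven by
hand; the real module persists its counters in wp_options.
"""
from dataclasses import dataclass
from typing import Optional

MINUTE = 60


@dataclass(frozen=True)
class Limits:
    allowed_retries: int = 4     # failed attempts before a lockout
    lockout_minutes: int = 20    # normal lockout length
    allowed_lockouts: int = 4    # normal lockouts before the long lockout
    long_minutes: int = 1440     # long lockout length (24 hours)
    valid_minutes: int = 720     # quiet period after which counters reset (12 hours)


@dataclass
class IpState:
    retries: int = 0                    # failures since the last lockout or reset
    lockouts: int = 0                   # lockouts issued within the valid window
    last_failure: Optional[int] = None  # unix seconds of the latest failure
    locked_until: int = 0               # unix seconds; 0 means not locked


class LoginLimiter:
    def __init__(self, limits: Limits = Limits(), whitelist=(), blacklist=()):
        self.limits = limits
        self.whitelist = set(whitelist)  # exact IPs; CIDR/wildcard matching is a separate concern
        self.blacklist = set(blacklist)
        self.state: dict = {}

    def _state(self, ip: str) -> IpState:
        return self.state.setdefault(ip, IpState())

    def _expire(self, st: IpState, now: int) -> None:
        # ASSUMPTION: the lockout count resets together with the retry count
        # after the valid duration; the page only states this for retries.
        if st.last_failure is not None and now - st.last_failure > self.limits.valid_minutes * MINUTE:
            st.retries = 0
            st.lockouts = 0

    def is_blocked(self, ip: str, now: int) -> bool:
        """True when a login attempt from this IP must be refused right now."""
        if ip in self.whitelist:
            return False
        if ip in self.blacklist:
            return True
        return self._state(ip).locked_until > now

    def minutes_remaining(self, ip: str, now: int) -> int:
        """Value shown in 'Please try again in X minutes' (rounded up)."""
        remaining = self._state(ip).locked_until - now
        return max(0, -(-remaining // MINUTE))

    def record_failure(self, ip: str, now: int) -> str:
        """Returns 'ignored', 'counted', 'lockout' or 'long_lockout'."""
        if self.is_blocked(ip, now) or ip in self.whitelist:
            return "ignored"  # whitelisted IPs never lock; blocked IPs cannot attempt
        st = self._state(ip)
        self._expire(st, now)
        st.retries += 1
        st.last_failure = now
        if st.retries < self.limits.allowed_retries:
            return "counted"
        st.retries = 0
        st.lockouts += 1
        # ASSUMPTION: "after accumulating the allowed number of normal lockouts"
        # is read literally: the 4 normal lockouts come first, the 5th is long.
        if st.lockouts > self.limits.allowed_lockouts:
            st.locked_until = now + self.limits.long_minutes * MINUTE
            return "long_lockout"
        st.locked_until = now + self.limits.lockout_minutes * MINUTE
        return "lockout"

    def record_success(self, ip: str) -> None:
        """A successful login clears everything recorded for the IP."""
        self.state.pop(ip, None)
```

With the defaults, an attacker who waits out each 20-minute lockout and keeps going reaches the 24-hour lockout after 20 failed attempts, which is the "progressively stricter" behaviour the module advertises; a user who makes three typos and then comes back the next day starts from a clean counter.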
Protected Login Vectors
This module protects all WordPress login entry points, not just the standard login form:
- wp-login.php — The standard WordPress login page
- XML-RPC — Blocks system.multicall abuse and tracks XML-RPC authentication failures
- REST API — Monitors authentication attempts through the WordPress REST API
- Application Passwords — Protects the Application Passwords feature introduced in WordPress 5.6+
The module also suppresses WordPress's default login error hints, which otherwise tell the visitor whether the username was unknown or only the password was wrong, so attackers cannot use the login form to enumerate valid usernames.
Settings
| Setting | Type | Default | Description |
|---|---|---|---|
| Allowed Retries | Number | 4 | Failed attempts allowed before lockout (1-10) |
| Lockout Duration | Number | 20 | Minutes for normal lockout (1-10080) |
| Allowed Lockouts | Number | 4 | Normal lockouts before switching to long lockout (1-10) |
| Long Duration | Number | 1440 | Minutes for long lockout — 24 hours (60-10080) |
| Valid Duration | Number | 720 | Minutes before failed attempt count resets — 12 hours (60-10080) |
| Notify Email After | Number | 3 | Send email notification after this many lockouts (0 = disabled) |
| Whitelist IPs | Textarea | (empty) | IPs that are never locked out (supports CIDR, wildcards, ranges) |
| Blacklist IPs | Textarea | (empty) | IPs that are always blocked from logging in |
| Trusted IP Origins | Select | REMOTE_ADDR | Server variable to check for the client IP: REMOTE_ADDR (direct connection), X-Forwarded-For (reverse proxy), X-Real-IP (Nginx proxy), CF-Connecting-IP (Cloudflare). Select a header option only when the site really sits behind that proxy: a forwarded header that no proxy sets or overwrites can be supplied by the client itself, letting an attacker present any address, evade lockouts, or match a whitelisted IP. |
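How the Trusted IP Origins choice decides which address the lockouts are keyed on, as an added example (illustrative code, not the module's own). The module's setting only names the header; the `trusted_proxies` list here is an extra check added for this example to show the condition under which a forwarded header is safe to believe.

```python
"""Client IP resolution for the 'Trusted IP Origins' setting.

Added example, not the module's own code. The module's setting only names
the header to read; the trusted_proxies parameter is an extra check added
here to show why the header must not be trusted unconditionally.
"""
import ipaddress

# Server variable that carries each selectable origin (PHP $_SERVER names)
HEADER_FOR_ORIGIN = {
    "REMOTE_ADDR": None,
    "X-Forwarded-For": "HTTP_X_FORWARDED_FOR",
    "X-Real-IP": "HTTP_X_REAL_IP",
    "CF-Connecting-IP": "HTTP_CF_CONNECTING_IP",
}


def _is_trusted_proxy(peer: str, trusted_proxies) -> bool:
    addr = ipaddress.ip_address(peer)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def client_ip(server: dict, origin: str, trusted_proxies=()) -> str:
    """Return the address that lockouts and the IP lists should be keyed on.

    server mimics PHP's $_SERVER. When origin is a header, the header is
    believed only if the TCP peer (REMOTE_ADDR) is one of trusted_proxies;
    otherwise a client can send the header itself and pick any IP it likes.
    """
    peer = server["REMOTE_ADDR"]
    header = HEADER_FOR_ORIGIN[origin]
    if header is None:
        return peer
    if not _is_trusted_proxy(peer, trusted_proxies):
        return peer  # header did not come from our proxy, so ignore it
    raw = server.get(header, "")
    # X-Forwarded-For accumulates one entry per hop; the right-most entry is the
    # one appended by the proxy we trust, everything left of it is client-supplied.
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # missing or malformed header value, fall back to the peer
```

The first test case below is the misconfiguration the caveat in the table warns about: a direct client sends `X-Forwarded-For: 10.0.0.1`, and without the proxy check every lockout would be charged to 10.0.0.1 instead of the real attacker.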
Finding the Settings
Navigate to Switchboard > Security > Limit Login Attempts and click the settings icon to configure the module.
What Users See
When locked out, users see this message on the login page:
“Too many failed login attempts. Please try again in X minutes.”
The countdown shows exactly how many minutes remain. Once the time expires, they can attempt to log in again normally.
Behind the Scenes
The module uses WordPress options (wp_options) to store login attempt data, lockout records, and login logs. This approach is lightweight and does not require custom database tables.
A daily cleanup cron job automatically removes old records to keep your database lean. The module also provides AJAX actions to manually unlock specific IPs, clear the login log, or reset lockout counters from the admin interface.
Recommended settings for most sites: 4 attempts with a 20-minute lockout balances security with user convenience. The escalating lockout system means persistent attackers will automatically face 24-hour lockouts after repeated attempts. If you have many users who frequently forget passwords, consider increasing allowed retries to 5-7.
IP Whitelist and Blacklist
Whitelist
Add trusted IPs that should never be locked out. This is useful for your office IP, VPN addresses, or monitoring services. Supported formats:
- Single IP: `192.168.1.100`
- CIDR notation: `192.168.1.0/24`
- Wildcard: `192.168.1.*`
- Range: `192.168.1.100-192.168.1.200`
Blacklist
Add IPs that should always be blocked from logging in, regardless of whether they have failed any attempts. Supports the same formats as the whitelist.
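A matcher for the four list formats, as an added example (illustrative code, not the module's own). It takes the raw textarea contents one rule per line and decides whether an address is whitelisted, blacklisted, or subject to normal counting; which list wins when an address is on both is not stated on the page, so the example picks the blacklist and labels that as an assumption.

```python
"""Whitelist/blacklist matching for the four IP formats listed above.

Added example, not the module's own code. Handles single IPs, CIDR, octet
wildcards and dash ranges as they would appear one per line in the
Whitelist IPs / Blacklist IPs textareas.
"""
import ipaddress


def _wildcard_octets(rule: str):
    parts = rule.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad wildcard rule: {rule!r}")
    for p in parts:
        if p != "*" and not (p.isdigit() and 0 <= int(p) <= 255):
            raise ValueError(f"bad wildcard rule: {rule!r}")
    return parts


def ip_matches(ip: str, rule: str) -> bool:
    """True if ip falls under rule; raises ValueError on a malformed rule."""
    rule = rule.strip()
    addr = ipaddress.ip_address(ip)
    if "/" in rule:  # CIDR: 192.168.1.0/24
        return addr in ipaddress.ip_network(rule, strict=False)
    if "-" in rule:  # range: 192.168.1.100-192.168.1.200
        lo, hi = (ipaddress.ip_address(x.strip()) for x in rule.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range rule: {rule!r}")
        return addr.version == lo.version and lo <= addr <= hi
    if "*" in rule:  # wildcard: 192.168.1.* (IPv4 only)
        pattern = _wildcard_octets(rule)
        if addr.version != 4:
            return False
        return all(p == "*" or p == o for p, o in zip(pattern, str(addr).split(".")))
    return addr == ipaddress.ip_address(rule)  # single IP


def ip_in_list(ip: str, rules_text: str) -> bool:
    """rules_text is the raw textarea value, one rule per line; blank lines are ignored."""
    return any(ip_matches(ip, line) for line in rules_text.splitlines() if line.strip())


def access_decision(ip: str, whitelist_text: str, blacklist_text: str) -> str:
    """'blacklist' = always refuse, 'whitelist' = never lock out, 'normal' = count failures.

    ASSUMPTION: the page does not say which list wins when an IP is on both;
    this example checks the blacklist first so a conflict fails closed.
    """
    if ip_in_list(ip, blacklist_text):
        return "blacklist"
    if ip_in_list(ip, whitelist_text):
        return "whitelist"
    return "normal"
```

Malformed rules raise rather than being skipped silently: a whitelist line that is quietly ignored is how an admin ends up locked out of their own site, and a blacklist line that is quietly ignored is worse.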
FAQ
Will this lock out legitimate users?
Only if they enter the wrong password multiple times in a row. The default of 4 attempts is generous enough for typos but strict enough to stop bots. Legitimate users can simply wait out the lockout period.
What if I get locked out of my own site?
The best preventive measure is to add your IP to the Whitelist IPs setting so you are never locked out. If you are already locked out, wait for the lockout period to expire (20 minutes for a normal lockout, or 24 hours for a long lockout), then try again. If you need immediate access, you can disable the module via FTP by renaming the module file, or use WP-CLI to clear the lockout options.
Does this work with custom login URLs?
Yes. The protection hooks into WordPress's authentication system, so it works regardless of what URL leads to the login form.
What about shared IP addresses (offices, WiFi)?
This is a real consideration. If multiple people share an IP and several of them fail to log in, they can trigger a lockout for everyone on that network. For corporate environments, consider adding the shared IP to the Whitelist IPs setting, or increase the allowed retries to 5-7.
Does it protect against distributed attacks?
Each IP is tracked separately, so an attack spread across thousands of different IPs will not be stopped by this module alone. For distributed attacks, consider combining this with a firewall or a security service like Cloudflare.
Does it protect XML-RPC and REST API?
Yes. The module protects all login vectors: the standard wp-login.php form, XML-RPC authentication (including blocking system.multicall abuse), REST API authentication, and Application Passwords (WordPress 5.6+).
Does it work with WooCommerce?
Yes. The module is compatible with WooCommerce's login form and tracks failed attempts through it just like the standard WordPress login.
This module tracks by IP address only. Sophisticated attackers using botnets with rotating IPs may bypass this protection. For maximum security, combine it with other measures like two-factor authentication and strong password policies.