Limit Login Attempts

Brute force attacks are one of the most common threats to WordPress sites. Bots hammer your login page with thousands of username and password combinations, hoping to guess their way in. This module stops them cold by tracking failed attempts and locking out repeat offenders.

Use Cases

  • Stop automated bots from attempting thousands of password combinations
  • Protect admin accounts from credential stuffing attacks
  • Get peace of mind knowing your login page has active protection
  • Slow down attackers even if they rotate through password lists

How It Works

  1. Every failed login attempt is logged against the visitor’s IP address
  2. After reaching your configured limit (default: 3 attempts), the IP is locked out
  3. Locked out users see a message telling them how long to wait
  4. Once the lockout expires, they can try again (counter resets)
  5. Successful login clears all failed attempts for that IP

Settings

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| Maximum Login Attempts | Number | 3 | Failed attempts allowed before lockout (1-10) |
| Lockout Duration | Number | 20 | Minutes to lock out the IP address (1-1440) |

Finding the Settings

Navigate to Switchboard → Security → Limit Login Attempts and click the settings icon to configure the module.

What Users See

When locked out, users see this message on the login page:

“Too many failed login attempts. Please try again in X minutes.”

The countdown shows exactly how many minutes remain. Once the time expires, they can attempt to log in again normally.

Behind the Scenes

The module creates a database table (wp_switchboard_login_attempts) to track:

  • IP addresses of failed login attempts
  • Number of attempts per IP
  • Lockout expiration time
  • Last attempt timestamp

A daily cleanup job automatically removes old records (30+ days) to keep your database lean.

Recommended settings for most sites: 3 attempts with a 20-minute lockout balances security with user convenience. If you have many users who frequently forget passwords, consider 5 attempts.

FAQ

Will this lock out legitimate users?
Only if they enter the wrong password multiple times in a row. The default of 3 attempts is generous enough for typos but strict enough to stop bots. Legitimate users can simply wait out the lockout period.

What if I get locked out of my own site?
Wait for the lockout period to expire, then try again. If you need immediate access, you can disable the module via FTP by renaming the module file, or access your database directly and clear the wp_switchboard_login_attempts table.

Does this work with custom login URLs?
Yes. The protection hooks into WordPress’s authentication system, so it works regardless of what URL leads to the login form.

What about shared IP addresses (offices, WiFi)?
This is a consideration. If multiple people share an IP and several fail to log in, they could trigger a lockout for everyone on that network. For corporate environments, consider a higher attempt limit (5-7).

Does it protect against distributed attacks?
Each IP is tracked separately, so attacks from thousands of different IPs won’t be stopped by this module alone. For sophisticated attacks, consider combining this with a firewall or security service like Cloudflare.

This module tracks by IP address only. Sophisticated attackers using botnets with rotating IPs may bypass this protection. For maximum security, combine with other measures like two-factor authentication and strong password policies.
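The lockout steps from How It Works, modelled in Python as an added example (not the plugin's own code) and run over constructed login events to show the shared-IP and many-IP cases from the FAQ. It assumes the lockout starts on the failure that reaches the limit and that attempts made during a lockout are rejected without being counted; the class, function and variable names are hypothetical.

```python
import math

class LoginLimiter:
    """Per-IP lockout model of steps 1-5 (illustrative, not the plugin's code)."""
    def __init__(self, max_attempts=3, lockout_minutes=20):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        self.table = {}  # ip -> [attempts, locked_until]; stands in for the DB table

    def minutes_remaining(self, ip, now):
        locked_until = self.table.get(ip, [0, 0])[1]
        return max(0, math.ceil((locked_until - now) / 60))

    def record_failure(self, ip, now):
        rec = self.table.setdefault(ip, [0, 0])
        if rec[1] and rec[1] <= now:       # step 4: an expired lockout resets the counter
            rec[0], rec[1] = 0, 0
        rec[0] += 1                        # step 1: count the failure against the IP
        if rec[0] >= self.max_attempts:    # step 2: assumed to lock on the Nth failure
            rec[1] = now + self.lockout_seconds

    def record_success(self, ip):
        self.table.pop(ip, None)           # step 5: success clears the IP's record

def simulate(events, **settings):
    """events: (seconds, ip, password_ok) tuples -> list of 'ok'/'failed'/'blocked'."""
    limiter, outcomes = LoginLimiter(**settings), []
    for now, ip, password_ok in events:
        if limiter.minutes_remaining(ip, now):   # step 3: locked out, password not checked
            outcomes.append("blocked")
        elif password_ok:
            limiter.record_success(ip)
            outcomes.append("ok")
        else:
            limiter.record_failure(ip, now)
            outcomes.append("failed")
    return outcomes

# Constructed sample events (documentation-range IPs, times in seconds).
SINGLE_IP = [(0, "203.0.113.5", False), (10, "203.0.113.5", False),
             (20, "203.0.113.5", False), (30, "203.0.113.5", True),
             (20 + 20 * 60, "203.0.113.5", True)]
SHARED_OFFICE_IP = [(0, "198.51.100.7", False), (5, "198.51.100.7", False),
                    (9, "198.51.100.7", False), (12, "198.51.100.7", True)]
MANY_IPS = [(i, f"192.0.2.{i + 1}", False) for i in range(6)]

if __name__ == "__main__":
    for name in ("SINGLE_IP", "SHARED_OFFICE_IP", "MANY_IPS"):
        print(name, simulate(globals()[name]))
```

In the shared-IP run the fourth person is blocked despite a correct password, and raising the limit to 5 lets them in; in the many-IP run no address ever reaches the limit, which is why the page recommends pairing the module with a firewall and two-factor authentication.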
