Hackers are continuously trying to guess your WordPress password to breach your website.
By default, WordPress users can try different passwords without any limitations. This type of attack is known as brute force. In this article, we offer you a way to limit WordPress login attempts and higher your site's security wall.
What is Login Lockdown? Why Limit Login Attempts in WordPress?
WordPress is the most popular CMS in the world. Around 30% of websites in the world run on WordPress.
The common assumption is that WordPress has the lowest security. This assumption is wrong. It’s totally the opposite. WordPress is a great solution to keep your website secure. Since this CMS is open-source, a lot of developers are working on it to fix any existing bugs and security breaches.
If you use WordPress correctly, then you shouldn’t worry about any security issues.
Although, you can use security plugins to increase your website’s security. Login LockDown is one popular plugin in the WordPress community. This plugin adds an extra layer of security to your WordPress website to prevent hackers from breaching your website.
Is Your Site Vulnerable to Brute Force Attacks?
Hackers use many techniques to hack a website. Brute force is one of these techniques.
Brute force is an attack where a hacker tries to gain access to your WordPress dashboard by guessing different passwords in your login page. Usually, hackers use software to simplify this process.
Brute force is one reason you should change the default password given to you by WordPress. Brute force attack begins by trying out 12345 or qwerty passwords in the login page. Then proceeds to more complex formations. Unfortunately, a lot of WordPress users still use simple passwords.
How to Limit Login Attempts and Enable Login Lockdown in WordPress?
Limiting WordPress login attempts can be done by using the Login LockDown plugin. This plugin gathers information from your users IP and sends you a status report.
If in a short period of time a user with the same IP enters wrong passwords multiple times, Login LockDown blocks the user from accessing your website. However, this plugin blocks the IP for a temporary period.
Configuring Login LockDown
You can install Login LockDown by going to Plugins and Add New. Then search for the plugin and install it.
After installing and activating Login LockDown, from your WordPress dashboard hover over Settings and click on Login LockDown.
By default, this plugin detects any IP that fails to enter the correct password 3 times in a row in a 5-minute timeframe and blocks them for 60 minutes.
However, these times are customizable. In the Max Login Retries section, you can define the login attempts. In the Retry Time Period Restriction section, you can increase or decrease the 5-minute timeframe.
The plugin does nothing when someone tries to login with an invalid username. However, you can change this setting in the Lockout Invalid Username section.
If you use the admin username and enter an incorrect password, you get the following message:
ERROR: The password you entered for the username admin is incorrect
This message is as useful to you as it is to hackers. In the Mask Login Errors section, you can define to deactivate incorrect password guidance.
Finally, in the login page, a message is displayed informing your WordPress users that you are using this plugin. You can disable this message in the settings.
How to Unlock WordPress Accounts with Login LockDown
Let us talk about unlocking a locked WordPress account. Keep in mind, the unlocking method changes depending on the plugin you are using for this process. But most plugins have an unlock system.
First method: Manually unlock an account
From WordPress dashboard hover over to Settings and click on Login LockDown. In the opened window, click on the Activity tab. The number you see is the number of locked accounts.
In this section, you can see a list of locked accounts. By selecting any IP and clicking on Release Selected you can unlock the locked account.
This is the simplest method. In some cases, you may be forced to use cPanel to unlock accounts. If you have access to your cPanel, you can use the second method.
Second method: cPanel
Your credentials will be given to you by your hosting provider. In this method, you need to have the locked account’s IP.
However, make sure you get a backup of your entire website, in case you enter the wrong code and break the site.
Go to cPanel and click on phpMyAdmin. Then click on the SQL tab. Now copy and paste the code below:
update wp_lockdowns set release_date=”Year-Month-Day Time” where lockdown_IP=”<IP address>”;
In the Year-Month-Day Time section, enter the format below (enter your desired release date):
In the time section:
And make sure you enter the correct IP in the IP address section.
Login LockDown Plugin vs. WordFence Security Plugin
WordFence Security is one of the best WordPress security plugins to create a WordPress login lockdown. Whether you want to use WordFence Security or Login LockDown is up to you. WordFence Security is a complete plugin to manage a website and Login LockDown is specifically designed to secure your website against brute force attacks.
You can use these two plugins at the same time. Using them both can increase your website’s security.
Other Ways to Keep Your Site Secure
Brute force attacks aren’t the only attacks you should worry about. To increase your WordPress website’s security, make sure you:
- Keep your WordPress updated.
- Change the default admin username.
- Avoid using weak passwords. Choose the perfect password for your website.
- Change database prefixes.
Please refer to our article about the best WordPress plugins for secure passwords to learn how to secure one or more posts, pages, or categories on your WordPress website
Moreover, we will discuss how to customize the login page of your WordPress site and what plugins your website requires