Where do you log in to your backend? Exactly: via the login page of your website. With default settings, even a “hobby” hacker can find this page quickly, along with the default ID of your administrator. If you are not so sure about your password security, a hacker can use information gathered about you, or scripts, to find out the password. He simply keeps trying in your login area until he gets it right.

The success of this method depends, of course, on whether you allow an unlimited number of attempts or make life difficult for the person at your digital door, for example by limiting login attempts and allowing no more than three attempts per IP address. You don’t need deep programming skills to implement the “WordPress Security” subproject: WordPress makes it as easy as possible for its customers and has plugins up its sleeve to help you limit login attempts.

Limit login attempts: Plugins

In the Plugin Directory on wordpress.com you will find numerous security plugins that you can use to limit login attempts. When making your selection, make sure that it comes from a trustworthy source. Filtering reliable and secure plugins is not always easy, but there are some tips on how to recognize a good plugin. If in doubt, ask a professional. If you want to use more than one security plugin for your website, you should check the compatibility of the WordPress plugins. In the worst case the execution of similar plugins can lead to error messages and failures, which in turn lead to security gaps. This is exactly what you want to avoid.

A rising WordPress security plugin is Loginizer, which now counts more than 100,000 active installations. One of its features is the ability to limit login attempts. It also offers “PasswordLess Login” by creating temporary login areas and sending them to registered email accounts. In addition, you can set up authentication by sending another code by e-mail, or you can use a Challenge Question, without whose correct answer the login is refused. This feature is particularly likely to put obstacles in the way of bots.




One of the biggest players among the security plugins for WordPress is iThemes Security, formerly Better WP Security. iThemes Security has over 700,000 active installations and years of WordPress experience behind it. Its popularity is also reflected in the ratings: over three thousand users have awarded the security plugin 5 stars. In addition to the features already listed for Loginizer, it also has the option of setting a time limit for passwords and a built-in password generator.

Limiting login attempts is only the beginning

If you build a firewall against unwanted visitors, limiting login attempts can be just one brick of many. Against bots, limiting login attempts is not enough, because these automated programs usually have tens of thousands of IP addresses at their disposal. If your security plugin blocks access for one of these IP addresses, the bot simply uses the next one, and it has plenty in reserve.

Limiting login attempts is therefore only a pebble in the path of a bot: with 10,000 IP addresses and three login attempts each, the program can try 30,000 passwords. Access protection is therefore a recommended measure.
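
The arithmetic above, replayed as an added example (not code from the original article or from any plugin it names): a sliding-window limiter run over a constructed log of failed logins. The function names, the 15-minute window, the "admin" username and the per-username limit are assumptions introduced here; the per-username counter goes beyond the per-IP limit the article describes.

```python
from collections import defaultdict, deque

def replay(events, max_per_ip=3, max_per_user=None, window=900):
    """Replay failed logins (ts, ip, user); return how many reached the password check.

    An attempt is refused when its IP (or, if max_per_user is set, its target
    username) already has that many failures inside the last `window` seconds.
    """
    by_ip, by_user = defaultdict(deque), defaultdict(deque)
    checked = 0
    for ts, ip, user in events:
        counters = [(by_ip[ip], max_per_ip)]
        if max_per_user is not None:          # assumption: extra per-username limit
            counters.append((by_user[user], max_per_user))
        for q, _ in counters:                 # forget failures older than the window
            while q and ts - q[0] >= window:
                q.popleft()
        if any(len(q) >= limit for q, limit in counters):
            continue                          # locked out: password is never compared
        checked += 1
        for q, _ in counters:
            q.append(ts)                      # every event in this log is a failure
    return checked

def constructed_log(n_ips, per_ip, user="admin", step=0.01):
    """Constructed sample data: n_ips sources, per_ip failed logins each."""
    return [((j * per_ip + k) * step, f"src-{j}", user)
            for j in range(n_ips) for k in range(per_ip)]

if __name__ == "__main__":
    one_source = constructed_log(1, 100)
    many_sources = constructed_log(10_000, 3)
    print("1 IP, 100 tries, per-IP limit:", replay(one_source))
    print("10,000 IPs x 3 tries, per-IP limit:", replay(many_sources))
    print("same log plus per-username limit of 5:",
          replay(many_sources, max_per_user=5))
```

A per-username limit also lets anyone lock the real account holder out by failing on purpose, so it is usually combined with other access protection rather than used alone.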