Limit Login Attempts & Secure Your WordPress Site

If a stranger kept knocking on your front door, time and time again, you’d probably bolt it. Or add three additional locks.

Your online home, too, deserves and needs the same protection.

Limit Login Attempts Reloaded is a popular security plugin that lets you restrict access to your login page. If someone knocks on your virtual door more than a few times, they’re kicked out. It’s a great security tool, used on over two million WordPress sites.

If you’re considering using Limit Login Attempts Reloaded or a similar plugin for your website, this guide is a must-read.

In the next few minutes, we’re going to look at why you might need this plugin, how to set it up, and what other options you have for protecting your website.

Jump on board, it’s time for a whistle-stop tour!

What Is Limit Login Attempts Reloaded?

Limit Login Attempts Reloaded is the most popular WordPress plugin for capping the amount of times anyone can attempt to log in to your website. How does it work? By tracking the number of login attempts made from each IP address.

The basic plugin is free, offering solid protection against brute force attacks — that’s when hackers try to guess your password.

The free version also offers:

• Full logs of attempted logins.
• Email notifications.
• Protection for WooCommerce stores.
• Compatibility with other security plugins, such as Wordfence.

For additional website security features, you can pay for a premium license. This is either $7.99/month for each domain or you can get a lifetime license for $299.99.

Those extra features include:

• Smart IP address filtering.
• Blocking IP addresses based on location.

Why You Should Limit WordPress Login Attempts

The Internet can feel like the Wild West. If you don’t secure your site, there’s always someone ready to break in and wreak havoc.

By setting a limit on the number of failed login attempts, you can prevent people from trying to log in repeatedly. You’re much less likely to get hacked this way.

Just as importantly, those endless login attempts can overload your WordPress website and reduce performance. Restricting login attempts is a simple solution.

The Potential Downsides Of Limiting Login Attempts

It’s worth noting that limiting login attempts can cause a few headaches. For example, genuine users might find themselves locked out if they make a few typos or forget their password. This can be pretty frustrating on both ends.

Another potential issue is that limiting logins can make you more vulnerable to a Denial of Service (DoS) attack. A malicious hacker could deliberately overload your login limit from multiple IP addresses, and effectively lock out all users, including you. Scary stuff, no?

In rare cases, login limiting can cause performance issues. This usually happens when your lockout settings are too aggressive or you have a high-traffic site, so your web server has to work hard to track and block thousands of IP addresses.

How To Protect Your Site With Limit Login Attempts Reloaded

That’s the theory all wrapped up. Now, it’s time to take some action.

Setting up the Limit Login Attempts Reloaded plugin is pretty easy. That’s partly why it’s so popular.

But just in case you find yourself a little stuck, here’s a speedy walkthrough of the process:

Step 1: Install Limit Login Attempts Reloaded

Head over to the dashboard of your WordPress site, and then select Plugins > Add New Plugin.

Next, type “Limit Login Attempts Reloaded” into the search bar in the top-right and hit Enter. The plugin you want should appear as the first result.

Once you’ve located the plugin, choose Install Now.

When the plugin has been installed, hit Activate. Stay with us — you’re one step away from protecting your site!

Step 2: Choose Your Login Limits And Settings

If you check the left sidebar, you’ll notice that a Limit Login Attempts option has appeared.

Click on that, and then select Settings from the drop-down menu.

Let’s work our way through the General Settings first:

• GDPR compliance: This option adds a small message on your login screen, informing users that you’re tracking IP addresses (a requirement under GDPR law). You can adjust the message in the box below.
• Notify on lockout: With this feature, you will receive an email alert whenever someone is locked out of your site. You can choose the number of times this has to happen before you receive an email. Make sure to test that this is working.
• Display/Hide options: The next four checkboxes are just about how the plugin will appear in your WordPress Admin area.

Scroll down a little further, and you will come to the App Settings area:

• Micro Cloud: In return for sharing bad IP addresses with the plugin’s developers, you can get limited access to Limit Login Attempts Reloaded’s premium features.
• Local App: The settings here control how the plugin blocks logins. You can probably leave this section alone unless you have specific ideas about timing and attempts.

You can unlock even more settings with a Premium subscription. The plugin has a solid knowledge base to help you navigate these options.

Step 3: Monitor Login Attempts

With your protection set, you can visit Limit Login Attempts > Logs via the sidebar at any time to monitor the lockouts.

Or click on the Logs tab if you’re already in the plugin setting.

You can also manually restrict a specific IP address and add it to the safelist using this area.

Alternatives To The Limit Login Attempts Plugin

While Limit Login Attempts Reloaded is a great solution, it’s not the only way to protect your site from brute force attacks.

Here are some alternative options to consider:

1. Wordfence Security Plugin

Actively used by over five million sites, Wordfence Security is probably the best free all-in-one security plugin for WordPress. It provides much more than login protection, although this makes it a little resource-heavy.

Pros:

• Comprehensive security features, including brute force protection.
• Offers real-time global IP protection and IP intelligence.

Cons:

• May overlap with other security plugins.
• Can be overwhelming for beginners because of its feature-rich nature.

2. Loginizer Plugin

This freemium plugin is a like-for-like replacement for Limit Login Attempts Reloaded. It offers many of the same features and has great ratings, however it is a little resource-intensive.

Pros:

• Specialized in limiting suspicious login attempts.
• Offers IP blocking and password policies.

Cons:

• May slow down the admin panel.

3. Editing Your .htaccess File

You won’t find a login limit option in the WordPress Admin area. The good news is that, if you’re familiar with code, you can take some control by editing your site’s .htaccess file.

For example, you can drop in the following code to limit login access to specific IP addresses. Simply replace the XXX.XXX.XXX.XXX part with the IP addresses you want to allow:

RewriteEngine on 
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ 
RewriteCond %{REMOTE_ADDR} !^XXX.XXX.XXX.XXX$ 
RewriteCond %{REMOTE_ADDR} !^XXX.XXX.XXX.XXX$ 
RewriteCond %{REMOTE_ADDR} !^XXX.XXX.XXX.XXX$ 
RewriteRule ^(.*)$ - [R=403,L]

Be really careful with this technique, though. You could easily lock yourself out of your own site!

Additionally, you should keep in mind that .htaccess is not supported for some plans that use NGINX. If this is the case for you, we recommend you contact the support team.

Login Limiting FAQs

We didn’t cover everything you wanted to know? Not so fast, there’s more right here!

What are some other ways to secure a login page?

We would recommend taking the following steps for strong login security:

What does “Maximum Login Retries” mean?

This is the maximum number of failed login attempts in WordPress allowed for each user (IP address) before they’re blocked from trying again.

How do I remove limit login attempts?

If you’re talking about the plugin, you can simply deactivate and uninstall it.

In terms of unblocking your account, check out this post by the plugin developer.

Upgrade Your Site Security

Clamping down on failed login attempts is an important step toward securing your WordPress website. The Limit Login Attempts Reloaded plugin is probably the most efficient solution overall, but the other options are worth considering.

Of course, website security is partly dependent on your hosting provider. At DreamHost, we provide all the tools you need to fortify your site — from free SSL certificates to our built-in malware remover tool. The best part is that plans start at just $2.59/month!

Sign up today to give your WordPress site an instant security upgrade!

WordPress Hosting

Unbeatable WordPress Hosting

Reliable, lightning-fast hosting solutions specifically optimized for WordPress.

See More