As a site owner, spotting bots hammering the wp-login page raises the big question: how to limit login attempts in WordPress before one guess cracks the admin login. If you check site logs, they may be full of failed tries on “admin” and “password123,” and freak out – is WordPress security login too weak? What if hackers wipe posts, grab user data, or install malware next?

WordPress leaves login tries unlimited by default, turning sites into brute force playgrounds for scripts hitting thousands daily. Bots guess common usernames and weak passwords first. Endless requests spike server load and slow the site. A single breach brings spam links, data theft, or downtime. A solid limit login setup changes everything fast by cutting off after just 3-5 wrong tries, blocking bad IPs for a set time, while most real users only need one or two attempts anyway.

This article shows simple steps to limit login attempts in WordPress with free plugins that block bad IPs after a few fails. In case you want to limit site logins without a plugin, there’s a short code snippet you can use. Let’s get started!

How to Limit Login Attempts with a Plugin

A login limit plugin tracks failed attempts for each IP and sometimes for specific usernames. Once a threshold is reached, it blocks further attempts for a set time, often minutes at first and longer for repeat offenders. This type of WordPress security login protection is focused on the front door: wp-login.php and related forms. It does not replace firewalls, backups, or malware scanning, but it fills a key gap that exists because WordPress core does not ship with any login rate limiting.

There are several plugins that can limit login attempts in WordPress, and they all work on the same core idea. The steps below describe how to use the Limit Login Attempts Reloaded plugin.

Step 1: Install the Limit Login Attempts Reloaded Plugin

[Screenshot: Limit Login Attempts Reloaded plugin]

From the WordPress dashboard, click Plugins > Add New. Type “Limit Login Attempts Reloaded” into the search bar – it pops up first with over 2 million active installs and top ratings for brute force protection. Hit Install Now, then Activate – no premium needed since the core limit login features work free out of the box.

[Screenshot: Limit Login Attempts Reloaded installation]

Right away, a new “Limit Login Attempts” menu shows up in the left sidebar, landing on a dashboard with real-time stats like failed logins in the last 24 hours. Tabs up top link to Settings, Logs, and lists for safelisting trusted IPs or denylisting bad ones.

Step 2: Configure Plugin Settings

After activating the plugin, click the “Limit Login Attempts” item in the left sidebar and open the Settings tab at the top, because that’s where all the WordPress security login behavior gets defined.

[Screenshot: Limit Login Attempts Reloaded plugin app settings]

The Local App section defines the actual limit login rules that decide when an IP gets blocked.
The Allowed retries field is where you choose how many wrong passwords a user can enter before the plugin steps in; picking 3-5 strikes a balance between catching bots quickly and not punishing people who just mistype once or twice. The Minutes lockout setting defines how long that IP stays blocked after crossing the limit, so starting with something like 20 minutes gives attackers a real delay without locking out a genuine user for an entire day.

For repeat abusers, the plugin lets the site owner escalate things using the Lockouts and Increase lockout time settings. Setting the first to 4 and the second to 24 hours, for example, tells the plugin that after four lockouts the next ban should last much longer, which makes it a waste of time for bots to keep trying.
The Hours until retries are reset value decides when the lockout will be lifted.

There is also a Trusted IP Origins or similar field that deals with how the plugin reads IP addresses, especially when a site sits behind proxies or a CDN.
Most smaller sites can leave this alone, but owners with office IPs or more complex setups can adjust it with their host’s help so the plugin always sees the real client IP instead of a proxy address.

Below that is the GDPR Compliance option. It adds a small notice on the login page so users know that failed attempts are being logged, which is helpful from both a privacy and trust standpoint.
Turning on Notify on lockout and setting a threshold like 3 means the owner gets an email every time an IP fails too many times, so they can see when someone is hammering the login form instead of finding out after the fact.

[Screenshot: Limit Login Attempts Reloaded plugin general settings]

After you adjust the settings as you want, click the Save Settings button.

Step 3: Test the login limit on the site

After saving settings, a quick test helps confirm that the WordPress security login rules work. One simple way is to log out, visit the login page, and deliberately enter the wrong password several times. The login screen should start showing how many tries remain, and eventually it should show a lockout message when the limit is hit.

[Screenshot: Limit Login Attempts Reloaded plugin attempts counter on the login form]

At the same time, the plugin dashboard or logs should show one or more failed attempts and at least one active lockout.

How to Limit Login Attempts in WordPress Without a Plugin

You can limit login attempts in WordPress by adding custom PHP code to the theme’s functions.php file, skipping plugins entirely. This approach uses WordPress transients to track failed logins per IP, blocking repeats after a set number like 3-5 tries. It works on any host, but it’s recommended to use a child theme to avoid losing changes on updates – and always take a full site backup first.

Add this code snippet to the end of functions.php via Appearance > Theme Editor or FTP:

// Settings shared by both hooks, so the retry limit and lockout window live in one place.
function limit_login_settings() {
    $max_attempts = 3; // Change to your preferred limit
    $lockout_time = 20 * MINUTE_IN_SECONDS; // 20 minutes lockout
    return array($max_attempts, $lockout_time);
}

// Transient key for the client IP. Behind a proxy or CDN, REMOTE_ADDR is the
// proxy's address, so have the host pass the real client IP through first.
function limit_login_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'login_attempts_' . $ip;
}

// Reject the login once the IP has used up its attempts. Hooked on 'authenticate'
// at priority 30 (after WordPress checks the password) instead of 'init', which
// would have blocked every page for that IP, not just the login form; this hook
// also covers XML-RPC and REST logins, which never pass through wp-login.php.
function limit_login_attempts($user, $username, $password) {
    list($max_attempts, $lockout_time) = limit_login_settings();
    $attempts = (int) get_transient(limit_login_key());

    if ($attempts >= $max_attempts) {
        return new WP_Error('too_many_attempts', 'Too many login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'limit_login_attempts', 30, 3);

// Count each failed login against the IP; the transient expires with the lockout.
add_action('wp_login_failed', function($username) {
    list($max_attempts, $lockout_time) = limit_login_settings();
    $key = limit_login_key();
    $attempts = (int) get_transient($key);

    // Once locked out, stop counting so the lockout ends on schedule.
    if ($attempts >= $max_attempts) {
        return;
    }
    set_transient($key, $attempts + 1, $lockout_time);
});

Log out and try wrong passwords 4 times – the fourth attempt should be blocked with “Too many login attempts.” Wait 20 minutes, or delete the transient via WP-CLI (wp transient delete login_attempts_YOURIP) to reset it.
Adjust $max_attempts or $lockout_time for stricter rules, like 5 tries and 1 hour. Try it first on a staging environment to avoid breaking the live site.

This keeps WordPress security login solid without extra bloat, but plugins offer logs and whitelists for easier management.
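The two plugin settings from Step 2 that the snippet above does not cover, escalating lockouts for repeat offenders and reading the real client IP behind a proxy or CDN, can be built on the same transient idea. The following is an added example, not the article's snippet or the plugin's own code; the lla_ names, the constants and the proxy address 203.0.113.10 are assumptions made up for it, and it goes in a child theme's functions.php like the snippet above.

```php
// Added example: escalating lockouts plus trusted-proxy IP handling on WordPress
// transients. Not from the article or the plugin; lla_ names, constants and the
// proxy address are assumptions for this example. Append to functions.php.
define('LLA_MAX_ATTEMPTS', 4);                       // allowed retries before a lockout
define('LLA_LOCKOUT',      20 * MINUTE_IN_SECONDS);  // length of the first lockouts
define('LLA_LONG_LOCKOUT', 24 * HOUR_IN_SECONDS);    // length once an IP keeps coming back
define('LLA_LONG_AFTER',   4);                       // lockouts before the long ban kicks in
define('LLA_RESET_WINDOW', 12 * HOUR_IN_SECONDS);    // how long failures and lockouts are remembered

// Honour X-Forwarded-For only when the connection really comes from our proxy or CDN;
// otherwise any client could send a fake header and dodge the limit.
function lla_client_ip() {
    $trusted_proxies = array('203.0.113.10');   // constructed proxy address, replace with yours
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if (in_array($remote, $trusted_proxies, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $hops   = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $remote = trim(end($hops));              // last hop is the one our proxy appended
    }
    return filter_var($remote, FILTER_VALIDATE_IP) ? $remote : '0.0.0.0';
}

function lla_is_locked() {
    return (bool) get_transient('lla_lock_' . lla_client_ip());
}

// Refuse the login while a lockout is active (priority 30, after the password check).
add_filter('authenticate', function ($user, $username, $password) {
    return lla_is_locked()
        ? new WP_Error('too_many_attempts', 'Too many login attempts. Try again later.')
        : $user;
}, 30, 3);

add_action('wp_login_failed', function ($username) {
    if (lla_is_locked()) {
        return;                                  // do not extend an active lockout
    }
    $ip       = lla_client_ip();
    $attempts = (int) get_transient('lla_fail_' . $ip) + 1;
    if ($attempts < LLA_MAX_ATTEMPTS) {
        set_transient('lla_fail_' . $ip, $attempts, LLA_RESET_WINDOW);
        return;
    }
    // Limit reached: after LLA_LONG_AFTER lockouts in the window, the next one lasts LLA_LONG_LOCKOUT.
    $lockouts = (int) get_transient('lla_lockouts_' . $ip) + 1;
    $duration = ($lockouts > LLA_LONG_AFTER) ? LLA_LONG_LOCKOUT : LLA_LOCKOUT;
    set_transient('lla_lockouts_' . $ip, $lockouts, LLA_RESET_WINDOW);
    set_transient('lla_lock_' . $ip, time() + $duration, $duration);
    delete_transient('lla_fail_' . $ip);
});
```

If the site is not behind a proxy, leave $trusted_proxies empty so the forwarded header is never consulted.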

Extra Tips to Boost WordPress Security Login

Limiting login attempts in WordPress is one step, but layering on a few everyday habits turns the whole setup into a fortress that brute force attackers just bounce off.

Start with passwords – swap out weak ones for long passphrases unique to each admin account, and stash them in a manager like LastPass instead of sticky notes or browser saves that hackers love to grab.
Next, ditch the default “admin” username entirely since bots guess it first, and delete any old unused admin users that sit there as easy targets during attacks.

From there, add two-factor authentication through plugins like Wordfence or Google Authenticator, so even if a password leaks, the thief still needs a phone code to get in.

Keep WordPress core, themes, and plugins updated weekly because old versions often have public login flaws that scripts exploit right away.

Finally, automate daily backups, ensuring a full site restore if something slips through despite the login limits and other defenses.

Final Thoughts on How to Limit Login Attempts in WordPress

Putting limits on login attempts in WordPress is an easy step that gives a big boost to how well a site can stand up to automated attacks. Adding a focused tool like Limit Login Attempts Reloaded quietly adds a protective layer at the login screen, cutting off bots while keeping the experience smooth for real visitors.

When this sits alongside solid habits like strong passwords, updates, and basic backups, it turns brute force attempts into more hassle than they’re worth. The result is a WordPress security login setup that feels low-maintenance for the owner but much harder to crack for anyone trying to force their way in.