If you want to limit login attempts in WordPress, one of the easiest ways is to block repeated failed logins before they turn into a brute force problem. WordPress does not limit login tries by default, which means bots can keep guessing usernames and passwords unless you add protection.

That matters because repeated login attempts can slow down a site, increase server load, and raise the risk of unauthorized access if weak credentials are used. A simple login protection setup can stop that by locking out IP addresses after a few failed attempts.

This guide shows how to limit login attempts in WordPress with a free plugin and, if needed, with custom code. It also covers a few extra steps that can strengthen wp-login security and reduce brute force attacks.

How to Limit Login Attempts with a Plugin

A login protection plugin tracks failed login attempts for each IP address and sometimes for specific usernames. Once a limit is reached, it temporarily blocks more attempts for a set period of time. This type of WordPress security helps protect the wp-login page from brute force attacks. It does not replace a firewall, backups, or malware scanning, but it covers an important gap because WordPress core does not include login rate limiting by default.

There are several plugins that can limit login attempts in WordPress, and they all work on the same core idea. The steps below describe how to use the Limit Login Attempts Reloaded plugin.

Step 1: Install the Limit Login Attempts Reloaded Plugin

From the WordPress dashboard, go to Plugins > Add New. Search for Limit Login Attempts Reloaded, then click Install Now and Activate. The free version is enough for a standard WordPress login protection setup.

After activation, a new Limit Login Attempts item appears in the left admin menu. From there, you can view the settings, logs, trusted IP options, and other controls related to failed login tracking and lockouts.

Step 2: Configure Plugin Settings

After activating the plugin, open Limit Login Attempts from the left admin menu and go to the Settings tab. This is where you define the login protection rules, including failed attempts, lockout time, and notifications.

The Local App section controls the core login attempt rules. The allowed retries field sets how many incorrect passwords can be entered before an IP address is blocked. A limit of 3 to 5 failed attempts is usually a good balance between stopping bots quickly and avoiding unnecessary lockouts for real users. The lockout minutes setting controls how long that IP stays blocked after hitting the limit.

For repeat abusers, the plugin lets the site owner escalate lockouts using the Lockouts increase lockout time setting. Setting the first value to 4 and the second to 24 hours, for example, tells the plugin that after four lockouts, the next ban should last much longer, which makes it a waste of time for bots to keep trying. The hours until retries are reset value decides when the lockout will be lifted.
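
The escalation rule just described, worked through as a small state machine that can be run with the php command line. This is an added illustration, not the plugin's code: the constant names, the record layout and the 20-minute base lockout are assumptions, and the timeline is constructed.

```php
<?php
// Added sketch of the escalation rule; names and storage are assumptions.
const ALLOWED_RETRIES      = 4;          // failed attempts before a lockout
const LOCKOUT_SECONDS      = 20 * 60;    // normal lockout length
const LOCKOUTS_TO_ESCALATE = 4;          // after this many lockouts ...
const LONG_LOCKOUT_SECONDS = 24 * 3600;  // ... the next one lasts this long

/**
 * Record one failed login at time $now (Unix seconds) and return the
 * updated per-IP record: retries, lockouts, locked_until.
 */
function record_failure(array $state, int $now): array {
    $state += ['retries' => 0, 'lockouts' => 0, 'locked_until' => 0];

    if ($now < $state['locked_until']) {
        return $state; // already locked out: refuse without counting
    }
    $state['retries']++;
    if ($state['retries'] >= ALLOWED_RETRIES) {
        // Escalate once this IP has already been locked out often enough.
        $long = $state['lockouts'] >= LOCKOUTS_TO_ESCALATE;
        $state['locked_until'] = $now + ($long ? LONG_LOCKOUT_SECONDS : LOCKOUT_SECONDS);
        $state['lockouts']++;
        $state['retries'] = 0;
    }
    return $state;
}

// Constructed timeline: a bot retries every 30 seconds for 3 hours.
$state = [];
for ($t = 0; $t <= 3 * 3600; $t += 30) {
    $before = $state['lockouts'] ?? 0;
    $state = record_failure($state, $t);
    if ($state['lockouts'] > $before) {
        // Print each new lockout and how long it lasts.
        printf("t=%5ds lockout #%d for %d minutes\n",
            $t, $state['lockouts'], ($state['locked_until'] - $t) / 60);
    }
}
```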

The Trusted IP Origins setting controls how the plugin reads visitor IP addresses, especially on sites using proxies or a CDN. Most small sites can leave this unchanged, but if the site runs behind Cloudflare or another reverse proxy, it may need adjustment so the plugin detects the real client IP correctly.

The GDPR Compliance option adds a small notice to the login page so users know failed attempts may be logged. You can also enable Notify on lockout to receive an email when an IP is blocked after too many failed logins. That makes it easier to spot repeated login attacks early.

After you adjust the settings as you want, click the Save Settings button.

Step 3: Test the Login Limit on the Site

After saving settings, a quick test helps confirm that the WordPress security login rules work. One simple way is to log out, visit the login page, and deliberately enter the wrong password several times. The login screen should start showing how many tries remain, and eventually it should show a lockout message when the limit is hit.

At the same time, the plugin dashboard or logs should show one or more failed attempts and at least one active lockout.

How to Limit Login Attempts in WordPress Without a Plugin

You can also limit login attempts in WordPress with custom PHP code instead of using a plugin. This method uses WordPress transients to track failed logins by IP address and block repeated attempts after a defined threshold. If you use this approach, it is safer to place the code in a child theme or a code snippets plugin so the changes are not lost during theme updates. Always back up the site first.

Add this code snippet to a child theme’s functions.php file, or use a code snippets plugin if you prefer not to edit theme files directly:

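function limit_login_attempts($user) {
    $max_attempts = 3; // Change to your preferred limit
    // Behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, not the visitor's.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key = 'login_attempts_' . $ip;
    $attempts = get_transient($key);

    if ($attempts === false) {
        $attempts = 0;
    }

    if ($attempts >= $max_attempts) {
        // Locked out: refuse the login, even with a correct password.
        return new WP_Error('too_many_attempts', 'Too many login attempts. Try again later.');
    }

    return $user;
}
// Hook the login check itself rather than init, so a locked-out IP can still
// browse the site. Priority 30 runs after core's credential checks (priority 20).
add_filter('authenticate', 'limit_login_attempts', 30);

add_action('wp_login_failed', function($username) {
    $lockout_time = 20 * MINUTE_IN_SECONDS; // 20 minutes lockout
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key = 'login_attempts_' . $ip;
    $attempts = get_transient($key);
    if ($attempts === false) {
        $attempts = 0;
    }
    $attempts++;
    // Every failure restarts the timer, so the lockout ends $lockout_time after the last failed attempt.
    set_transient($key, $attempts, $lockout_time);
});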

To test it, log out and enter a wrong password 4 times; you should be blocked with “Too many login attempts.” To reset, wait 20 minutes or delete the transient via WP-CLI (wp transient delete login_attempts_YOURIP).
Adjust $max_attempts or $lockout_time for stricter rules, like 5 tries and 1 hour. Try it first on a staging environment to avoid breaking the live site.

This method can reduce brute force attempts without adding another plugin, but a dedicated plugin is still easier to manage because it usually includes logs, whitelists, notifications, and a settings screen.
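
Behind Cloudflare or another reverse proxy, REMOTE_ADDR is the proxy's address, so the snippet above would count every visitor as one IP, while trusting X-Forwarded-For blindly lets a client choose the address it is counted under. The following is an added example, not part of the original snippet or of any plugin: the function name lla_client_ip and the TRUSTED_PROXIES addresses are assumptions, and it matches exact addresses only (CDN ranges need a CIDR comparison).

```php
<?php
// Added example. TRUSTED_PROXIES holds constructed documentation addresses;
// replace them with the addresses your own proxy or CDN connects from.
const TRUSTED_PROXIES = ['203.0.113.10', '203.0.113.11'];

/**
 * Return the address to rate-limit on.
 * $server is the $_SERVER array, passed in so the function can be tested.
 */
function lla_client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection, or a peer we do not recognise: ignore forwarding
    // headers, because any client can send X-Forwarded-For itself.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $header));

    // Walk from the right: the rightmost entries were appended by our own
    // proxies; the first entry that is not a trusted proxy is the client.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests for running this file on its own with php;
// leave these lines out when adding the function to functions.php.
// 1) A direct client sending a forged header: the header is ignored.
$direct_spoof = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
// 2) The same client via a trusted proxy, which appended the real peer address.
$via_proxy = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7'];

echo lla_client_ip($direct_spoof), "\n";
echo lla_client_ip($via_proxy), "\n";
```

To use it with the snippet above, build the transient key from lla_client_ip($_SERVER) instead of $_SERVER['REMOTE_ADDR'] in both places.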

Extra Tips to Improve WordPress Login Security

Limiting login attempts is a good first step, but better login protection comes from combining it with a few basic security habits.

Start with strong passwords. Use long, unique passphrases for every admin account, and store them in a password manager instead of reusing weak logins. It is also a good idea to avoid the default admin username and remove old administrator accounts that no longer need access.

From there, add two-factor authentication through plugins like Wordfence or Google Authenticator, so even if a password leaks, the thief still needs a phone code to get in.

Keep WordPress core, themes, and plugins updated weekly because old versions often have public login flaws that scripts exploit right away.

Finally, automate daily backups, ensuring a full site restore if something slips through despite the login limits and other defenses.

Final Thoughts on How to Limit Login Attempts in WordPress

Limiting login attempts in WordPress is one of the simplest ways to reduce brute force attacks on the login page. A plugin like Limit Login Attempts Reloaded adds a practical layer of protection by blocking repeated failed logins before they become a bigger problem.

When that is combined with strong passwords, two-factor authentication, updates, and backups, the login area becomes much harder to abuse. The result is a WordPress site that is easier to manage and better protected against automated login attacks.

FAQs About Limiting Login Attempts in WordPress

Does WordPress limit login attempts by default?
No. WordPress allows unlimited login attempts by default, which is why many site owners use a plugin or custom code to block repeated failed logins.

What is the best plugin to limit login attempts in WordPress?
One popular choice is Limit Login Attempts Reloaded because it is easy to set up and lets you control retries, lockouts, notifications, and logs from the dashboard.

How many login attempts should be allowed?
For most sites, allowing 3 to 5 failed login attempts before a temporary lockout is a reasonable starting point.

Can I limit login attempts in WordPress without a plugin?
Yes. It is possible to do this with custom PHP code, but a plugin is usually safer and easier for most users because it includes settings, logs, and better management tools.