Ultimate Security Guide Part 3/9: Limit Login Attempts

Welcome to our 9-part series of the Ultimate Guide to Protecting Your WordPress Website.

This is Part 3: Limit Login Attempts

You won’t have to be too technical to do this yourself, and I’ll be here showing you on the screen, step by step, how to do it.

Here are a few things you’ll need to prepare before starting:

  • Your WordPress administrative area login URL, which in most cases is /wp-admin after your domain name
  • Your WordPress administrative username
  • Your Password

Today I’m going to show you how to secure your WordPress website by limiting the login attempts on your site.

If a hacker or a bot attempts a brute-force attack to crack your password, limiting the number of failed login attempts from a single IP address can be extremely useful.

Let’s get started.

  1. First, let’s log into your WordPress administrative area.
  2. Click on Plugins > Add New
  3. Search for Limit Attempts
  4. Find Limit Attempts by BestWebSoft and click Install.
  5. Keep in mind, this is the free version, which does an amazing job already. If you are having problems with multiple brute-force attacks, you may want to consider getting a true firewall from your web host instead.
  6. Now on the left, we go to BWS > Limit Attempts and configure the plugin.
  7. The default settings are pretty good already. If you need to modify them to fit your needs, click the edit button.
  8. Under Blacklist, you can manually blacklist any IP address. This stops that person from accessing the login completely.
  9. Under Whitelist, you may want to add your own IP in case you forget your password and try a few too many times.
  10. Under Statistics, you can review which IPs are trying to access your site. This is helpful to see if you are being attacked or not.

Of course, if you really like this plugin, you may consider going Pro. It comes with a lot more features to help protect your site; for example, you can block an entire country.

There are still ways hackers can get around this, as some sophisticated attackers will use a large number of different IP addresses…but it’s still worth doing as an additional precaution.
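The per-IP limit and the way around it described above both show up in the web server's access log. The following Python script is an added example, not code from the plugin or from this guide; it assumes combined log format, that a failed WordPress login answers the POST to /wp-login.php with status 200 while a successful one redirects with 302, and illustrative thresholds for a single time window.

```python
import re
from collections import Counter

# Matches POSTs to wp-login.php in combined log format; captures IP and status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /wp-login\.php(?:\?\S*)? HTTP/[^"]+" (\d{3}) ')

def failed_logins_by_ip(lines):
    """Count failed login POSTs per client IP.

    Assumption: status 200 on the POST means the login form was shown again
    (a failure); a successful login is answered with a 302 redirect.
    """
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == "200":
            counts[m.group(1)] += 1
    return counts

def assess(lines, per_ip_limit=5, site_limit=20):
    """Return (IPs a per-IP limit would lock out, distributed attack suspected).

    Both thresholds are illustrative, not the plugin's defaults.
    """
    counts = failed_logins_by_ip(lines)
    locked_out = sorted(ip for ip, n in counts.items() if n >= per_ip_limit)
    # Failures from IPs that each stay under the per-IP limit slip past it.
    under_radar = sum(n for n in counts.values() if n < per_ip_limit)
    return locked_out, under_radar >= site_limit

def make_line(ip, status, method="POST", path="/wp-login.php"):
    """Build one constructed log line (documentation-range IPs only)."""
    return (f'{ip} - - [10/Mar/2024:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "-"')

# Constructed sample: one noisy IP, 12 IPs with 2 failures each, one real login.
SAMPLE = (
    [make_line("203.0.113.7", 200)] * 8
    + [make_line(f"198.51.100.{i}", 200) for i in range(1, 13) for _ in range(2)]
    + [make_line("192.0.2.10", 302), make_line("192.0.2.10", 200, "GET", "/")]
)

if __name__ == "__main__":
    locked_out, distributed = assess(SAMPLE)
    print("Would be locked out:", locked_out)
    print("Distributed attack suspected:", distributed)
```

In the sample, the single noisy IP is caught by the per-IP limit, while the 24 failures spread across 12 addresses are only visible as a site-wide total.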

Remember, securing your WordPress site is not about preventing an attacker from hacking your site; it is about making it as hard as possible, so that they either quit or you get enough warning and time to take appropriate measures.

Thanks for watching this video.

Bookmark this page, subscribe or save it somewhere so you can check back when we publish Part 4/9 next week!

Looking for previous episodes of the Ultimate Guide to Securing Your WordPress site?

If you have any questions or comments, please comment below.