WordPress Limit Login Attempts

How to limit login attempts in WordPress

WordPress Limit Login Attempts is a security measure to protect your WordPress from 3rd party unwanted or you can say from hackers. Your website works as a business for you, but what if someone hacks your website? Are you ready to bear this loss? It is needed to secure the WordPress website, moreover, several attacks can impact website speed and performance to a great extent. Hackers are genius. They perform all the necessary activities to break the code. In this situation, relevant security measures should be taken.

Hackers try different ways to harm the security of the organization. They find several ways to break the security by using a password combination several times to get into the system. For keeping them unaware of your password, you should be aware of how to set WordPress limit login attempts. There are different kinds of the plugin available in WordPress, or you can install them on your website. In this tutorial, we discuss how to set WordPress Limit Login Attempts on your own.

Let’s Understand WordPress Limit Login Attempts Security Concept

“The limit login attempts means no one can try more than number defined login attempts. This procedure can control unwanted attacks. It doesn’t allow intruders/hackers to login into your WordPress website.

Why Should We Apply WordPress Limit Login Attempts Security

What is the benefit of creating a website if it is not secure? What hackers do actually, they try to enter random passwords several times, thinking the fact that they can break them by guessing it. Suppose if the person is the legitimate user., he/she knows what the password is, but if any unknown person tries to enter the wrong password, so many times. It threatens the website. So this security measure helps in limiting the total number of login try, let’s say 5 logins after that user will lockout temporarily. It can also block the IP address of the unknown user temporarily as well.

How to Set WordPress Limit Login Attempts

  1. Manually from Function.php File
  2. By using Plugins

How to set Limit login attempts Manually from PHP File

Here what you need? Simply you need the knowledge of PHP. Is it true? Yes, if you do not want to use the plugin you can simply use the code in the file name “function.php”. Most of the people don’t want to make use of plugins so, what they simply do is, they can write the following code.

// To check your user id or password is correct or not.
// If you try to more than three times then login is faild.
// This code help you to login your WordPress login.
function check_attempted_login( $user, $username, $password ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time = time_to_go( $until );
            return new WP_Error( 'too_many_tried',  sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ) , $time ) );
    return $user;
add_filter( 'authenticate', 'check_attempted_login', 30, 3 ); 
function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] <= 3 )
            set_transient( 'attempted_login', $datas , 300 );
    } else {
        $datas = array(
            'tried'     => 1
        set_transient( 'attempted_login', $datas , 300 );
add_action( 'wp_login_failed', 'login_failed', 10, 1 ); 
function time_to_go($timestamp)
// this code check you database and convert mysql timestamp to php time 
    $periods = array("second","minute","hour","day","week","month","year");
    $lengths = array( "60", "60", "24", "7", "4.35", "12" );
    $current_timestamp = time();
    $difference = abs($current_timestamp - $timestamp);
    for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) - 1; $i ++) {
        $difference /= $lengths[$i];
    $difference = round($difference);
    if (isset($difference)) {
        if ($difference != 1)
            $periods[$i] .= "s";
            $output = "$difference $periods[$i]";
            return $output;

But still, we recommend you to set a strong password with the combination of alphabet numbers and special characters. Strong passwords are challenging to break. You should use the WordPress Default Automatic password generator for generating a password. Because it generates a strong password for you.

To generate secure passwrod do follow the following options.

I. First Go to WordPress admin login area and type your username and password to login to your WordPress admin account.
II. Now Click on Users > select Username
III. Move to your profile
IV. Then down below you will see “account management
V. Here you can see New password option with generating Password Tab

Generate password option wordpress profile

VI. Now Click on Generate Password Option you will see something like below image and Down below Click on Update profile to save your password.

Auto generated WordPress password

Pro Tip:- You can write this password somewhere as it is quite complicated. It is difficult for you to remember this password.

Limit Login Attempts Using Plugins

You can set the limit login attempts security by using a WordPress plugin.

To setup WordPress limit login attempts we are going to use Login lockdown plugin by Michael VanDeMar.

Follow these simple steps for using the Login Lockdown plugin.

Firstly install and activate the Login Lockdown WordPress plugin. (Check our youtube video on how to install and activate WordPress Plugin below)

how to install and activate WordPress Plugin

Now configure the Plugin settings according to your need.

Option 1: Define maximum login retries, it can be anything like 3 or 5 depending on your need.

Option 2: Then the option of retry time is shown here you add retry minutes

Option 3: Lockout Length in minutes

Login LockDown Options
Plguin Lockdown Login screenshot

Final Thoughts

It is very necessary, for you to perform relevant security measures on your WordPress website. Every single user should be aware of WordPress security features. one of the common security features is to set up two factor authentication in WordPress to prevent unwanted login

Similarly, make use of a firewall if in case your website is business of yours. It does not only help to protect from unwanted forceful attacks but also provides an enhanced level of security.

In this tutorial, we have discussed WordPress login limit attempts, Why we should apply on our WordPress website, and also explained different ways of WordPress limit login attempts security option. If you are having any kind of doubt, ask freely in the comment section or leave us a message on from contact us page.

Leave a Reply

Your email address will not be published. Required fields are marked *