Do You Really Need to Limit Login Attempts on Your WordPress Site?
If you are wondering whether you need to limit login attempts to your WordPress site, the answer is most definitely yes. But what if your site does not get that much traffic? That’s what I thought at first too. I figured that since my site is not a high-profile site, I did not need such a plugin. But I was wrong. When I enabled the limit login feature of the iThemes Security plugin for WordPress, I started getting lockout notifications saying that someone at a particular IP had made multiple unsuccessful login attempts. And it was not me.
That goes to show that there are hackers out there who are making brute-force login attempts at WordPress sites using automated software. That is also why it is important not to use “admin” as a username. Surely that is one of the usernames that they will definitely try. Similarly, do not have a password of “1234”.
So how do you limit login attempts? The plugin that I like to use is the iThemes Security plugin, which has various security features, one of which is to limit login attempts. It also has the ability to rename your “admin” user to something else, as well as change that user’s ID so that it is not 1. See why this is important and how to do it in our other tutorial. iThemes Security also has the ability to enforce strong passwords. Or you might want to install the Force Strong Password plugin to make sure that your users are using strong passwords.
How to Limit Login Attempts in WordPress
To enable Limit Login Attempts in the iThemes Security plugin, go to “WordPress dashboard -> Security -> Settings”, scroll down to the section “Brute Force Protection” and check “Enable local brute force protection.” Usually, the default settings like these are fine …