7 Best Practices to Limit Failed Login Attempts in WordPress

Failed login attempts on WordPress sites shouldn’t be overlooked. In some cases, it’s the beginning of serial brutal site attacks. Lots of WordPress has been ended up shut down due to this reason.

If you spot multiple failed login attempts on your WordPress site, you should determine the root causes and come up with solutions on the spot. Will it be just from normal password typos or spambots? Can failed login entries affect your site badly in some ways?

This article aims to answer those questions and provides you with simple and actional ways to tackle failed login entries.

What Causes Failed Login Attempts in WordPress?

As the term indicates, failed login attempts happen when someone tries to log in to your WordPress site using the wrong credentials. It can be either right usernames, wrong passwords or wrong both usernames and passwords.

There are a few reasons that prompt failed login attempts. The first common case refers to when you password-protect the entire WordPress site and require your visitors to log in and view the private content. At that point, any password typos can lead to failed login.

Apart from that, failed login attempts in WordPress are also caused by malicious attacks. This happens when hackers consistently use brute force attack techniques to gain access to your backend.

Can It Hurt Your Site?

If the reason comes from password typos, it’s just a piece of cake to resolve. You can easily add a password-revealed button to your login form. Having that said, it also affects user experience more or less.

Occasional failed login attempts can’t bother site security. However, when it comes to too many failed login entries in the same timeframe, you should be on the alert for a site hack. There is a high chance that automated bots are trying to break into your site.

Targeted brute force attacks can take up a massive amount of your bandwidth, which slows down your site performance. Besides, once hackers get access to your admin dashboard, they can steal your data or redirect your site to illegal and offensive content resources. As a result, your site will soon lose its reputation and even get a penalty from Google.

No matter what the reason is, you must properly handle failed login entries on your WordPress site. Better safe than sorry, who knows?

7 Ways to Handle Failed Login Attempts

As a matter of fact, WordPress doesn’t provide any built-in functionality to sweep away or limit failed login attempts. But the good news is you don’t have to be tech-savvy to deal with this problem.

#1. Include Password Reveal Buttons

Silly password typos not only mess things up with failed logins but also piss your users off. Our PPWP plugin helps you say goodbye to password typos by adding a password reveal button under the password field. Plus, you can also insert a custom error message notifying your visitors about their wrong passwords.

The following guide will show you how to customize your password forms per your tastes with PPWP and WordPress Customizer.

  1. In your WordPress dashboard, go to Plugins > Add New. Look for PPWP in the plugin search box. Install and activate the plugin.
  2. Go to Appearance > Customize > PPWP Sitewide Login Form.
    PPWP sitewide login form
  3. Navigate to Password Reveal Button. Switch on the “Enable Password Reveal Button” option. You can also fill in your own custom button text and decide the button color.
    PPWP password reveal button

This is how the login form looks after enabling the password reveal button with PPWP plugin.
ppwp show password

For custom error messages, head to the Error Message section and enter your unique message, then hit Save.

ppwp enter error message

#2. Create Quick Access Links

On the same note, making use of Quick Access Links (QALs) will also give a helping hand in preventing failed login entries to private content. True to its name, the idea of QALs is to provide an instant link letting people access your private site without the need for passwords or login. This technique helps maintain site security also.

PPWP Pro will automatically generate unlimited QALs for your users. As a site owner, you can set up the access links to expire after certain days or clicks.  In addition, you can track link usage to make sure it’s not overused.

To create QALs, you need the Password Suite extension on top of PPWP Pro.

  1. Install and activate PPWP Pro and Password Suite
  2. In your WordPress dashboard, navigate to Password Protect WordPress >  Sitewide Protection. Click on the “Upgrade Now” button.
    upgrade PPWP Pro sitewide protection
  3. In the Sitewide tab, turn on the Password Protect Entire Site option. If you want to exclude any pages, enable the “Exclude these pages and posts from site-wide protection” and choose the pages from the dropdown menu.
  4. Copy the quick access link and send it to your users.

PPWP Pro quick access links
Now, you don’t need to worry about failed login attempts to your private WordPress site.

#3. Use Secured Login Credentials

We’ve emphasized enough the importance of strong and robust passwords and unique usernames. This is the simplest but most effective practice to protect your site from brute force attacks and data breaches.

Your password must contain at least 8 characters, mixed with lower case, upper case letters, numbers, and special characters. The more complex your password is, the harder it is for hackers to guess and hack into your WordPress sites.

#4. Keep Your Site Updated

WordPress constantly releases updates to not only introduce new advanced features but also include security patches to fix flaws of the old versions. As such, updating your WordPress site to the latest version is always highly recommended.

Surprisingly, just only more than half of the users are using the latest version of WordPress, while 7.4% and 4.2% of them use WordPress version 5.7 and 5.6 respectively.
wordpress version in use statistics

In case you’re running the old version of WordPress, you should hide your WordPress version number from the public to avoid security risks. Hackers can find your WordPress version, look for vulnerability holes, and breach your site.

#5. Restrict Login Attempts

While WordPress gives the green light to unlimited login entries by default, you can change that to prevent too many failed login attempts. And the Limit Login Attempts Reloaded plugin will help you with that.

limit failed login attempts reloaded

This plugin is such a wizard in limiting the number of login attempts related to brute force attacks. This proves handy in optimizing your site performance as well.

The key features of Limit Login Attempts Reloaded include

  • Restricting the number of retry attempts when logging in per each IP address.
  • Providing modifiable lockout timings.
  • Showing users the remaining retries or lockout time on the login page.
  • Notifying blocked attempts via emails.
  • Offering a Safelist/Blocklist of IPs and Usernames.
  • Protecting WooCommerce login page.

If you’re using WPEngine as your hosting provider, you don’t need to install this plugin. This is because WPEngine did bring security in-house by replacing Limit Login Attempts with their proprietary security system 7 years ago.

#6. Pay Attention to Web Host Security

A reliable web host plays a vital role in tightening server security. However, most WordPress site owners seem to underestimate the significance of secure web hosting.

Many of them tend to be tempted into shared hosting plans since they are more affordable. Still, not only don’t they give any helping hands in stopping failed login attempts but they also turn your site into lucrative prey for hackers. If attackers successfully hack any site on that shared server, the next target may be yours, since they can gain access via the hacked site.

A high-quality web hosting may cost you some bucks, but you certainly get what you pay for.

#7. Make Use of 2FA and Security Plugins

2 Factor Authentication (2FA) comes as a great solution to block cyber security threats in general and failed login attempts in particular. By asking users to prove their authentication via one more step of email or login OTP confirmation, you can get your site away from spambots or shady visitors.

To enable 2FA on your WordPress site, you can install WP 2FA. This free and easy-to-use plugin gets over 20,000 active installations. It boasts many types of 2FAs that suit your wants and needs, including TOTP, HOTP, out-of-band emails, etc.

Alternatively, you can opt for security plugins that provide all-in-one solutions like WordFence, Jetpack, or iThemes Security. They offer 2FA, malware scanner, backup, and many more useful features to help you report failed login attempts and secure your site from any attacks.

Don’t Let Failed Login Entries Hurt Your Site!

There are many reasons causing failed login attempts in WordPress. It can be password typos when users log in to your backend or your password-protected site to view your private content. At that point, using PPWP Pro and Password Suite to enable a password reveal button and generate quick access links can easily resolve the problem.

If there are too many failed login entries happen consistently at the same time, there is a high chance that hackers set up automatic bots to brute force attack your site. You need to keep your WordPress site updated, use reliable web hosting, and restrict login attempts using recommended plugins.

Plus, installing security plugins will significantly help you guard off malicious attacks.

Stop failed login attempts to your private WordPress site with PPWP Pro and Password Suite now!