Why do you need the Limit Login Attempts plugin?
WordPress is a secure platform, but the case that follows is my pet peeve: I don't understand why WordPress core still doesn't ship any defence against brute force attacks on the login page.
Brute force attacks are bots that try to guess your username (usually "admin") and your password, every day, and every hour or more often if your site gets a lot of traffic.
Do you know that WordPress allows an unlimited number of failed login attempts? Yes, those bad guys work 24/7, trying to log into your site, and nothing in a default installation slows them down.
Older WordPress installations created the "admin" user by default, and many sites still carry that account. This is weak, very weak: the attacker already knows half of your credentials.
Are you still using "admin" as your username? If so, do yourself a favour NOW and change it to something less predictable. You can create a new administrator with a different name from the dashboard, log in as that user and delete the old "admin" account (WordPress asks you to reassign its posts to another user), or rename the account directly in the database. When you finish, come back to this article!
Later on I'll show you visually what happens if you're still using admin, and why it's a crazy thing!
By the way, I assume you have a strong password, right? If not, change it immediately to a long combination of letters, numbers and special characters.
Normally, for instance with webmail services, after a few wrong username and password combinations a CAPTCHA appears and, if you still insist, you're blocked. WordPress does nothing of the sort by default.
Adding that layer of protection, and making it impractical for anyone to brute force their way into your WP site, is where the Limit Login Attempts plugin comes into play.
Limit Login Attempts is a free plugin which limits the number of login attempts, both through the normal login form and via auth cookies.
It limits the number of retries when logging in (per IP address) and blocks that IP once the specified number of retries is reached.
It can also notify you by email when a specific IP exceeds the allowed retries and is locked out.
Limit Login Attempts WordPress Plugin Settings
By default, it comes with:
My recommendation depends on how many administrators your blog has.
- If you're the only administrator of your site, set the number of allowed attempts as low as you can live with: every extra attempt is one more chance for the attacker.
- If your site is a multi-author blog, the situation is different, and you need to consider how reliably the rest of your users remember their usernames and passwords. With that clear, set the number of attempts you'll allow according to your specific case.
For example, you can allow 3 attempts and, after those fail, block that particular IP for 1 hour.
There is a further setting that imposes a much longer block (24 hours, or however many you choose) once the same IP has been locked out a certain number of times.
If you're the only person authorized to log in and you see someone else trying to get in, why not kick them out for a week?
Perhaps those bots will "forget" your site and never return: the scanners aren't stupid, and they may move on to weaker sites that have no additional defences.
Nevertheless, my own experience is that even with all these measures you'll sometimes be alerted that the same IP is coming back, again, to crack and later hack your site.
Definitely block that IP permanently with your host, or by another method such as a deny rule in your web server configuration or firewall, and say "hasta la vista, baby!" You can't access my site anymore!
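As an added example, which is neither the plugin's own code nor something from the original article, the Python script below replays constructed web-server log lines through a lockout policy like the one described above (3 failures, then a 1 hour lockout; a 24 hour lockout once the same IP has been locked out 4 times; the retry counter forgotten after 12 quiet hours) and then lists the IPs that keep coming back and deserve a permanent block at the host. The IP addresses, timestamps, thresholds and log lines are assumptions made up for the illustration, not data from a real site.

```python
"""Replay web-server log lines through a per-IP login lockout policy.

Added example, not the Limit Login Attempts plugin's own code. The policy
mirrors the settings the article describes; the log lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Combined log format as written by Apache/nginx; only the fields used are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

@dataclass
class Policy:
    max_retries: int = 3                           # failures before a lockout
    lockout: timedelta = timedelta(hours=1)        # length of the first lockouts
    long_lockout_after: int = 4                    # this many lockouts -> long lockout
    long_lockout: timedelta = timedelta(hours=24)
    reset_retries_after: timedelta = timedelta(hours=12)  # quiet period clears failures

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None

class LoginGuard:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.state: Dict[str, IpState] = defaultdict(IpState)

    def is_locked(self, ip: str, now: datetime) -> bool:
        st = self.state[ip]
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Count one failed login for ip; return True if it caused a lockout."""
        st, p = self.state[ip], self.policy
        if st.last_failure and now - st.last_failure > p.reset_retries_after:
            st.failures = 0                        # stale failures are forgotten
        st.failures, st.last_failure = st.failures + 1, now
        if st.failures < p.max_retries:
            return False
        st.failures, st.lockouts = 0, st.lockouts + 1
        escalate = st.lockouts >= p.long_lockout_after
        st.locked_until = now + (p.long_lockout if escalate else p.lockout)
        return True

    def record_success(self, ip: str) -> None:
        self.state[ip].failures = 0               # a correct password clears the counter

def replay(lines: List[str], guard: LoginGuard) -> Dict[str, Dict[str, int]]:
    """Per-IP counts of failed logins, requests refused while locked, and lockouts.

    Only POSTs to wp-login.php count. WordPress answers a wrong password with
    HTTP 200 (the form again) and a correct one with a 302 redirect.
    """
    stats = defaultdict(lambda: {"failed": 0, "blocked": 0, "lockouts": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip, now = m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if guard.is_locked(ip, now):
            stats[ip]["blocked"] += 1              # refused before the password is checked
        elif m["status"] == "302":
            guard.record_success(ip)
        else:
            stats[ip]["failed"] += 1
            stats[ip]["lockouts"] += int(guard.record_failure(ip, now))
    return dict(stats)

def repeat_offenders(stats: Dict[str, Dict[str, int]], min_lockouts: int = 2) -> List[str]:
    """IPs locked out again and again: candidates for a permanent block at the host."""
    return sorted(ip for ip, s in stats.items() if s["lockouts"] >= min_lockouts)

def lockout_durations(policy: Policy, rounds: int) -> List[float]:
    """Trigger `rounds` lockouts in a row and return each one's length in hours."""
    guard, now = LoginGuard(policy), datetime(2015, 3, 1, tzinfo=timezone.utc)
    hours = []
    for _ in range(rounds):
        for _ in range(policy.max_retries):
            guard.record_failure("203.0.113.9", now)
        until = guard.state["203.0.113.9"].locked_until
        hours.append((until - now).total_seconds() / 3600)
        now = until + timedelta(minutes=1)         # come back right after the lockout ends
    return hours

def _line(ip: str, ts: str, status: int) -> str:   # builds one constructed log line
    return f'{ip} - - [{ts} +0000] "POST /wp-login.php HTTP/1.1" {status} 3921 "-" "Mozilla/5.0"'

SAMPLE_LOG = [                                     # constructed, not a real access log
    _line("203.0.113.7", "01/Mar/2015:10:00:00", 200),   # bot: three failures -> lockout
    _line("203.0.113.7", "01/Mar/2015:10:00:01", 200),
    _line("203.0.113.7", "01/Mar/2015:10:00:02", 200),
    _line("198.51.100.5", "01/Mar/2015:10:05:00", 200),  # author: one typo, then success
    _line("198.51.100.5", "01/Mar/2015:10:05:20", 302),
    _line("203.0.113.7", "01/Mar/2015:10:15:00", 200),   # bot still hammering while locked
    _line("203.0.113.7", "01/Mar/2015:10:30:00", 200),
    _line("203.0.113.7", "01/Mar/2015:11:10:00", 200),   # back after the hour: second lockout
    _line("203.0.113.7", "01/Mar/2015:11:10:01", 200),
    _line("203.0.113.7", "01/Mar/2015:11:10:02", 200),
]

if __name__ == "__main__":
    report = replay(SAMPLE_LOG, LoginGuard(Policy()))
    print(report, repeat_offenders(report), lockout_durations(Policy(), 5))
```

On the constructed sample the bot ends up with 6 failures, 2 requests refused while locked and 2 lockouts, the author with a single failure and no lockout, and `lockout_durations` shows the escalation the settings describe: three 1 hour lockouts followed by 24 hour ones. Note that the guard keys everything on the client IP, exactly as the plugin does, so an attacker rotating through many addresses gets a fresh counter per address; the per-IP limit raises the cost of the attack rather than eliminating it, which is why a strong password and a non-default username still matter.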
If you're afraid of locking yourself out, you can log in to your hosting account (FTP or the file manager) and delete the plugin or rename its folder under wp-content/plugins; WordPress deactivates a plugin whose files it can no longer find, and you'll have access to your site again.
I wish the Limit Login Attempts plugin didn't show how many attempts are left; that way nobody would know whether you're using this plugin or another one, but that's not the case.
However, this is a minor drawback, and your WP security will be better after installing it.
I can assure you that you'll be shocked to see how many failed attempts and lockouts your site racks up from those brute force attacks.
Have you already installed the Limit Login Attempts plugin?
What is your experience with these attacks?