Limit Login Attempts Review: Stop Brute Force Attacks to your Blog


WordPress plugin by: Johanee
Price: Free

Reviewed by:
Rating: 5
On October 31, 2012
Last modified: April 29, 2013

Summary:

Did you know that WordPress allows an unlimited number of failed login attempts? The Limit Login Attempts plugin stops brute force attacks against your login page. It's free and an essential plugin for any WordPress installation.

Why do you need the Limit Login Attempts plugin?

WordPress is a secure platform, but the case that follows is my pet peeve. I don't understand why the WordPress community doesn't fix this in new updates and give core a way to stop brute force attacks against the login page.

Brute force attacks are bots trying to guess the "admin" user name plus your password, every day and, if you have a lot of traffic, every hour or more often.

Did you know that WordPress, by default, allows an unlimited number of failed attempts to log into your blog? Those bad guys work 24/7, trying to log in to your site.

Default WordPress installations suggest "admin" as the user name, and this is weak, very weak: an attacker who knows the user name already has half of the credentials and only has to guess the password.

Login Admin No

Are you still using "admin" as your user name? If the answer is yes, do yourself a favor NOW: replace it with something harder to guess (create a new administrator user from the dashboard, log in as that user and delete the old "admin" account, attributing its posts to the new one, or rename it directly in the database). When you finish, come back to this article!

I'll show you later, visually, what happens if you're still using admin and why it's a crazy thing!

By the way, I assume you have a strong password, right? If not, as with the user name, change it immediately for a long combination of letters, numbers and special characters.

Normally, for example in webmail, after a few wrong username + password combinations you first get a CAPTCHA and, if you keep insisting, you're blocked. WordPress does none of this by default.

So, to add a layer of protection and make it almost impossible for anyone to brute force their way into your WP site, Limit Login Attempts comes into the game.

Limit Login Attempts is a free plugin that limits the number of login attempts, both through the normal login form and through auth cookies.

It limits the number of retries when logging in (per IP address) and blocks that IP once the specified limit is reached.
If you want, it can also notify you by email when a particular attacker exceeds the allowed retries and gets locked out of the login page.

Limit Login Attempts WordPress Plugin Settings

By default, it comes with these settings:

Limit Login Attempts Settings

  • Allowed retries: 4
  • Minutes lockout: 20
  • 4 lockouts increase the lockout time to 24 hours
  • Hours until retries are reset: 12

My recommendation depends on how many administrators your blog has.

  • If you're the only administrator of your site, set the lowest number of attempts you can live with; every extra attempt is one more chance for the crackers.
  • If your site is a multi-author blog, the situation is different: consider how well the other users remember their usernames and passwords, and set the number of allowed attempts accordingly.

You can set, for example, 3 attempts and, after those fail, block that IP for 1 hour.
There is an extra setting that escalates the block to 24 hours (or any number of hours you choose) once the same IP has been locked out a given number of times.

If you're the only person authorized to log in and you see someone trying to get into your site, why not lock them out for a week? ;-)

Perhaps those bots will "forget" your site and never return; those nasty scanners aren't stupid and may move on to weaker sites without any extra defenses.

Nevertheless, my own experience indicates that even with all these measures, sometimes you'll be alerted that the same IP is coming back, again, to crack and later hack your site.

Definitely block that IP permanently with your host, or by another method such as a deny rule for wp-login.php, and say "hasta la vista, baby!" You can't access my site anymore!
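The lockout policy described in the settings above, plus the permanent block for repeat offenders, as one runnable model. This is an added example written for this review, not the plugin's own code: it keeps a per-IP failure counter, issues a lockout every allowed_retries failures, escalates to the long lockout on every allowed_lockouts-th lockout, forgets the counter after a quiet period (12 hours here, an assumption borrowed from the plugin's default), and renders an Apache "Deny from" block for the IPs that earned the long lockout. The policy values are the single-admin setup recommended above (3 attempts, 1 hour, a week after the second lockout); the IP addresses and login events are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Lockout policy. Values mirror the single-admin setup recommended in the
    review; retry_reset_seconds (12 h) is an assumption taken from the plugin default."""
    allowed_retries: int = 3
    lockout_seconds: int = 60 * 60
    allowed_lockouts: int = 2
    long_lockout_seconds: int = 7 * 24 * 60 * 60
    retry_reset_seconds: int = 12 * 60 * 60


@dataclass
class IpState:
    retries: int = 0            # cumulative failures inside the reset window
    lockouts: int = 0           # lockouts issued so far
    lockout_until: float = 0.0  # epoch seconds; 0 means not locked
    retries_valid_until: float = 0.0


@dataclass
class LoginLimiter:
    policy: Policy
    state: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # stand-in for lockout e-mails

    def is_locked(self, ip: str, now: float) -> bool:
        s = self.state.get(ip)
        return s is not None and now < s.lockout_until

    def attempt(self, ip: str, now: float, success: bool) -> str:
        """Process one login attempt; returns 'locked', 'ok', 'failed' or 'lockout'."""
        ip = str(ipaddress.ip_address(ip))   # normalise; rejects garbage such as a forged header
        if self.is_locked(ip, now):
            return "locked"                   # refused before the password is even checked
        s = self.state.setdefault(ip, IpState())
        if success:
            s.retries = 0                     # a good login clears the counter
            return "ok"
        if now > s.retries_valid_until:
            s.retries = 0                     # quiet long enough: count afresh
        s.retries += 1
        s.retries_valid_until = now + self.policy.retry_reset_seconds
        if s.retries % self.policy.allowed_retries != 0:
            return "failed"                   # still under the limit
        s.lockouts += 1
        if s.lockouts % self.policy.allowed_lockouts == 0:
            duration = self.policy.long_lockout_seconds   # repeat offender: long block
        else:
            duration = self.policy.lockout_seconds
        s.lockout_until = now + duration
        self.notifications.append((ip, now, duration, s.lockouts))
        return "lockout"

    def repeat_offenders(self) -> list:
        """IPs that earned the long lockout: candidates for a permanent block at the host."""
        return sorted(ip for ip, s in self.state.items()
                      if s.lockouts >= self.policy.allowed_lockouts)


def htaccess_deny(ips) -> str:
    """Render an Apache 2.2-style deny block for wp-login.php (one form of 'block it with your host')."""
    lines = ["<Files wp-login.php>", "    Order Allow,Deny", "    Allow from all"]
    lines += [f"    Deny from {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    lines.append("</Files>")
    return "\n".join(lines)


# Constructed sample events: (seconds since start, source IP, password correct?).
# 203.0.113.45 is a bot hammering the login; 198.51.100.7 is the owner mistyping once.
SAMPLE_EVENTS = [
    (0, "203.0.113.45", False),
    (5, "203.0.113.45", False),
    (10, "203.0.113.45", False),     # third failure -> 1 hour lockout
    (15, "203.0.113.45", False),     # refused without checking the password
    (30, "198.51.100.7", False),     # owner typo
    (40, "198.51.100.7", True),      # owner logs in; counter cleared
    (3700, "203.0.113.45", False),   # bot is back once the hour is over
    (3705, "203.0.113.45", False),
    (3710, "203.0.113.45", False),   # second lockout -> a week
    (90000, "203.0.113.45", False),  # a day later: still locked
]


def run(events=SAMPLE_EVENTS, policy=Policy()):
    """Replay the events through the limiter; returns (limiter, list of (t, ip, outcome))."""
    limiter = LoginLimiter(policy)
    outcomes = [(t, ip, limiter.attempt(ip, t, ok)) for t, ip, ok in events]
    return limiter, outcomes


if __name__ == "__main__":
    limiter, outcomes = run()
    for t, ip, result in outcomes:
        print(f"t={t:>6}s {ip:<14} {result}")
    print(htaccess_deny(limiter.repeat_offenders()))
```

Note that the owner's single typo never comes near a lockout, while the bot's fourth request is refused before any password check, which is the point of the plugin: the cost of each guess drops to nothing for the server and the attacker's throughput collapses. The rendered deny block only covers wp-login.php; XML-RPC also accepts credentials and needs its own protection if you leave it enabled.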

Admin and lockouts with Limit Login Attempts plugin

If you're afraid of locking yourself out, you can log in to your hosting account (FTP or file manager), delete the plugin or rename its folder under wp-content/plugins, and you'll have access to your site again.

I'd prefer that the Limit Login Attempts plugin didn't show how many attempts are left; that way nobody would know whether you're using this plugin or another one, but this is not the case, and the "attempts remaining" message tells an attacker exactly where the threshold is.
However, this is a minor drawback, and your WP security will be better after installing it.

I can assure you that you'll be shocked to see how many failed attempts and lockouts your site gets from these brute force attacks.

Have you already installed the Limit Login Attempts plugin?
What is your experience with those attacks?


6 Responses to Limit Login Attempts Review: Stop Brute Force Attacks to your Blog

  1. Hi Gera, It’s been a while since I commented on your excellent and informative posts. I have started working on moving my blog to WordPress and this particular post is very helpful. I remember when you made your move to WordPress and it was a long and stressful process for you. I’m hoping all your posts and information will help me along.

    Thanks for all the time you put into sharing your informative posts.

    Hope you’ve been well,
    Joanne

    • Hi Joanne,

      Thanks a bunch for your visit and comment!

      I hope you have the best of luck in the migration to WP and that everything goes smoothly.
      When you install WP, change "admin" to a more complicated username, and do the same with your password.
      Remember, after your WP is finally set up, to install vital security & spam plugins:

      GASP, which avoids automatic spam
      Limit Login Attempts
      Block Bad Queries (BBQ), which avoids bad requests; install it and done, nothing to touch
      MaxBlogPress Ping Optimizer, which avoids pinging every time you edit a post
      AntiVirus
      WordPress Firewall 2 or OSE Firewall

      If you need assistance in the process or with some plugin/theme, just let me know.

      Have a great week :)

      Gera
