Limit Login Attempts Review: Stop Brute Force Attacks to your Blog

Update: this plugin hasn’t been updated in several years, therefore I recommend using more advanced & updated free plugins like:



Why do you need the Limit Login Attempts plugin?

WordPress is a secure platform, but the case that follows, is my pet peeve though. I don’t understand why the WordPress community doesn’t fix in new updates, the possibility to avoid brute force attacks in your login page.

Brute force attacks are robots trying to guess your “admin” user name plus your password, everyday and I can say every hour or less, if you’ve tons of traffic.

Do you know that WordPress allows an unlimited number of failed attempts to log into your blog? Yes, those bad guys are working 24/7, attempting to login to your site.

All the WordPress default installations put, by default “admin”, and this is weak, very weak.


Login Admin No


Are you still using “admin” as your default user name? If the answer is yes, please do a favor, NOW: change your admin for something stronger and complicated (you can do it as a new user on the dashboard or via the database) When you finish, return to this article!

I’ll show you later and visually, what happens if you’re still using admin and why it’s a crazy thing!

By the way, I assume you’ve a strong password, right? If not, and as before, change it immediately for some combo of letters, numbers and special characters.

Normally, for instance, in email clients if you put few wrong combinations of username + password appears, first a CAPTCHA and if you still insist you’ll be blocked, but not in WordPress by default.

Well, to have a better layer of protection, and to be almost impossible for anyone to login to your WP site, is where Limit Login Attempts plugin comes to the game.

Limit Login Attempts is a free plugin, which limits the number of login attempts through normal login as well as using auth cookies.

It’ll limit the number of retry attempts when logging in (for each IP), and block it after certain specified limit on retries reached.
Also if you want, it can inform you by email, when a specific cracker surpassed the maximum allow of retries or the lockout time on login page.


Limit Login Attempts WordPress Plugin Settings

By default, it comes with:


Limit Login Attempts Settings


My recommendation depends on how many administrators have your blog.

  • If you’re the unique administrator of your site set it to the less possible attempts, because all the rest are more chances for the crackers.
  • If your site is a multi-author blog, the situation is different, and you need to consider the rest of your users on how they remember their usernames and passwords. Having this point clear, set up how many attempts you’ll allow on settings, according to your specific case.

You can set e.g. 3 attempts and after those fails, block that particular IP for 1 hour.
There is an extra component on settings, which allows you to an extra block for 24 or XX hours (the quantity you want).

If you’re the only authorized to enter and you see someone trying to enter to your site, why to not kicking it for a week 😉

Perhaps those bots could “forget” your site and never return, because those nasty scanners aren’t stupid and might go to weaker sites, without any additional defenses.

Nevertheless, my own experience indicates even with all these measures, sometimes you’ll be alerted that the same IP is coming again – to crack and later hack your site.

Definitely, block permanently this IP with your host or by another method, and say “hasta la vista” baby! You can’t access to my site anymore!


Admin and lockouts with Limit Login Attempts plugin


In the event that you’ve fear of blocking yourself, you can enter via your host and delete the plugin or change its folder, then you’ll have access again to your site.

I’d like the Limit Login Attempts plugin doesn’t show how many attempts are left, in that way, nobody knows if you’re using this plugin or another, but this is not the case.
However, this is a minimal drawback and your WP security will be better after installing it.

I can assure you that you’ll be shocked observing how many failed attempts, and lockouts can have your site with those brute force attacks.

Have you already installed Limit Login Attempts plugin?
How is it your experience with those attacks?

About the Author Gera

As a WordPress fan, Gera provides detailed reviews, tutorials & guides about plugins, themes & hostings. He enjoys experimenting with them and the results are published on this blog.

follow me on:
Aleka Stone says

This was a good article on wordpress attacks. I’m going to show my friends.Thanks for this post. I have a hard time finding good content related to this subject when searching most of the time.

    Gera says

    Aleka you’re welcome.

      Lexie Lane says

      This is a great review Gera! Great way to let the readers
      actually understand what they need to know about the plugin. I would absolutely be livid is someone got into my account! Hackers ARE everywhere! Great heads up post!

        Gera says

        My pleasure Lexie! Yes this plugin can be vital nowadays with all those attacks to WordPress sites.

        Thanks for your feedback!

Joanne/Winelady Cooks says

Hi Gera, It’s been a while since I commented on your excellent and informative posts. I have started working on moving my blog to WordPress and this particular post is very helpful. I remember when you made your move to WordPress and it was a long and stressful process for you. I’m hoping all your posts and information will help me along.

Thanks for all the time you put into sharing your informative posts.

Hope you’ve been well,

    Gera says

    Hi Joanne,

    Thanks a bunch for your visit and comment!

    Hope the best of the luck in the migration to WP and that everything goes normal.
    When you install WP, change the “admin” for some username more complicated, the same with your password.
    Remember after your WP is finally set up, to install vital security & spam plugins:

    GASP avoid automatic spam
    Limit Login Attempts
    Block Bad Queries BBQ, avoid bad requests install it and done, nothing to touch.
    MaxBlogPress Ping Optimizer, avoid to ping every time you edit a post
    Wordpress Firewall 2 or OSE Firewall

    If you need assistance in the process or with some plugin/theme, just let me know.

    Have a great week 🙂


JustDave says

One thing I would add is ‘SQL’ don’t leave tables default with wp_ – change it to a mix of letters and numbers. examples T49q – Xc48.

You will need to protect your .htaccess and wp-config. Addthis to your .htaccess

# Protect .htaccess

Order Allow,Deny
Deny from all

# Protect wp-config

Order Allow,Deny
Deny from all

#End Protect file

Go in to your control panel, file manager and chmod these two files to 444, removing owner write.

    Gera says

    Thanks David for your tips and they are true, helping to secure more the WP site.

JustDave says

oops comments has added paragraphs to the .htaccess script, close the gaps up 🙂

Comments are closed