By default, WordPress places no limit on how many times someone can attempt to log in to your site. A visitor — or a bot — can try thousands of username and password combinations without being blocked. That is exactly what brute force attacks rely on: automated tools cycling through credentials until something works.
Most WordPress sites get targeted by these attacks regularly, even small ones with no obvious value to an attacker. The goal is often to gain access and use the server for spam, redirect traffic, or install malware. Limiting login attempts is one of the simplest and most effective things you can add to a new WordPress site.
This guide walks through how to set it up, what settings matter, and how it fits alongside the rest of your security setup.
Quick Answer
Install a plugin like Limit Login Attempts Reloaded, configure the lockout thresholds (typically 3–5 attempts before a temporary lockout), and enable email notifications. The plugin then blocks an IP address after too many failed attempts, making automated brute force attacks impractical.
Why This Matters
WordPress is the most widely used CMS on the web, which makes it the most targeted. Automated bots constantly probe WordPress login pages using lists of common usernames and passwords — admin, password123, and similar combinations appear in millions of attempted logins every day.
Without a login attempt limit, a determined bot can run tens of thousands of attempts against your site with no consequence until it guesses correctly. A lockout plugin removes that option. After a small number of failed attempts, the IP address is blocked for a set period, making the attack far too slow to succeed.
It also has a secondary benefit: it reduces unnecessary server load from repeated login requests hitting your database.
How to Install and Configure Login Attempt Limiting
The most widely used plugin for this is Limit Login Attempts Reloaded. It is free, actively maintained, and available directly from the WordPress plugin directory.
Step 1: Install the Plugin
Go to Plugins → Add New in your WordPress dashboard. Search for Limit Login Attempts Reloaded. Install and activate it.
Step 2: Open the Plugin Settings
After activation, go to Settings → Limit Login Attempts. The main configuration screen shows all the options you need. You do not need to connect a cloud account or configure anything advanced to get basic protection working.
Step 3: Configure Lockout Settings
The key settings are:
- Allowed retries: The number of failed attempts before a lockout. I usually set this to 3 or 4. Going lower can occasionally catch a legitimate user who mistypes their password, but 3 is the standard recommendation.
- Lockout period: How long the IP is blocked after hitting the retry limit. 20 minutes is the default and works well for most sites.
- Lockouts until long lockout: After a set number of short lockouts from the same IP, the lockout period increases significantly. The default is 4 lockouts triggering a 24-hour ban, which is appropriate.
- Long lockout period: How long that extended ban lasts. 24 hours is standard.
Leave the trusted IP origin setting on its default unless your site sits behind a proxy or load balancer. Changing it incorrectly can cause all users to share the same apparent IP, which would lock out legitimate visitors.
Step 4: Enable Email Notifications
Enable Notify on lockout and set it to email you after a certain number of lockouts — 3 or 5 is reasonable. This gives you visibility into whether your site is being actively targeted without flooding your inbox on every individual attempt.
Step 5: Save Settings
Click Save Settings. The plugin is now active and monitoring all login attempts, including the standard WordPress login page, WooCommerce login forms, and the XML-RPC endpoint.
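To make the tiered lockout from Steps 3 and 4 concrete, here is an added example of the same mechanism written as a minimal must-use plugin against the hooks the WordPress login flow already fires. It is not the code of Limit Login Attempts Reloaded and not from this guide's author; the llx_ prefix, the transient-based storage, the 20-minute counting window for failed attempts and the LLX_TRUSTED_PROXIES list are assumptions made for the illustration. The same proxy check also shows why the trusted IP origin setting matters: X-Forwarded-For is believed only when the direct peer is a known proxy, so a forged header cannot pick the address that gets locked, and a real proxy does not collapse every visitor onto one IP.

```php
<?php
/*
Plugin Name: Login lockout sketch (added example, not the plugin's own code)
Description: Per-IP lockout with the thresholds discussed in the guide.
*/

const LLX_ALLOWED_RETRIES      = 3;               // failures before a lockout
const LLX_LOCKOUT_SECONDS      = 20 * 60;         // 20-minute short lockout
const LLX_LOCKOUTS_UNTIL_LONG  = 4;               // 4th lockout becomes a long one
const LLX_LONG_LOCKOUT_SECONDS = 24 * 60 * 60;    // 24-hour long lockout
const LLX_NOTIFY_AFTER         = 3;               // email the admin from the 3rd lockout on
const LLX_RETRY_WINDOW         = 20 * 60;         // assumed window in which failures accumulate
// Assumed: reverse proxies allowed to set X-Forwarded-For. Leave empty on
// ordinary shared hosting so REMOTE_ADDR is used as the client address.
const LLX_TRUSTED_PROXIES = array();

function llx_client_ip() {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( in_array( $remote, LLX_TRUSTED_PROXIES, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // A trusted proxy appends the address it saw to the end of the chain;
        // anything further left was supplied by the client and is not trusted.
        $chain     = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $chain );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }
    return $remote;
}

function llx_key( $what, $ip ) {
    return 'llx_' . $what . '_' . md5( $ip );
}

// Seconds left on the current lockout for this IP, 0 when not locked.
function llx_lock_remaining( $ip ) {
    $until = (int) get_transient( llx_key( 'lock', $ip ) );
    return max( 0, $until - time() );
}

// Priority 30 runs after the core username/password and email checks, so a
// locked IP is refused even if it finally guessed a valid password.
function llx_block_if_locked( $user, $username, $password ) {
    $remaining = llx_lock_remaining( llx_client_ip() );
    if ( $remaining > 0 ) {
        return new WP_Error(
            'llx_locked',
            sprintf( 'Too many failed logins. Try again in %d minutes.', (int) ceil( $remaining / 60 ) )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'llx_block_if_locked', 30, 3 );

function llx_record_failure( $username ) {
    $ip = llx_client_ip();
    if ( llx_lock_remaining( $ip ) > 0 ) {
        return; // attempts refused during a lockout must not recount or extend it
    }
    $fails = (int) get_transient( llx_key( 'fail', $ip ) ) + 1;
    if ( $fails < LLX_ALLOWED_RETRIES ) {
        set_transient( llx_key( 'fail', $ip ), $fails, LLX_RETRY_WINDOW );
        return;
    }
    // Retry limit reached: start a lockout and remember how many this IP has had.
    delete_transient( llx_key( 'fail', $ip ) );
    $lockouts = (int) get_transient( llx_key( 'count', $ip ) ) + 1;
    set_transient( llx_key( 'count', $ip ), $lockouts, LLX_LONG_LOCKOUT_SECONDS );
    $duration = ( $lockouts >= LLX_LOCKOUTS_UNTIL_LONG ) ? LLX_LONG_LOCKOUT_SECONDS : LLX_LOCKOUT_SECONDS;
    set_transient( llx_key( 'lock', $ip ), time() + $duration, $duration );
    if ( $lockouts >= LLX_NOTIFY_AFTER ) {
        wp_mail(
            get_option( 'admin_email' ),
            '[' . get_bloginfo( 'name' ) . '] Login lockout',
            sprintf( "IP %s locked out for %d seconds after %d lockouts (last username tried: %s).",
                $ip, $duration, $lockouts, sanitize_user( $username ) )
        );
    }
}
add_action( 'wp_login_failed', 'llx_record_failure' );

// A successful login resets the failure counter but not the lockout history.
function llx_clear_failures( $user_login, $user ) {
    delete_transient( llx_key( 'fail', llx_client_ip() ) );
}
add_action( 'wp_login', 'llx_clear_failures', 10, 2 );
```

Placed in wp-content/mu-plugins/, this refuses the fourth attempt from an IP for 20 minutes, and the fourth lockout for 24 hours; because `wp_login_failed` also fires for the refusals themselves, the early return in `llx_record_failure` is what keeps a locked-out bot from extending its own lockout. Transients are used so that an object cache or the options table holds the state and nothing needs a custom table; clearing a lockout by hand is then a matter of deleting the matching llx_ transient rather than editing plugin rows.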
Practical Tips
A few things worth knowing once the plugin is running:
Whitelist your own IP address. If you work from a fixed IP, add it to the safelist under the IP Rules tab. This prevents you from accidentally locking yourself out during testing or after forgetting your password.
Check the lockout log occasionally. The plugin keeps a log of recent lockouts. If you see repeated attempts from the same IP ranges, it can give you a rough sense of where the attacks are originating. Most sites see attempts from cloud hosting ranges and known proxy services.
XML-RPC coverage matters. The default plugin configuration also limits attempts via XML-RPC, which is a secondary WordPress endpoint that bots frequently target. You do not need to do anything extra — just make sure the option is not disabled in settings.
This works alongside other measures. Limiting login attempts is effective but not a complete solution on its own. Pairing it with a strong admin username, a custom login URL, and two-factor authentication gives you layered protection. The WordPress security guide covers the full picture.
Common Mistakes
Setting retries too low. Setting the limit to 1 or 2 attempts creates a poor experience for real users who occasionally mistype credentials. 3 to 4 attempts is the practical minimum before a lockout.
Not whitelisting your own IP. If you lock yourself out during a site migration or password reset, you will need to access the database directly to clear the lockout record. Whitelisting your IP in advance prevents this.
Assuming this replaces a security plugin. Login attempt limiting addresses one attack vector. It does not scan for malware, protect file permissions, or block other types of intrusion. Use it as part of a broader setup, not as a standalone solution.
Ignoring the trusted IP origin setting. On standard shared hosting, the default setting is correct. If you change it incorrectly and your server routes all traffic through a single proxy, the first few login failures from any user could lock everyone out.
When to Use This vs Alternatives
Limit Login Attempts Reloaded covers the core need for most WordPress sites. If you are running a high-traffic site or want centralised protection across multiple WordPress installations, a cloud-based firewall service like Cloudflare can handle brute force blocking at the network level before requests reach WordPress at all. That is a more advanced setup and is not necessary for most sites starting out.
Some all-in-one security plugins such as Wordfence also include login attempt limiting as part of a broader feature set. If you are already using one of those, check whether the setting is already active before installing a separate plugin.
Conclusion
Install the plugin, set retries to 3 or 4, enable email notifications, and whitelist your own IP. It takes five minutes and removes one of the most common attack vectors from your WordPress site immediately.

Etienne Basson works with website systems, SEO-driven site architecture, and technical implementation. He writes practical guides on building, structuring, and optimizing websites for long-term growth.