Blocking users who enter a wrong username and password several times in a row can be a key step toward stopping brute-force attacks and protecting your WordPress site. Limit Login Attempts helps you do that by automatically bouncing users who do this.
What’s It Do?
Limit Login Attempts allows you to block users who enter the wrong username and password several times in a row. You can customize how many wrong combinations are allowed before a user is bounced, and how long they will be unable to log in afterwards. By default, a user has 4 attempts before they can no longer try again for 20 minutes. If a user has 4 lockouts in a row, then they are bounced for 24 hours.
Limit Login Attempts works by tracking IP addresses. You can see the IPs of those that have been locked out, and track activity. This also ensures that users can’t attempt to “game the system” by switching to new browsers or something like that.
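The default policy described above, modelled per IP address as an added Python example (this is not the plugin's own code, which is PHP). The class names, the 12-hour retry reset window and the sample IP are assumptions; the page gives no default for the reset period.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    allowed_retries: int = 4       # page default: 4 attempts
    lockout_minutes: int = 20      # page default: 20-minute lockout
    allowed_lockouts: int = 4      # page default: 4 lockouts in a row
    long_lockout_hours: int = 24   # page default: 24-hour lockout
    reset_hours: int = 12          # assumption: page gives no default

@dataclass
class LoginLimiter:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict = field(default_factory=dict)      # ip -> (count, last failure ts)
    locked_until: dict = field(default_factory=dict)  # ip -> unix ts

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Count one failed login; return lockout seconds (0 if none)."""
        p = self.policy
        if self.is_locked(ip, now):
            return int(self.locked_until[ip] - now)   # still bounced, not counted
        count, last = self.failures.get(ip, (0, now))
        if now - last > p.reset_hours * 3600:
            count = 0                                 # old retries have expired
        count += 1
        self.failures[ip] = (count, now)
        if count % p.allowed_retries:
            return 0                                  # attempts still remaining
        if count >= p.allowed_retries * p.allowed_lockouts:
            duration = p.long_lockout_hours * 3600    # 4th lockout in a row
            self.failures[ip] = (0, now)              # escalation cycle restarts
        else:
            duration = p.lockout_minutes * 60
        self.locked_until[ip] = now + duration
        return duration

if __name__ == "__main__":
    limiter, ip, now = LoginLimiter(), "203.0.113.7", 0  # constructed sample IP
    for attempt in range(1, 17):
        locked_for = limiter.record_failure(ip, now)
        print(f"attempt {attempt:2d} at t={now:5d}s -> lockout {locked_for}s")
        now += locked_for + 1      # retry as soon as any lockout has ended
```

Because state is keyed only on the IP address, a second address starts with a clean counter while the first is still locked out.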
How’s It Work?
Once you install and activate the plugin, it will begin working with its default settings. To customize the plugin, go to Settings -> Limit Login Attempts.
In the “Options” section, you can choose the exact number of attempts a user has before they are locked out. The default is 4, but you can change the number to anything you want in the provided textbox. Any number between 4 and 10 should do just fine. The next option sets the length of the lockout in minutes, defaulting to 20 minutes, followed by how many lockouts in a row are allowed before users are bounced for an even longer period of time. Lastly, you can type in how many hours should pass before the retries are completely reset.
The next two options are for slightly advanced users, and should only be changed if you are having a problem with the plugin. They simply describe how exactly the IP address of a user logging in is tracked. The next section has some notification options. You can choose to “Log IP” or send an “Email to admin” after a certain number of attempts, if you would like to be kept in the loop.
Below this is the “Lockout Log” which has a running log of failed attempts to log in, what username was used, and IP addresses of the users that have tried.
If, at any time, you want to reset everyone’s login attempts back to zero, simply click the “Reset Counter” button at the top of the Settings window and the plugin will be reset. If you want to stop the functionality of the plugin altogether, you simply have to deactivate it.
Costs, Caveats, Etc.
Limit Login Attempts hasn’t been updated in a while, but its functionality is very basic and it still works perfectly. There is a fairly active community around the plugin on the support forums if you are having a problem.