How to Limit Login Attempts in WordPress – Protect Your Website from Being Hacked


Looking for ways to limit login attempts in WordPress? Limiting login attempts helps you block hacking bots and secure your websites.

There has been a drastic increase in hacking attempts over the past few years. Thousands of websites are infected with some kind of malware each day. 75% of them are WordPress websites, which is a serious fact to consider.

The latest research reveals that 80% of businesses suffered some sort of cyberattack over the past 12 months. Ransomware is the newest trend in the category, and security experts predict that its damage costs will exceed $11 trillion this year.

Hackers always attempt to crack your WordPress system. They will make repeated login attempts until they crack your website. Limiting login attempts is the best solution to stop brute-force attacks on WordPress.

What is a Brute-Force Attack?


Nowadays, WordPress is used by millions of people from all over the world. It is used to manage business accounts and personal accounts.

The popularity of WordPress has made it one of the most targeted platforms for hackers. A brute-force attack is a cyberattack in which a hacker or specially designed bots try to log into your site by testing many username-password combinations. They can combine letters and numbers, uppercase and lowercase letters, the username’s first letters and the website name’s last letters.

In a distributed brute-force attack, the attack program can run on many machines, and each machine can try a subset of passwords.

If they succeed, your website’s back-end access will fall into the hands of criminals. To get it back, you will have to pay them a huge amount, depending on the value of your business.

Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page.

Best Plugins to Limit Login Attempts on WordPress

Today, I will list the 7 best plugins to limit login attempts on WordPress. Most are free and allow you to block brute-force attacks in simple steps.

1. Solid Security Pro


Solid Security is the #1 WordPress security plugin. It covers many features like real-time security monitoring, vulnerability scans, two-factor authentication, bad bots detection, and more.

After activation, open the Security tab from the left pane of your dashboard. Visit the Local BruteForce Protection module and configure the settings to limit login attempts in your WordPress blog.

It lets you lock out or permanently ban a user after they reach the threshold limits. Device-based login is another unique feature of Solid Security Pro. All you have to do is add the devices you use to your Trusted Devices list. When you log in later, the plugin will automatically verify your identity, facilitate login, and block login from other devices.

You can also secure login pages with two-factor authentication codes from the mobile app, email, or backup. 


2. Malcare


Malcare is the most comprehensive security suite for WordPress. It scans your website at regular intervals to detect and remove malware before your business gets infected.

Security threats need to be removed as soon as possible, as Google may blacklist your site if any infection is detected. Malcare’s advanced threat detection technology and 1-click malware removal option reduce your hours of hard work and eliminate the risk of loss.

Malcare blocks brute-force attacks with real-time firewall and Captcha protection. It will also block the user after making a certain number of failed login attempts. Uptime monitoring, vulnerability alerts, and daily backups are other features that make Malcare an essential tool for business websites.


3. Wordfence Security


Wordfence is a popular free WordPress security plugin with over 4 million downloads. It has several options to protect your website from being hacked or infected. The features include login security, spam filter, live traffic view, firewall, domain blacklist, malware scan, and so on.

After activation, visit the Wordfence menu from the left pane > Options and scroll down to locate login security options.


You will see several options to enable login protection on your website. Set the maximum number of login attempts and forgot password attempts, lockout period, etc.

Enable remaining checkboxes to enhance the security level of your logins. Ask the plugin to immediately lock out the invalid usernames and prevent hackers from detecting actual usernames on your site through scans or API modules.

Wordfence also allows you to specify usernames for which IP addresses will be blocked immediately. It is open-source software that provides detailed statistics and notifications on various security events on your website.


4. All In One WP Security & Firewall


All-in-One WP Security & Firewall is another free security plugin for WordPress. It combines several security features to protect your blog website from being hacked.

After activation, go to WP Security > User Login to enable the login lockdown feature.


Enable the feature and enter a value for max login attempts. If anyone exceeds the limit with failed login attempts, the same IP address will be locked out from further retries.

Set your lockout time length so the blocked IP address will be prevented from logging in. The plugin allows you to block invalid and specific usernames instantly.

Login Lockdown IP Whitelist is another main section where you can enter your IP address, which will never be blocked by the login lockdown feature.

There are four more related tabs on the User Login page: Failed Login Records, Force Logout, Account Activity Logs, and Logged-In Users.

Failed Login Records show the IP address, Username, and time of each failed attempt.

Admins can force log out all users after a certain amount of time. They should log in again to continue using the dashboard or service. Sometimes, we forget to log out from the site after writing or managing content, which may result in serious security breaches. Enable the feature and set a time limit to avoid such a situation.

Account Activity logs let you monitor the activities of logged-in users. If you run a multi-author website, know who’s online from the Logged-In Users tab.


5. Limit Login Attempts Reloaded


Limit Login Attempts Reloaded is a good option to strengthen your WordPress login security.

Downloaded more than 2 million times, it lets you limit login attempts per IP and automatically blocks the user for exceeding the limit. Lockout time can be set according to your preference, and users can be notified through the login page if required.

This plugin keeps a history of blocked login attempts on the dashboard and notifies you via email. Adding IP addresses to a safe or block list is also possible. Limit Login Attempts Reloaded is compatible with WooCommerce, multi-site, and other leading security plugins.


6. Loginizer


Loginizer is a simple plugin that fights against brute-force hacking in WordPress. Its features include limiting login attempts, IP blacklisting, IP whitelisting, etc.

After activation, a new top-level menu will be added to your dashboard: Loginizer Security. Open the settings and set your limits for maximum login retries, lockout period, and others. It will inform you about the failed login attempts through the plugin tab and by email.


7. Login LockDown


Login Lockdown is a free WordPress security plugin to limit login attempts and prevent brute-force attacks on WordPress. It will record all failed login attempts on your site, and when the number exceeds the limit, the system’s login function will be disabled.

After activation, open the plugin menu from Settings > Login Lockdown.


Set your maximum login retries, retry period, and lockout length. Admin is a common username for WordPress websites. Hackers can easily guess such names. Replace the default ‘Admin’ username with your own for better security. The Login Lockdown plugin also allows you to instantly block invalid usernames from logging in.

Visit the Activity log on the top to view locked-out IP addresses.
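
The settings these plugins expose (maximum login retries, retry period, lockout length) amount to a sliding-window failure counter. The following is an added example, not code from any plugin listed here; the class and function names are hypothetical, and the per-username counter is an addition that shows why a per-IP limit alone misses the distributed attack described earlier.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Counts failures per key using the three settings named above."""

    def __init__(self, max_retries=3, retry_period=300, lockout_length=900):
        self.max_retries = max_retries
        self.retry_period = retry_period      # seconds over which failures count
        self.lockout_length = lockout_length  # seconds a key stays blocked
        self.failures = defaultdict(deque)    # key -> recent failure times
        self.locked_until = {}                # key -> time the lockout ends

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def record_failure(self, key, now):
        """Record one failed login; return True if it triggers a lockout."""
        window = self.failures[key]
        window.append(now)
        # Expire failures that fell outside the retry period.
        while window and window[0] <= now - self.retry_period:
            window.popleft()
        if len(window) >= self.max_retries:
            self.locked_until[key] = now + self.lockout_length
            window.clear()
            return True
        return False

def replay(events, **settings):
    """Replay (time, ip, username) failures; return every key that got locked."""
    by_ip, by_user = LoginLimiter(**settings), LoginLimiter(**settings)
    locked = set()
    for now, ip, user in events:
        if by_ip.is_locked(ip, now) or by_user.is_locked(user, now):
            continue  # rejected before the password is even checked
        if by_ip.record_failure(ip, now):
            locked.add(("ip", ip))
        if by_user.record_failure(user, now):
            locked.add(("user", user))
    return locked

# Constructed sample data (documentation address ranges, not real traffic).
SINGLE_SOURCE = [(t, "203.0.113.7", f"user{t}") for t in range(0, 50, 10)]
DISTRIBUTED = [(t, f"198.51.100.{t}", "admin") for t in range(1, 7)]

if __name__ == "__main__":
    print(replay(SINGLE_SOURCE))
    print(replay(DISTRIBUTED))
```

With the defaults, `replay(SINGLE_SOURCE)` locks the one address, while `replay(DISTRIBUTED)` never trips a per-IP limit and is stopped only by the username counter. A username lockout also blocks the legitimate owner while it is active, so keep its lockout length short.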



4 thoughts on “How to Limit Login Attempts in WordPress – Protect Your Website from Being Hacked”

  1. Great article, Manoj! I would also recommend taking a look at WPScans.com, a free online tool to find WordPress vulnerabilities.

    1. Hi Jonas,

      What a coincidence! I recently went through your website and was impressed with its service. One of my upcoming posts is on malware scan and will feature your amazing tool there.

      Cheers!
      Have a wonderful week ahead.

  2. Girl from Ceylon

    This is a really useful, descriptive article. As I am also using WordPress, this is really helpful. I will implement them in my blog as well. Thank you for sharing.

  3. I am in trouble because the limit login attempts plugins are reading all of the IP addresses the same, and it is the one of my server, not the IP addresses of the user or the attackers. Any advice?
