How to limit login attempts in WordPress
Jul 15, 2025 am 12:28 AMTo limit the number of WordPress login attempts, use the plug-in or manually add the code. 1. Use plug-ins such as Limit Login Attempts Reloaded or WP Limit Login Attempts to set the maximum number of failures (such as 5 times) and lock time (such as 30 minutes), and support IP whitelisting; 2. Manually add code to the theme functions.php file to achieve similar functions, but pay attention to backup and compatibility; 3. Further enhance security by combining server-layer protection such as .htaccess, CDN rate limiting or fail2ban. These methods are simple to operate and can effectively prevent brute-force attacks.
Limiting the number of WordPress login attempts is a simple but effective security measure that can prevent brute-force attacks. By default, WordPress does not limit the number of login failures, which gives attackers unlimited trial and error opportunities. We can limit the number of attempts to log in by plug-ins or manually adding code.
Use plugins to restrict login attempts
For most users, using plugins is the most convenient way. There are many mature WordPress plugins that can implement this feature, and there are often other security options available.
- Recommended plug-ins : Limit Login Attempts Reloaded, WP Limit Login Attempts.
- These plugins can set the maximum number of login failures, such as locking the account for a period of time after 5 failures (such as 30 minutes).
- Support whitelisted IP addresses to avoid accidentally locking the administrator himself.
- After installation, you only need to enable and enter the settings page to adjust the parameters, without coding capabilities.
The advantage of this type of plug-in is that it is frequently maintained and updated, has good compatibility, and is suitable for most websites.
Manually modify code to implement restrictions
If you don't want to use the plugin, you can also implement login attempt restrictions by adding code snippets to the theme's functions.php
file.
Here is a simple example code:
function limit_login_attempts() { $limit = 5; $lockout_time = 30 * 60; // Lock time (seconds) if (!session_id()) session_start(); if (isset($_SESSION['login_attempts'])) { if ($_SESSION['login_attempts'] >= $limit) { $time_diff = time() - $_SESSION['login_attempt_time']; if ($time_diff < $lockout_time) { wp_die('Try too many times, please try again later.'); } else { $_SESSION['login_attempts'] = 0; } } } else { $_SESSION['login_attempts'] = 0; $_SESSION['login_attempt_time'] = time(); } $_SESSION['login_attempts'] ; } add_action('wp_login_failed', 'limit_login_attempts');
Notice:
- It is recommended to back up the current theme file before adding to prevent errors.
- This method requires you to have a certain understanding of PHP and WordPress hooks.
- If the theme is changed, this code will fail and needs to be added again.
Combined with server layer protection, more secure
In addition to restricting login attempts at the WordPress level, you can also add protection from the server level, such as:
- Limit the access frequency of
/wp-login.php
in.htaccess
; - Use the rate limiting features provided by Cloudflare or other CDNs;
- Use firewall tools such as fail2ban to monitor and block exception IP.
These methods can be used as a supplementary means to improve overall security.
Basically these are the methods. Whether using plug-ins or code, setting the appropriate number of attempts and locking time can effectively improve WordPress's security, and it is not complicated to operate.
The above is the detailed content of How to limit login attempts in WordPress. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undress AI Tool
Undress images for free

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

When managing WordPress projects with Git, you should only include themes, custom plugins, and configuration files in version control; set up .gitignore files to ignore upload directories, caches, and sensitive configurations; use webhooks or CI tools to achieve automatic deployment and pay attention to database processing; use two-branch policies (main/develop) for collaborative development. Doing so can avoid conflicts, ensure security, and improve collaboration and deployment efficiency.

The key to creating a Gutenberg block is to understand its basic structure and correctly connect front and back end resources. 1. Prepare the development environment: install local WordPress, Node.js and @wordpress/scripts; 2. Use PHP to register blocks and define the editing and display logic of blocks with JavaScript; 3. Build JS files through npm to make changes take effect; 4. Check whether the path and icons are correct when encountering problems or use real-time listening to build to avoid repeated manual compilation. Following these steps, a simple Gutenberg block can be implemented step by step.

Use WordPress testing environments to ensure the security and compatibility of new features, plug-ins or themes before they are officially launched, and avoid affecting real websites. The steps to build a test environment include: downloading and installing local server software (such as LocalWP, XAMPP), creating a site, setting up a database and administrator account, installing themes and plug-ins for testing; the method of copying a formal website to a test environment is to export the site through the plug-in, import the test environment and replace the domain name; when using it, you should pay attention to not using real user data, regularly cleaning useless data, backing up the test status, resetting the environment in time, and unifying the team configuration to reduce differences.

In WordPress, when adding a custom article type or modifying the fixed link structure, you need to manually refresh the rewrite rules. At this time, you can call the flush_rewrite_rules() function through the code to implement it. 1. This function can be added to the theme or plug-in activation hook to automatically refresh; 2. Execute only once when necessary, such as adding CPT, taxonomy or modifying the link structure; 3. Avoid frequent calls to avoid affecting performance; 4. In a multi-site environment, refresh each site separately as appropriate; 5. Some hosting environments may restrict the storage of rules. In addition, clicking Save to access the "Settings>Pinned Links" page can also trigger refresh, suitable for non-automated scenarios.

TosetupredirectsinWordPressusingthe.htaccessfile,locatethefileinyoursite’srootdirectoryandaddredirectrulesabovethe#BEGINWordPresssection.Forbasic301redirects,usetheformatRedirect301/old-pagehttps://example.com/new-page.Forpattern-basedredirects,enabl

UsingSMTPforWordPressemailsimprovesdeliverabilityandreliabilitycomparedtothedefaultPHPmail()function.1.SMTPauthenticateswithyouremailserver,reducingspamplacement.2.SomehostsdisablePHPmail(),makingSMTPnecessary.3.SetupiseasywithpluginslikeWPMailSMTPby

To implement responsive WordPress theme design, first, use HTML5 and mobile-first Meta tags, add viewport settings in header.php to ensure that the mobile terminal is displayed correctly, and organize the layout with HTML5 structure tags; second, use CSS media query to achieve style adaptation under different screen widths, write styles according to the mobile-first principle, and commonly used breakpoints include 480px, 768px and 1024px; third, elastically process pictures and layouts, set max-width:100% for the picture and use Flexbox or Grid layout instead of fixed width; finally, fully test through browser developer tools and real devices, optimize loading performance, and ensure response

Tointegratethird-partyAPIsintoWordPress,followthesesteps:1.SelectasuitableAPIandobtaincredentialslikeAPIkeysorOAuthtokensbyregisteringandkeepingthemsecure.2.Choosebetweenpluginsforsimplicityorcustomcodeusingfunctionslikewp_remote_get()forflexibility.
