Why you should limit login attempts


Some idiot at hit all my websites over the last few days trying to login to my blogs. He fired off hundreds of automated requests probing and searching and testing my admin login. Each request had a different password. I use difficult to guess passwords but seeing the attempts was disconcerting.

I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:


I’m glad I did install it, it caught the same guy when he hit this blog a few hours later! You should probably install it too.

PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server)

if ( ( isset( $HTTP_RAW_POST_DATA ) || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
    mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $HTTP_RAW_POST_DATA" );

62 thoughts on “Why you should limit login attempts

  1. I’d agree, Limit Login Attempts is on my “standard” list of plugins to install.

    If possible, I’ll further protect the login and admin areas with HTTP authentication to stop this kind of hammering attack before it even gets to WordPress.

  2. Some dude had a go at one of my sites the other day as well. I killed him with htaccess. This looks cool though, I will look at installing it.

  3. So doesn’t this mean that you’re emailing yourself your username and password every time you log in? That seems like a security risk that’s much more likely to be exploited than someone guessing your password at random.

  4. I just block everything from the Ukraine as well as a few other countries. It’s a drastic measure but none of my websites are aimed at those countries anyway.

    It’s been unbelievable how much it has reduced all the various crack attempts. Naturally such a measure won’t suit everyone though.

    1. You block entire countries from accessing your website because you have some problems with crackers and spammers?

      Nothing on my website is “aimed at those countries” either, but I would never dream of such drastic and completely unnecessary measures. You seriously need to re-evaluate your approach there Robert.

    1. Stupid question alert:

      How can I do this:

      IÒ€ℒve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.


  5. Another idea is to edit your wordpress database and change the admin username from “admin” to something else. I have done that for my school district’s web site as well as local school sites. So, even if someone happens to know the password, they’ll toss and turn to figure out the username. Then, limit login will hammer it down! πŸ™‚

  6. Thanks for the tip. I went and installed a similar plugin (Login Lockdown) after reading this. I’ve also done what Patrick suggested, and deleted the “admin” user after setting up another admin account with a different name.

  7. Thanks for the heads up and for sharing this useful information!

    Btw, I’ve been using a WP plugin called Login Lockdown that can limit a number of unsuccessful login attempts (brute force attacks), I guess it works just like or has the same concept as the Limit Login Attempts plugin that you’re using.

  8. Hi

    Could you go into some more detail regarding the logging of the failed login attempts. I would be interested in knowing if this is happening to me also.


    1. Will – just put that code into a file and make sure it’s included. WordPress has a “myhacks” function you could use. (Google it, I don’t have a url at hand)

  9. where does this plugin store the failed logins? mysql?

    i wrote something a while back that limits logins much like this but using eaccelerator.

  10. Wow, great plugin. fast instal and simple to use. I could write to my media blog of this plugin. Sorry, poor English. πŸ™‚

    1. Login Lockdown is in my list of standard plugins to use on every WP install. Very similar functionality to Limit Login Attempts from the looks of things.

  11. Yup, hardening WP/WPMU installs always include changing admin username to something else, plus adding the “login error cleanup” plugin and the “login lockdown” plugin and the htaccess thingy πŸ™‚

  12. Unfortunately I did not have all of the Ukraine firewalled like I mentioned in my earlier comment.

    I’ve just had the same IP address trying to bruteforce my blog 3006 times in the past two hours!

    He’s blocked this time around though.

  13. Just to be extra paranoid and annoy the bots, I added a http auth login around wp-login.php on my other VPS. This one uses fastcgi which doesn’t support it unfortunately. (Yes, I could do it in a few .htaccess rules but I don’t have the time to dig into that right now!)

  14. Never knew this was not in the core of WordPress. This is a basic feature of authentication system to block access after 3 wrong attempts.


  15. It is incredible: today, my blog Journal de Cuba (in french) had been victim of the same attack and by the same IP !!! This idiot from Namibia did 593 unsuccessful attemps to login. This morning I install the plugin, thank you Donncha for the tips.

  16. IP Tried to log in as admin (1 lockout)

    Same IP at my site. Good i’ve installed Limit Login Attempts when i’ve saw this post.

    Thank you Donncha

  17. Add this line to your theme’s functions.php file to hide login error messages:

    add_filter(‘login_errors’,create_function(‘$a’, “return null;”));

    That way they can’t tell if they got the username or password (or both) wrong.

  18. I had the same issue from hitting me 3,500 times. CPanel also shows this, and allows you to block ips or ip ranges.

  19. Hi Donncha, I have been using this plugin since you recommended it, and worked fine. Recently, I have been hit by some hacker trying to login simultaneously from multiple IP addresses. This plugin is not so effective in this scenario as each day/time the same clown tries from different addresses, un-stoppable!
    Do you ( or anyone else) know of a solution to RESTRICT LOGIN to an IP or IP range, written into .htaccess or something?
    I also use your WP Super Cache and Domain Mapping, so it needs be compatible with these too.

  20. After further searching, I found a simple solution and would like to share:


    specifically the section titled
    “How To protect Your wp-admin File: Very Secure Method.”

    It seems to work fine. I can login to my sites from home IP, no worries, and logging in through an online proxy (other IP) results in a 404 not found. Lovely!

    What you reckon Donncha, is this method cool?

  21. Nope, it didn’t work. I am still getting hit from various IPs simultaneously. The .htaccess limits entry to directory wp-admin, but they still access wp-login.php. Is /wp-admin still secure from other IP access even though wp-login.php is being hit? or is there a way to limit access to wp-login.php to only my home IP?
    Am I safe???

    1. Just make sure you have a strong password and you’ll be fine. You can use similar .htaccess rules to block access to your wp-login.php too.

  22. Thanks Donncha. I did it, and get 404 page when accessing thru proxy – other IP, so it should work!
    For those wishing to do the same, here it is:
    (replace with your IP)

    Restrict access to wp-admin by IP:
    Make a .htaccess file in directory /wp-admin, and include:

    order deny,allow
    allow from
    deny from all

    Restrict access to wp-login.php by IP:
    Add this to .htaccess file in root directory /public_html:

    Order deny,allow
    Deny from All
    Allow from

    1. I made mistake, and can’t edit comment.

      Restrict access to wp-login.php by IP:
      Add this to .htaccess file in root directory /public_html:

      Order deny,allow
      Deny from All
      Allow from

  23. sorry mate, delete the last few comments, everytime I put the code and submit comment, the code changes. email me and I can send the proper code for you to post. funny thing the comment box changes the code completely!

Leave a Reply

%d bloggers like this:

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.