How to limit login attempts to prevent login attacks in WordPress

Blog, Features, Shield Pro

Security of any WordPress site involves a huge array of factors. But one of the most critical of these is protection of user accounts and particularly those of administrators.

Adding multiple layers of protection for your user accounts is crucial to account integrity. It helps ensure that anyone or anything who shouldn’t be inside your site, never gets in.

In this article we will show you how easy it is to protect your WordPress login in 3 different ways, from those that would try to brute force their way through.

What is “limit login attempts”?

Limit login attempts is where you put a maximum on the possible number of attempts that a bot, or other bad actor, is able to make to log into your site.

The more times a bot can attempt a login, the greater chance they have to correctly guess a password.

With enough tries, a bad actor could eventually guess a password correctly and gain access, especially if password policies aren’t enforced.

Here are the easy ways to limit login attempts on WordPress

The Shield Security Pro plugin comes with numerous ways to limit login attempts, and they fall under the following 3 approaches:

  1. limit the total possible login attempts that a site will process.
  2. detect automated bots and reject their login requests.
  3. detect multiple failed login attempts from 1 location (IP) and block further access.

Each of these approaches have advantages and disadvantages, but combined, they present the most powerful set of tools available to limit login attempts to your site.

We’ll take each in detail, show you how it works, and how to enable it.

#1 Limit Maximum Login Attempts On A Site

If you can place a hard, upper limit on the total maximum number of attempts to guess a password, then you dash all hopes of ever guessing any passwords.

Imagine your website can process 20 login requests per second. That equates to ~52 million requests in a month – that’s a lot.

What if you could set it so that WordPress wont even try to authenticate a login, if one was already tried in, for example, the last 10 seconds?

We call this a ‘cooldown’ system, where absolutely no logins will be processed during the 10s cooldown period.

So instead of 200 tries in 10 seconds, you permit only one. That changes the maximum possible requests to: ~260K in a month. Still large, but significantly less than before: 0.5% when compared to without a cooldown.

And you can increase the size of the cooldown to more than 10 seconds, and this limits the maximum possible tries even further.

The stunning beauty of this approach is that there’s no special code, or bot prevention javascript needed. It’s all transparent to your users.

How To Set A Login Cooldown Using Shield Security Pro
Enabling the login cooldown option, Shield Security Pro
Enabling the login cooldown option to limit login attempts in WordPress
What the visitor sees during a cooldown

#2 Detect Bot Requests and Reject Them Immediately

With a cooldown in-place, you’re already protecting against bot requests, but we can go even further.

Using the characteristics of bots, we can add a few elements to the login form that helps us identify bot requests as they come through.

This will nearly always cause a little bit of friction for the legitimate visitor, but our goal is to strike a balance between increasing security and detracting from the user experience.

Thankfully Shield has 3 ways to achieve this smoothly:

  1. login honeypot – where we add a hidden field, unseen by the normal visitor which, if filled-in by the bot, simply means they’re a bot
  2. the “I’m a human” checkbox
  3. Google reCAPTCHA

Option 1 is completely transparent to your users, so it has no cost in user experience. It is, however, common practice and most bots can work around it. But we keep it in there to be complete as there’s zero impact to the user experience.

Option 2 is has been part of Shield since the beginning, and is tried and true. It’s a hugely effective way of detecting bots and only asks legitimate visitors to check a single checkbox.

Option 3, Google reCAPTCHA, is also highly effective, and while it can add a tax to the user experience, most visitors are familiar with it and so it doesn’t often cause much frustration.

How To Turn On “I’m a human” checkbox in the login form using Shield
How to turn on the bot protection checkbox for WordPress Login

How To Turn On Google reCAPTCHA in the login form using Shield

There are 2 steps to enabling Google reCAPTCHA in the login form. First you’ll need to register for Google reCAPTCHA keys for your site, and supply these to Shield. After that, you turn on reCAPTCHA for the login form.

Google reCAPTCHA Keys settings inside Shield
Turning on Google reCAPTCHA on the WordPress login form using Shield

#3 Block IP Addresses After Detecting Multiple Failed Login Attempts

The previous 2 approaches deal with independent requests. They make no consideration for whether repeated login attempts came from the same place.

Since we’re now looking at the IP address of the failed login attempts, and if we spot more happening than we’d like, we block the IP address so they can’t try again.

Shield Security Pro uses the term “offence” to refer to “bad” actions taken by a visitor. Each time a visitor does something we don’t like, we increase their offence counter.

When that counter exceeds our limit, the IP address is blocked by Shield.

In this simple way, we can limit not only login attempts, but access to the site altogether.

How To Ensure Login Attempts With IP Address Blocking

It worth noting that with Shield you can handle the different types of failed logins however you want to.

If you think about it, there’s a difference between a failed login attempt when it uses a valid username, compared to if a non-existent username was used.

With Shield, you can decide exactly how to handle each situation. You can increment the offence counter, you could log it in the audit trail, or you could even block the IP immediately.

We leave this decision up to you because you know your sites best.

How will you know if it’s working?

You may have noticed that Shield doesn’t send you emails all the time. Does this mean it’s not doing anything?

Not at all.

You see, an email represents a huge tax on your time. Each time you receive one, you need to:

  • see it
  • open it
  • read it
  • process it
  • care about it
  • do something about it

Do you really have time for that? Wouldn’t you prefer your security services to just … handle it and leave you alone?

Of course you would. We certainly do, and that’s why we built Shield Security the way we have. We want Shield to be intelligent and automate as much of the hard work as possible, without bothering us about any of it, unless it’s absolutely necessary.

And the same applies here. When Shield blocks a nefarious login attempt, it logs it, and it wont bother you with it. The purpose is to protect your sites after all, it doesn’t need to show off.

Soon, with Shield 7.5, we’re going to amp-up our logging and statistics, so you’ll be able to see everything that goes on under-the-hood, and get the numbers on it too.

Conclusion and Summary

We’ve presented the powerful ways Shield lets you limit login attempts to WordPress. They each have their advantages over the others, but when combined together, they present the strongest login protection available.

All of these settings can even be applied to WordPress user registration and forgotten password requests.

There’s absolutely no reason to leave your WordPress login and registration pages open to attack and abuse.

Leave a Reply

Your email address will not be published. Required fields are marked *

×