Do you suspect that hackers are attempting to gain access to your WordPress site? You have every right to be.

Hackers are guessing login codes and breaking into WordPress pages using trial and error methods. In reality, the WordPress login page is the most frequently attacked page on a WordPress site.

If a hacker gains access to your admin dashboard, they can take complete control of your website. They can infect your web with malware, create a backdoor, deface it, advertise and sell illegal goods, steal your users’ personal details, spam your tourists, and engage in other malicious activities.

Fortunately, you can secure your login page by restricting the amount of times a user can attempt to enter the correct credentials. We’ll show you how to restrict login attempts on a WordPress site in this guide.

TL;DR (short version)

You will discourage hackers from attempting to break into your WordPress account by restricting login attempts. Using a plugin is the simplest and most effective way to add this function on your web. MalCare should be installed on your website. It has firewall and login security built in. This protects the website from brute-force attacks.

What Is WordPress Limit Login Attempts?

WordPress gives you an infinite number of login attempts by default. You can try as many username and password combinations as you want.

Hackers are aware of this and take advantage of it. They begin by compiling a database of commonly used usernames and passwords, as well as stolen or purchased data. They then programme bots to visit WordPress sites and try thousands of username and password combinations in under a minute.

Hackers are able to break into several WordPress sites this way. This is known as a Brute Force Attack because thousands of login requests are sent to your website in a matter of minutes.

Hackers have a high success rate (approximately 10%) when using this tool, thanks to the fact that WordPress users often use poor login credentials. Although ten percent will seem to be a small percentage, considering the millions of WordPress pages, they can quickly hack into thousands of them.

You can avoid hackers and their bots in their tracks by restricting the amount of login attempts.

A user will only be allowed to enter the correct login credentials a certain number of times. You may, for example, grant three attempts. The user will be locked out of their account if they do not enter the correct credentials three times.

They will be given the following options for recovering their login credentials:

  • Please get in touch with the administrator.
  • By answering a series of questions, you can reset your password using the ‘forgot password’ option.
  • Verify their identity by using an OTP or email verification.
  • To show they are not a bot, they must solve a captcha.

These barriers will appear after a bot tries to log in three times. They won’t be able to move on to the next goal and they won’t be able to go any further.

As a result, this security measure will keep your site safe from hackers and save you a lot of trouble. After that, we’ll show you how to restrict the number of login attempts on WordPress.

How To Limit Login Attempts On Your WordPress Site?

Limiting login attempts on your WordPress site can be done in two ways:

  • Using a plugin (easy)
  • Manually (hard)

We’ll start by showing you how to use a plugin because it’s easy, fast, and error-free.

Limit Login Attempts Using A Plugin

On your WordPress account, you can use a number of plugins to allow restricted logins. So, how do you choose the best one?

Look for a plugin that is simple to instal and will simplify the operation. Also, make sure your plugin generates a report on the attempted attacks it has stopped so you can see if it’s really working.

To demonstrate how to restrict login attempts on your platform, we’ve chosen the MalCare Security Plugin. It satisfies the above criteria. It also protects the website at all times, rather than only restricting login attempts.

Your website’s CAPTCHA-based login attempts will be limited with MalCare. This means that if a user enters incorrect credentials three times in a row, they will be forced to solve a CAPTCHA.

The user will try to login again after solving the CAPTCHA. They can also recover their credentials using the Forgot Password? option.

Let’s get started:

Step 1: Install MalCare on your site. Activate the plugin and go to your WordPress dashboard to use it.

Step 2: Pick Secure Site Now after entering your email address.

Step 3: MalCare will take you to its own dashboard, where it will conduct an automated search of your website.

Step 4: Your site’s login attempts are automatically restricted. You’re probably curious how I use WordPress to restrict login attempts.

You will be barred from attempting to log in again if you use incorrect credentials.
When you choose Click here, you’ll see a CAPTCHA that looks like this:
You will log back into your site after solving the CAPTCHA. You can use the Lost your password? choice if you can’t remember your credentials. That is everything there is to it. Your website’s login attempts have been successfully capped. MalCare also instals a strong firewall to prevent bad bots or malicious traffic from accessing your web. It generates a report of all attempted logins. This can be found on the dashboard: It’s possible to see both unsuccessful and successful login attempts. You can also see which ones MalCare has flagged as suspect and automatically blocked. If you don’t want to use a WordPress plugin, we’ve detailed how to enforce WordPress cap login attempts without one. However, since this approach is difficult and prone to errors, proceed with caution.

Limit Login Attempts Manually

By manually inserting a snippet of code into a WordPress file on your blog, you can add minimal login security to your site. However, any time you make a manual adjustment to a WordPress file, you run the risk of breaking your site. The tiniest mistakes can lead to major issues.

If you decide to use this tool, we strongly advise you to make a full backup of your website first. In the event that something goes wrong, you can easily restore your backup copy and restore your site to its previous state. Install theBlogVault backup plugin on your site or select from one of the best backup plugins to take a backup.

Follow the steps below once you’ve made a backup copy:

Step 1: Go to your hosting account’s cPanel and log in. Select File Manager from the drop-down menu.

Step 2: Go to the public html folder and open it (or the folder in which your website resides). Go to wp-content > Themes in your WordPress dashboard.

Step 3: Go to your active theme folder and select it. Locate the functions.php file inside. To explain, we chose this folder because our active theme’s name is Personal Blogily.

Step 4: Pick Edit from the context menu by right-clicking. You’ll be able to make adjustments to the file once it’s opened. To the file, add the following code:

function check_attempted_login( $user, $username, $password ) {

if ( get_transient( ‘attempted_login’ ) ) {

$datas = get_transient( ‘attempted_login’ );

if ( $datas[‘tried’] >= 3 ) {

$until = get_option( ‘_transient_timeout_’ . ‘attempted_login’ );

$time = time_to_go( $until );

return new WP_Error( ‘too_many_tried’, sprintf( __( ‘<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.’ ) , $time ) );



return $user;


add_filter( ‘authenticate’, ‘check_attempted_login’, 30, 3 );

function login_failed( $username ) {

if ( get_transient( ‘attempted_login’ ) ) {

$datas = get_transient( ‘attempted_login’ );


if ( $datas[‘tried’] <= 3 )

set_transient( ‘attempted_login’, $datas , 300 );

} else {

$datas = array(

‘tried’ => 1


set_transient( ‘attempted_login’, $datas , 300 );



add_action( ‘wp_login_failed’, ‘login_failed’, 10, 1 );

function time_to_go($timestamp)


// converting the mysql timestamp to php time

$periods = array(









$lengths = array(








$current_timestamp = time();

$difference = abs($current_timestamp – $timestamp);

for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) – 1; $i ++) {

$difference /= $lengths[$i];


$difference = round($difference);

if (isset($difference)) {

if ($difference != 1)

$periods[$i] .= “s”; $output = “$difference $periods[$i]”;

This code will limit the login attempts to three times.

Step 5: Save and exit the file.

Users have three attempts to enter the right login credentials after this code is inserted on your website. They will be barred from accessing their account for a limited time if they do not comply.

The only time you can use this approach is if you want to avoid using plugins on your site and instead configure the function manually. Aside from that, using a plugin to perform this job for you is much simpler and faster.

That concludes our discussion. You’ve successfully restricted the number of login attempts on your site, preventing hackers and bots from gaining access!

Should You Limit Login Attempts On Your WordPress Site?

Anything you do on your WordPress platform has an advantage and a disadvantage. So, before you go ahead and allow Limit Login Attempts on your web, let’s go over the benefits and drawbacks. This will assist you in determining whether or not this feature is appropriate for your website.

Pros of Limit Login Attempts

  • Prevent Unauthorized Access

You can prevent hackers and bad bots from brute forcing your login page and gaining access by restricting login attempts on your web.

A temporary lockout is sufficient to dissuade a bot from visiting your site.

  • Prevent Traffic Surge and Server Crash

Bots attempt thousands of combinations of usernames and passwords in a brute force attack, as previously described. The bot sends a request to your web server with each attempt.

Your web server offers tools for your website’s tasks and features, including login requests. A bot will overload your server and cause it to crash if it sends thousands of requests in a minute to your site.

Visitors may be unable to access your site for a short period of time.

  • Prevent Web Host Suspension

Your web server has a finite amount of resources from which to run your website. If you use up all of your energy, your server will become overburdened.

If you’re on a shared hosting plan, this could have an effect on other websites on the same domain.

Your site is using too much server resources as bots try hundreds of times to log in. To prevent any effect on other websites on the server, your hosting provider will temporarily suspend… the domain. They do it to safeguard their own interests as well.

Cons of Limit Login Attempts

  • Account Locked – You could be locked out of your account if you forget your username and password. To recover your password, you’ll have to go through a verification process, which may take some time.

We can only think of one disadvantage. There is no other explanation why you should not secure your site’s logins. If you want to restrict the number of times you can log in to WordPress, you can use 2-factor authentication. Your WordPress login page will be protected as well. MalCare has a beta version of 2-factor authentication available, or you can use Google Authenticator.

WordPress restricted login attempts, on the other hand, is simple to set up and protects your site from hackers. When it comes to restricting login attempts and protecting your website, the benefits far outweigh the disadvantages.

Last Thoughts

WordPress is the world’s most common content management system (CMS). However, hackers are drawn to the site because of its success.

Hackers are actively targeting WordPress pages. As a result, it’s even more important that you take adequate security precautions on your website. Limiting login attempts is a good place to start, given that the WordPress login page is the most frequently attacked page.