No matter the type or size of your site, you need a good security plan in place to keep hackers out. One area you need to pay special attention to is your login page. Attackers often use a technique called “brute force attacks” to guess usernames and passwords until they stumble across the right combination and get into your site. Thanks to bots, they can try thousands of combinations a minute.
One easy solution is to limit the number of times someone can try to log in. If they fail too many times, they get locked out for a set period of time.
This guide walks you through how to limit login attempts with and without a plugin. You’ll also find tips to protect your site without locking out real users.
Why you should limit login attempts
By default, WordPress allows people to attempt to log in as many times as they want. While this is helpful if a legitimate user forgets their password, it also enables hackers to use bots to test thousands of usernames and passwords each minute.
But by limiting login attempts, you can:
- Stop bots from guessing your password through endless login attempts.
- Protect your server from becoming overloaded due to brute force attacks.
- Buy you time to spot and block bad IP addresses.
- Add a layer of security with very little effort.
This does not replace other important measures — like using high-quality passwords — but it is an important part of a quality security strategy.
How limiting login attempts works
When you limit login attempts, you set the maximum number of tries for each user or IP address. If someone enters the wrong password too many times, you can:
- Block them for a short period of time.
- Add an IP address to a temporary block list.
- Allowlist administrator IP addresses so you never get locked out.
You can adjust these rules to balance safety and ease for real users.
How to limit login attempts with a plugin
Jetpack offers brute force attack prevention for free or as part of the comprehensive Jetpack Security plan. It’s super simple to set up and runs automatically in the background to block malicious traffic before it even reaches your site — no work required on your end.
Here’s how to set it up:
- Log in to your WordPress dashboard and navigate to Plugins → Add plugin.
- Search for “Jetpack” and click Install now → Activate.
- A setup wizard will appear where you’ll connect your site to your WordPress.com account. You’ll also get a chance to create one if you don’t have one already.
Brute force attack protection will be activated automatically. However, if you’d like, you can customize the settings to fit your needs. Simply follow these steps:
- In your WordPress dashboard, go to Jetpack → Settings → Security.
- Scroll down to the Brute force protection section. There, you can toggle the feature on and off.
- Now, find the Always allowed IP addresses section. There, you can add IP addresses that you never want blocked. Generally, you should only do this for administrator accounts.
- Your settings will save automatically.

How to limit login attempts without a plugin
If you want even more granular control over your brute force attack prevention, you can set this up manually. Note that you should only do this if you’re used to working with code. You should also make sure that you have a full site backup in place before proceeding.
1. Add code to the functions.php file
One method is to add a few lines to your theme’s functions.php file. Here’s an example:
    function limit_login_attempts() {
        $max_login_attempts = 3;
        $lockout_time       = 20 * MINUTE_IN_SECONDS;
        $ip                 = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '';
        $key                = 'login_attempts_' . $ip;
        $attempts           = (int) get_transient( $key ); // false (no record yet) becomes 0

        // Only block login form submissions; without this check a locked-out IP
        // would be refused every page on the site, not just the login page.
        $is_login_post = ( 'wp-login.php' === $GLOBALS['pagenow'] && 'POST' === $_SERVER['REQUEST_METHOD'] );
        if ( $is_login_post && $attempts >= $max_login_attempts ) {
            wp_die( 'Too many login attempts. Try again later.', 'Locked out', array( 'response' => 429 ) );
        }

        // Each failed login bumps the counter; the transient expires after the lockout time.
        add_action( 'wp_login_failed', function () use ( $key, $attempts, $lockout_time ) {
            set_transient( $key, $attempts + 1, $lockout_time );
        } );

        // A successful login clears the counter for this IP.
        add_action( 'wp_login', function () use ( $key ) {
            delete_transient( $key );
        } );
    }
    add_action( 'init', 'limit_login_attempts' );
Always test on a staging site first. A small mistake can lock you out of your own dashboard or break your site.
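A fuller alternative to the snippet above, added here as an example that is not Jetpack's code or the original post's, implements the rules described under "How limiting login attempts works": a per-IP and a per-username counter, an administrator allowlist, and a lockout message that states the wait time. It uses WordPress's authenticate filter instead of wp_die on init; the plugin name, the lal_ prefixed function names and the allowlisted address 203.0.113.10 are placeholders.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Save as wp-content/mu-plugins/login-limiter.php; mu-plugins load without activation.
 */
const LAL_MAX_ATTEMPTS = 5;
const LAL_LOCKOUT      = 20 * MINUTE_IN_SECONDS;
const LAL_ALLOWLIST    = array( '203.0.113.10' ); // placeholder admin IP, replace with your own

function lal_client_ip() {
    // REMOTE_ADDR is set by the web server; X-Forwarded-For is client-controlled and ignored here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '0.0.0.0';
}

function lal_keys( $username ) {
    // Two counters: one per source IP, one per target account (catches many IPs hitting one account).
    return array(
        'lal_ip_'   . md5( lal_client_ip() ),
        'lal_user_' . md5( strtolower( sanitize_user( $username ) ) ),
    );
}

// Runs before the password check; returning WP_Error rejects the login with a message.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) || in_array( lal_client_ip(), LAL_ALLOWLIST, true ) ) {
        return $user; // allowlisted admins are never locked out
    }
    foreach ( lal_keys( $username ) as $key ) {
        if ( (int) get_transient( $key ) >= LAL_MAX_ATTEMPTS ) {
            status_header( 429 );
            header( 'Retry-After: ' . LAL_LOCKOUT );
            return new WP_Error( 'too_many_attempts', sprintf(
                'Too many failed login attempts. Please try again in %d minutes.',
                LAL_LOCKOUT / MINUTE_IN_SECONDS
            ) );
        }
    }
    return $user;
}, 5, 2 );

// Count each failure (a retry while locked out also counts, which renews the window).
add_action( 'wp_login_failed', function ( $username ) {
    foreach ( lal_keys( $username ) as $key ) {
        set_transient( $key, (int) get_transient( $key ) + 1, LAL_LOCKOUT );
    }
} );

// Reset on success so a user is not penalised for earlier typos.
add_action( 'wp_login', function ( $username ) {
    foreach ( lal_keys( $username ) as $key ) {
        delete_transient( $key );
    }
} );
```

The per-username counter means anyone can lock a known account by failing on purpose, which is exactly why the administrator allowlist is there; keep it populated with the addresses you log in from.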
2. Use .htaccess rules
If your server uses Apache, you can restrict access to the login page with .htaccess rules. Add this to your .htaccess file:
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        # Match the login page and the /wp-admin path (with or without a trailing slash);
        # wp-admin/admin-ajax.php, which the front end of the site uses, is not matched.
        RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
        RewriteCond %{REQUEST_URI} /wp-admin/?$
        # Apply only to visitors whose address is not yours.
        RewriteCond %{REMOTE_ADDR} !^YOUR_IP_ADDRESS$
        RewriteRule .* - [F,L]
    </IfModule>
Replace YOUR_IP_ADDRESS with your own public address, which blocks everyone except you; because the value is a regular expression, escape the dots (for example 203\.0\.113\.10). If your site sits behind a CDN or reverse proxy, REMOTE_ADDR is usually the proxy's address rather than the visitor's, so the rule will not behave as intended there. While this is a good option if you’re the only one who needs access to your site, it’s not a good solution for membership sites, forums, ecommerce stores, and other types of websites with a variety of users.
Extra tips for better login security
Limiting login attempts is a strong start but should be part of a holistic security strategy, which includes:
- Use strong passwords: Ensure that every user, especially administrators, uses a strong password with a combination of letters, numbers, and symbols.
- Turn on two-factor authentication: This requires a one-time code sent to your phone in addition to your standard username and password.
- Update often: Always update WordPress core, along with your themes and plugins.
- Use a web application firewall: A firewall blocks malicious traffic from reaching your site.
- Prevent spam: Block spam from your comment sections, contact forms, and more.
Want more information? Check out:
- Our full guide to protecting your login page.
- Our resource with 28 WordPress security best practices.
- The full Jetpack Security plan, which includes everything from a firewall and spam protection to malware scanning and real-time backups.
What to do if you get locked out
If you accidentally block yourself from accessing your site, you can:
- Wait for the lockout time to expire.
- Disable your security plugin via FTP or your hosting file manager.
- Remove or edit any custom code through FTP or your hosting dashboard.
- Ask your host’s support for help, if necessary.
We guard your site. You run your business.
Jetpack Security provides easy‑to‑use, comprehensive WordPress site security, including real‑time backups, a web application firewall, malware scanning, and spam protection.
How Jetpack Security stops brute force attacks
Want a full security suite that handles the hard work for you? Give Jetpack Security a go. Jetpack’s brute force protection feature:
- Automatically blocks bad IPs used by botnets and hackers.
- Provides a count of total attacks stopped in your dashboard.
- Gives you the option to allowlist safe IPs so you don’t lock yourself out.
- Offers a one-click setting to turn protection on or off.
But brute force protection is just one element of Jetpack Security. You’ll also get access to real-time backups and malware scans, advanced spam protection, a web application firewall, an activity log to monitor what happens on your site, and one-click fixes for common security problems and vulnerabilities.
In a single tool, you get advanced security features for your entire site that are easy to turn on and work in the background so you never have to worry. Learn more about Jetpack Security here.
Frequently asked questions
What is the best number of login attempts to allow on WordPress?
Allowing 3 to 5 failed login attempts is a good setting for most websites. This amount provides a strong defense against automated bot attacks. It is also flexible enough to avoid locking out real users who may have simply forgotten their password.
If you manage a website with highly sensitive data, such as an ecommerce store, you might choose a stricter limit of 2 or 3 attempts. For a personal blog, 5 attempts is usually fine. This setting creates a good balance between security and user convenience.
How long should a WordPress login lockout period be?
A lockout period of 20 to 30 minutes is a good starting point. This duration is long enough to stop an ongoing brute force attack and disrupt a bot’s process. It is also short enough that a legitimate user will not be overly inconvenienced.
Is limiting login attempts enough to fully secure my WordPress website?
No, limiting login attempts is just one important part of a complete website security strategy. It does an excellent job of protecting your login page, but you need additional measures to protect your entire site. You should always use strong, unique passwords for all user accounts. Activating two-factor authentication (2FA) adds another critical layer of security.
Using a comprehensive security plugin with a web application firewall (WAF) can block malicious traffic before it reaches your site. Keeping WordPress core, plugins, and themes updated is also vital for patching security holes.
What is the difference between limiting logins and two-factor authentication (2FA)?
Limiting logins blocks an attacker after they make too many incorrect password guesses. Two-factor authentication requires a second piece of information to log in successfully. Limiting login attempts is a reactive security measure that stops an active attack.
In contrast, 2FA is a proactive security measure that strengthens the login process from the very start. With 2FA enabled, a stolen password is not enough for someone to access your account. They would also need a time-sensitive code from your mobile device or email. Using both methods together provides extremely strong login protection.
What does a user see when they get locked out of a WordPress site?
The user will typically see an error message explaining that they have made too many login attempts and must wait before trying again. The specific message depends on the plugin or code being used.
A good error message clearly states that attempts are limited for security purposes and shows how long the lockout period will last. For instance, the message might say, “Too many failed login attempts. Please try again in 20 minutes.” This informs the user what is happening without revealing any sensitive information that could help an attacker.
Should I also change my WordPress login URL?
Yes, changing your login URL is another effective security step that works well with limiting login attempts. By default, every WordPress login page is located at a standard URL like /wp-admin or /wp-login.php. Attackers and bots know this, so they target these URLs directly.
Changing your login URL to something unique and hard to guess makes it much more difficult for automated bots to find your login page. This technique blocks a huge number of low-level, automated attacks and adds an extra layer of protection to your website.