All WordPress website owners have to cope with many challenges when it comes to site security, and there are many vulnerabilities to take care of.
Many bloggers out there don’t know how to plug the holes in their website’s security.
While there are many ways to break into a website with bad intentions, a brute force attack is one of the most common ways hackers get into a website.
So what is a brute force (WordPress login) attack?
I would say WordPress has to have some form of layered security to prevent this, because currently WordPress doesn’t limit the login attempts a user can make.
Anyone can try any number of times and probably succeed in logging in to your website.
Your WordPress website’s login page is no secret! On any WordPress site you can reach the login page by appending wp-login.php (or wp-admin) to the site’s address.
When you are not logged in to your site, the wp-admin link is automatically redirected to wp-login.php.
Since there is no upper limit on login attempts, hackers can use this as a doorway. They can simply guess your password over multiple attempts, or use a program to generate a bunch of possible passwords and try logging in with each of them.
In any case, it is quite likely that someone can log in to your site through brute force attempts.
Let’s see how you can protect your site from brute force hacking.
Meet Login Lockdown – a plugin that protects the WordPress login against brute force attacks
There is a plugin for just about anything when it comes to WordPress. In order to add an extra level of protection to your WordPress website’s login page, there are lots of plugins.
One plugin I found highly useful and easy to use is Login Lockdown, which is a free plugin by the way.
Prevent brute force attacks on your WordPress site using Login Lockdown plugin.
Please refer to the video below for the tutorial on how to install and set up this plugin. Plus how it works in blocking the brute force WordPress login attempts.
The settings of Login Lockdown WordPress plugin
After you have installed and activated the plugin, go to Settings > Login Lockdown.
In the options page you will see a set of settings options. Let’s discuss them one by one here:
Max login entries:
This is the number of failed login attempts allowed before the plugin blocks an IP.
For instance, if you have set the max login entries to 3 and a user has tried 3 times with a wrong password or a wrong username, this will trigger the blocking of that particular IP.
Retry time period restriction (minutes):
The window, in minutes, within which failed login attempts are counted towards the maximum: the block is triggered only when the allowed number of failures happens inside this period.
Lockout length (minutes):
This is the amount of time for which a particular IP will be blocked after the last failed attempt that resulted in the block.
For instance, if a particular IP has been blocked due to 3 (= max login entries) failed attempts, another login attempt is possible only after this amount of time (in minutes).
Lockout invalid usernames:
This option blocks the IP as soon as an invalid or non-existent username is entered.
For instance, if your site doesn’t have a user with the username “ana” and someone tries to log in to your site by entering “ana” in the username field, the blocking action is triggered immediately.
By default this is set to No. But if you want you can change it to Yes.
Mask login errors:
This option controls whether (genuine) users are told which of the username or the password was wrong in the attempt that resulted in the lockdown.
So the next time they try, they can recall the correct username or the correct password, whichever went wrong!
By default this is set to No, which means the plugin will display the detailed error message. This is recommended. If you want, you can set this to Yes, but genuine users will then get no information on what went wrong (note that the detailed message also tells anyone probing the form whether a username exists).
Show credit link?
This will display a little notice below the login form: “Login form protected by Login Lockdown”.
Apart from giving credit to the developers, enabling this option also gives a heads-up to whoever is trying to log in to your site with bad intentions.
Of course, you can add a nofollow attribute to the displayed credit link, or you can choose simply not to display it.
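To show how the settings above interact (max login entries, the retry window, the lockout length and the invalid-username option), here is a small model of the lockout logic, added as an example; it is not the plugin’s code, and the policy names, the user table and the IP addresses are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class LockdownPolicy:
    """Mirrors the Login Lockdown options described above (hypothetical model, not the plugin's code)."""
    max_login_entries: int = 3          # failed attempts allowed before an IP is blocked
    retry_period_minutes: float = 5.0   # window within which failures are counted
    lockout_minutes: float = 60.0       # how long a blocked IP stays blocked
    lockout_invalid_usernames: bool = False
    mask_login_errors: bool = False

@dataclass
class LoginLockdown:
    policy: LockdownPolicy
    users: dict                                       # username -> password (constructed sample data)
    failures: dict = field(default_factory=dict)      # ip -> timestamps (minutes) of recent failures
    locked_until: dict = field(default_factory=dict)  # ip -> minute at which the block expires

    def attempt(self, ip: str, username: str, password: str, now: float) -> str:
        """Process one login attempt at time `now` (minutes); return 'ok', 'locked' or the error shown."""
        if self.locked_until.get(ip, -1.0) > now:
            return "locked"
        user_exists = username in self.users
        if user_exists and self.users[username] == password:
            self.failures.pop(ip, None)
            return "ok"
        # "Lockout invalid usernames: Yes" blocks on the first unknown username, without counting.
        if not user_exists and self.policy.lockout_invalid_usernames:
            return self._lock(ip, now)
        # Keep only failures inside the retry window, then add this one.
        recent = [t for t in self.failures.get(ip, []) if t > now - self.policy.retry_period_minutes] + [now]
        self.failures[ip] = recent
        if len(recent) >= self.policy.max_login_entries:
            return self._lock(ip, now)
        if self.policy.mask_login_errors:
            return "error: invalid username or password"  # reveals nothing about which part was wrong
        return "error: invalid password" if user_exists else "error: invalid username"

    def _lock(self, ip: str, now: float) -> str:
        self.locked_until[ip] = now + self.policy.lockout_minutes
        self.failures.pop(ip, None)
        return "locked"

def demo() -> list:
    # Three wrong passwords within the window lock the IP for lockout_minutes; the correct one works afterwards.
    ld = LoginLockdown(LockdownPolicy(), {"admin": "correct horse battery staple"})
    ip = "203.0.113.5"  # constructed sample address (documentation range)
    results = [ld.attempt(ip, "admin", "guess%d" % i, now=float(i)) for i in range(3)]
    results.append(ld.attempt(ip, "admin", "correct horse battery staple", now=10.0))  # blocked until minute 62
    results.append(ld.attempt(ip, "admin", "correct horse battery staple", now=63.0))  # block has expired
    return results
```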
I hope you found this information regarding Login Lockdown useful. If you have any questions, feel free to ask in the comments.
Here’s a screenshot after the plugin has locked down my IP after I’ve tried to log in 3 times with wrong passwords:
I highly recommend using Login Lockdown so you can add an additional layer of protection to your site that prevents anyone from trying to log in via the brute force method.