
Failed Login Attempts in WordPress: 6 Simple Ways To Reduce Them

Discover how to reduce the amount of failed login attempts in WordPress with the Limit Login Attempts Reloaded plugin.

December 29, 2023 | 12 Min Read

In the dynamic landscape of website security, safeguarding your WordPress site against unauthorized access is crucial. One common threat that website owners face is the risk of failed login attempts. According to Limit Login Attempts Reloaded, its premium users see nearly 700,000 login requests per day, most of them with malicious intent. In this article, we'll explore six simple yet effective ways to reduce the occurrence of failed login attempts and enhance the overall security of your WordPress site.

It's essential to understand that achieving complete elimination of failed login attempts is highly unlikely. While the strategies discussed in this article can substantially diminish the occurrence of failed login attempts, they may persist to some extent. More importantly, the focus should be on preventing unauthorized access even if login attempts occur. This is why it's imperative to enforce robust password and account policies in conjunction with employing security plugins such as Limit Login Attempts Reloaded.

What Is A Failed Login Attempt & How Does It Work?

A failed login attempt occurs when someone tries to access the login page of a WordPress website's admin panel and enters incorrect or invalid credentials (username and password) in an attempt to gain unauthorized access. These failed attempts are typically recorded by the Limit Login Attempts Reloaded plugin for security and auditing purposes. Here's how it works:

User Enters Credentials

When a user or an automated script attempts to log in to the WordPress admin area, they are prompted to provide a username and password.

Validation Process

WordPress checks the entered credentials against the user accounts stored in its database. If the provided username and password do not match any valid user accounts, the login attempt is considered a failed login.

Recording of Failed Attempts

The Limit Login Attempts Reloaded plugin logs failed login attempts, including details such as the IP address of the person or system making the attempt, the username used, and the time of the attempt. This information can be valuable for security analysis and monitoring. In the plugin, you can find this information in the logs, or the login firewall for premium users.

Why Is My Site Getting Attacked?

Brute force attacks on websites, including WordPress sites, can occur for several reasons. Understanding why your site is experiencing such attacks is essential for taking appropriate security measures to protect it. Here are some common reasons why your site may be targeted by brute force attacks:

Site Popularity

If your website is popular or has a significant online presence, it may attract more attention from attackers looking to compromise high-traffic sites for various purposes, such as spreading malware or gaining unauthorized access.

Default Settings

WordPress sites often have default settings that include common usernames (e.g., "admin"). Attackers may target these defaults in their brute force attempts, hoping to find an easy way in.

Weak or Common Passwords

If your website users have weak or commonly used passwords, attackers may see it as an opportunity to exploit weak credentials through brute force attacks. It is best practice to use passwords with a minimum of 16 characters with a combination of uppercase, lowercase, numbers and special characters.

Outdated Software

Running outdated versions of WordPress, themes, or plugins can make your site more vulnerable to attacks. Attackers may exploit known vulnerabilities to gain access to your site. This is why you should always enable auto-update on your plugins and themes.

Lack of Security Measures

Failing to implement security measures like login firewalls, intrusion detection systems, or security plugins can leave your site exposed to brute force attacks.

What is an Intrusion Detection System (IDS)?

IDSs are security tools that monitor network traffic or system activity for suspicious patterns or anomalies. They work by analyzing incoming data packets or system logs, comparing them against predefined rules or signatures, and alerting administrators to potential threats or attacks.

An example of a popular intrusion detection system (IDS) is Snort. Snort examines network traffic, identifies known attack patterns, and can trigger alerts or take actions to block malicious traffic, thus contributing to website security by proactively detecting and preventing unauthorized access or cyberattacks.

Visible Login Page

If your login page is easily accessible and visible to anyone, it becomes an easier target for attackers. While some experts recommend hiding or renaming the WordPress login page, doing so may cause your WordPress installation to malfunction.

Competitive Reasons

In some cases, competitors or individuals with a vested interest in harming your site may attempt brute force attacks to disrupt your business or reputation.

Random Targeting

Automated bots and scripts are constantly scanning the internet for vulnerable websites. Your site may be randomly targeted, even if it's not particularly high-profile. Are you using shared hosting? That is one of the more common ways your website gets discovered by such scanners.

How Can I Reduce Failed Login Attempts in WordPress?

In this section, we'll provide 6 simple ways to reduce your failed login attempts in WordPress. Before you implement, please review the login security checklist to be sure you have implemented the basic requirements such as strong passwords and account audits. The tips outlined here involve installing and activating the Limit Login Attempts Reloaded Plugin.

#1 - Adjust the Amount of Unsuccessful Login Attempts

The LLAR plugin allows you to set the number of unsuccessful login attempts before an attacker gets locked. By default, this value is set to 4. Consider reducing it to a lower value, such as 2 or 3, to limit the number of chances an intruder has to guess the correct credentials.

How to limit the number of unsuccessful login attempts in LLAR

Step 1 - Go to "Settings" in the LLAR WordPress Dashboard
(Screenshot: Settings tab in the free version of Limit Login Attempts Reloaded.)
Step 2 - Scroll to the bottom of the page where it says "App Settings"
(Screenshot: App settings in the LLAR plugin.)
Step 3 - Update the field where it says "Allowed Retries"
(Screenshot: updating the number of retries in the Limit Login Attempts Reloaded app.)

This simple adjustment can improve your site's security. However, please note that lowering the number of allowed login attempts may cause more lockouts within your organization. If you are using the premium version of LLAR, you will be able to unlock your admins and users from the cloud app.

#2 - Deny Users by Country IP

Implementing a geolocation-based restriction can add an extra layer of security. Utilize security plugins or server configurations that allow you to block logins by country. This can help thwart potential attackers who may be attempting unauthorized logins from specific geographical locations.

While implementing this approach, be aware of potential drawbacks, including the possibility of blocking legitimate users. However, this concern may not be significant, especially for websites where only a few administrators regularly log in. To address this issue, create safelists that include trusted IP addresses and usernames, effectively exempting them from the blocking measures.

How to deny users by country in LLAR

To deny users by country, you will need to upgrade to the Premium Plus plan. This is a premium feature because the country IP database is huge and constantly changing, and we keep it up to date on a daily basis for you.

Step 1: Go to the Login Firewall tab inside the LLAR dashboard.
(Screenshot: the Login Firewall tab.)
Step 2: Scroll down to Country Access Rules.
(Screenshot: the deny countries tool.)
Step 3: Click "Add" and then check each of the countries you want to deny. You can also use "Allow Only" if your website only has users from one country logging in.
(Screenshot: blocking logins by country in WordPress with the LLAR plugin.)

#3 - Deny All IPs Besides Your Own (For Static IPs Only)

For website owners with static IP addresses, restricting access to the WordPress login page to only your IP can be a potent security measure. This method ensures that only authorized users with the specified IP address can access the login page. However, it's crucial to keep in mind that this approach might not be feasible for users with dynamic IP addresses.

How to deny all IPs besides your own using LLAR

This method can only be used in the premium version of the LLAR plugin.

Step 1 - Go to the "Login Firewall" tab in the LLAR plugin.
Step 2 - Scroll down to "IP Access Rules" and create a "Pattern". Add "*" in the field and select "Deny" from the dropdown, then click "Add".
(Screenshot: adding a deny-all rule under IP Access Rules in the Limit Login Attempts Reloaded plugin.)
Step 3 - Create another pattern, but enter your IP address in the "Pattern" field, select "Allow", then click "Add".
(Screenshot: adding an allow rule for your IP under IP Access Rules in the Limit Login Attempts Reloaded plugin.)

#4 - Block XML-RPC

XML-RPC is a feature in WordPress that allows external applications to communicate with your site. Unfortunately, it's also a common target for brute force attacks. Disable XML-RPC if you don't rely on it for specific functionality. This can be achieved by simply upgrading to the premium version of LLAR; the block is turned on by default when you upgrade. You can find this feature by going to "Settings" in your LLAR dashboard and scrolling down to the "Limit Login Attempts Reloaded Cloud App" accordion.

(Screenshot: blocking XML-RPC with the Limit Login Attempts Reloaded plugin.)

#5 - Automatically Block IPs if They Get Locked Out

Enable an automatic IP blocking mechanism that permanently blocks IP addresses after a certain number of failed login attempts. Limit Login Attempts Reloaded offers this premium feature in its Professional plan. This proactive approach adds an extra layer of defense against malicious login attempts.

Legitimate IPs may occasionally get locked out more often than expected, but an admin can remove them from the denylist.

How to automatically block IPs using LLAR

This feature is automatically turned on when upgrading to the Professional plan. If for any reason it is too restrictive, simply turn it off by going to "Settings" and scrolling down to the "Limit Login Attempts Reloaded Cloud App". Uncheck the box where it says "Auto IP Blocklist" and then save the setting.

(Screenshot: automatically blocking IPs in WordPress with the Limit Login Attempts Reloaded cloud app.)

#6 - Create Unique Usernames and Allow Only

Brute force attackers often target default usernames like "admin" or "user." While they might eventually uncover your specific username, you can bolster your security by altering or deactivating default usernames. Generate distinctive usernames containing a combination of letters and numbers, and establish a "Login Access Rule" using the plugin. This rule exclusively permits login attempts for these custom usernames, rendering all other attempts unsuccessful.

How to create a login access rule in the LLAR plugin

To create a login access rule, you'll need to upgrade to Limit Login Attempts Reloaded Premium.

Step 1 - Go to the "Login Firewall" tab in the LLAR plugin.
Step 2 - Scroll down to "Login Access Rules" and create a "Pattern". Add "*" in the field and select "Deny" from the dropdown, then click "Add".
(Screenshot: adding a deny-all rule under Login Access Rules in the Limit Login Attempts Reloaded plugin.)
Step 3 - Create another pattern, but enter your unique usernames in the "Pattern" field, select "Allow", then click "Add".
(Screenshot: adding a username allow rule under Login Access Rules in the Limit Login Attempts Reloaded plugin.)
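To see how tips #1, #3 and #6 interact on the same stream of failed logins, here is an added simulation (my own illustration, not code from the LLAR plugin): it replays constructed failed-login records through the "Allowed Retries" counter, a deny-"*"-then-allow IP rule set and a username allow list. The admin IP and the unique usernames are hypothetical, and it assumes an explicit allow rule overrides the wildcard deny, as the steps above imply.

```python
from collections import Counter
from fnmatch import fnmatchcase

ALLOWED_RETRIES = 4  # LLAR's default "Allowed Retries"; the article suggests lowering it to 2 or 3

# Access rules as the Login Firewall expresses them: (pattern, verdict).
# A "*" deny rule followed by specific allow rules is the article's "deny all, allow mine" setup.
# Both the static admin IP and the unique usernames below are hypothetical, constructed values.
IP_RULES = [("*", "deny"), ("203.0.113.10", "allow")]
LOGIN_RULES = [("*", "deny"), ("ops-k3x9", "allow"), ("editor-7q2", "allow")]

# Constructed sample of failed logins in the order they arrived: (source IP, username tried).
ATTEMPTS = [
    ("198.51.100.7", "admin"), ("198.51.100.7", "admin"), ("198.51.100.7", "administrator"),
    ("198.51.100.7", "wpadmin"), ("198.51.100.7", "test"),
    ("203.0.113.10", "ops-k3x9"), ("203.0.113.10", "ops-k3x9"),
    ("192.0.2.55", "ops-k3x9"),
]


def verdict(rules, value):
    """Assumption: an explicit allow beats the wildcard deny; no matching rule means allow."""
    matched = {action for pattern, action in rules if fnmatchcase(value, pattern)}
    if "allow" in matched:
        return "allow"
    return "deny" if "deny" in matched else "allow"


def process(attempts, allowed_retries=ALLOWED_RETRIES, ip_rules=(), login_rules=()):
    """Replay failed-login records and return (per-attempt outcome list, locked-out IPs)."""
    failures = Counter()
    locked = set()
    outcomes = []
    for ip, user in attempts:
        if ip in locked:
            outcomes.append("locked")            # lockout already in force for this IP
        elif verdict(ip_rules, ip) == "deny":
            outcomes.append("ip-denied")         # tip #3: rejected before any password check
        elif verdict(login_rules, user) == "deny":
            outcomes.append("user-denied")       # tip #6: username is not on the allow list
        else:
            failures[ip] += 1                    # tip #1: counts against Allowed Retries
            if failures[ip] >= allowed_retries:
                locked.add(ip)
                outcomes.append("lockout")
            else:
                outcomes.append("failed")
    return outcomes, locked
```

Run `process(ATTEMPTS)` for the retry counter alone, then pass `ip_rules=IP_RULES` or `login_rules=LOGIN_RULES` to see the same guesses rejected before they ever consume a retry.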

What If I Still See Several Failed Login Attempts?

We understand that it can be concerning to see a lot of failed login attempts, but if all of these measures are in place, it will be virtually impossible for attackers to log in unless they already know your username and password. This is why we highly recommend never reusing your passwords across other accounts and services.

It's very common to still see failed login attempts after implementing these measures, and it's very difficult to completely stop these attacks without compromising your WordPress installation.

Another issue you may encounter is degraded performance. Due to the constant requests from IP addresses attempting to log in, your local server will need to absorb these attacks. If you're using the premium version of LLAR, these attacks will be redirected to the cloud and neutralized. This will ensure your website is running at its optimal performance during elevated levels of attacks.

Conclusion

By implementing these six simple strategies, you can significantly reduce the risk of failed login attempts on your WordPress site. Remember that a combination of these measures provides a more robust defense against potential threats. Regularly updating your security practices and staying informed about emerging threats will contribute to maintaining a secure online environment for both you and your users.

Frequently Asked Questions

What Is a Failed Login Attempt in WordPress?

A failed login attempt occurs when someone tries to access the login page of a WordPress website's admin panel and enters incorrect or invalid credentials (username and password).

Why Is My Site Under Brute Force Attack?

Several factors can contribute to your WordPress site being targeted by brute force attacks. These include the site's popularity, default settings like common usernames, weak or common passwords used by users, running outdated software, lack of security measures, and the visibility of the login page.

How Can I Reduce Failed Login Attempts in WordPress?

There are many ways to reduce failed login attempts in WordPress. The most common ways are to lower the number of allowed login attempts, block IPs by country, block XML-RPC, and create unique usernames.

About the Author

Greg Fisher is the CMO and co-founder of Limit Login Attempts Reloaded, spearheading the company’s content and user acquisition.