Time and time again, when I would read an article about WordPress security or how to harden an install, I would see mentions of limiting the number of times someone can try to log into an account. I had never put much thought into the idea, but I've finally installed a plugin to help lessen the chance that someone will brute force my password. By default, WordPress does not limit the number of times a user can try to log in with an incorrect username or password. Someone who knows the administrator username could run a script that performs a dictionary attack against the wp-login page to gain access. This is why it is very important, after a successful install, to either delete the default admin account and create a new administrator account with a different username, or move the default admin account into the Subscriber role.
The plugin I used is called Limit Login Attempts. The plugin was created by Johan Eenfeldt and provides a simple way to limit anonymous login attempts. Limit Login Attempts is very easy to configure. I can edit how many retries are allowed, how many minutes the lockout should last, how many lockouts are needed before an even longer lockout time is put into place, and how many hours can go by before the retries are reset. For WPTavern, I've configured 3 retries and 20-minute lockouts, and after 4 lockouts the lockout time increases from 20 minutes to 24 hours. I can also view the number of lockouts that have been issued since the last time the counter was reset.
However, the thing I like most about this plugin is that I can tell it to notify me when someone has triggered a lockout. I've configured it to log the IP address and email me after 1 lockout. You can view the lockout log at the end of the configuration page, complete with the user's IP address and the username they tried to log in with. Less than 24 hours after I installed this plugin, I received a notification of a lockout.
As you can see from the image, someone tried four times unsuccessfully to log into WPTavern.com with the username admin. I was quite surprised to see a lockout notification so soon after installing this plugin. I don't keep a close eye on my log file, so this is a good way of knowing when this kind of event occurs. However, I've only received one lockout notification so far. I have to say, this is one of those plugins that everyone should have installed on their site, even if it's just to be notified that someone is trying to break in.
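To make the retry, lockout, escalation and notification settings described above concrete, here is a small model of per-IP login throttling. It is an added example written for this post, not the plugin's own code; the policy values mirror the settings above (3 retries, 20-minute lockout, 4 lockouts escalate to 24 hours, email after 1 lockout), while the 12-hour retry-reset window and the "email on every Nth lockout" behaviour are assumptions.

```python
from dataclasses import dataclass

# Constructed policy mirroring the settings described in the post. The
# 12-hour retry-reset window is an assumed value; the post does not give one.
@dataclass
class LockoutPolicy:
    allowed_retries: int = 3
    lockout_minutes: int = 20
    lockouts_for_long: int = 4
    long_lockout_hours: int = 24
    reset_retries_hours: int = 12
    notify_after_lockouts: int = 1

@dataclass
class IpState:
    failures: int = 0          # failed attempts in the current retry window
    window_start: float = 0.0  # unix time at which the retry window began
    lockouts: int = 0          # lockouts issued to this IP so far
    locked_until: float = 0.0  # unix time at which the current lockout ends

class LoginLimiter:
    """Simplified per-IP login throttle (an illustration, not the plugin's code)."""
    def __init__(self, policy=None):
        self.policy = policy or LockoutPolicy()
        self.state, self.log, self.mail = {}, [], []

    def attempt(self, ip, username, password_ok, now):
        p, st = self.policy, self.state.setdefault(ip, IpState())
        if now < st.locked_until:
            return "locked"          # rejected before credentials are even checked
        if password_ok:
            st.failures = 0          # a good login clears the retry counter
            return "ok"
        if st.failures and now - st.window_start > p.reset_retries_hours * 3600:
            st.failures = 0          # retry counter expires after the reset window
        if st.failures == 0:
            st.window_start = now
        st.failures += 1
        if st.failures < p.allowed_retries:
            return "failed"
        # Retries exhausted: lock the IP and record which username it tried.
        st.failures, st.lockouts = 0, st.lockouts + 1
        long = st.lockouts >= p.lockouts_for_long
        st.locked_until = now + (p.long_lockout_hours * 3600 if long else p.lockout_minutes * 60)
        self.log.append((ip, username, st.lockouts, st.locked_until))
        if st.lockouts % p.notify_after_lockouts == 0:   # assumed: mail every Nth lockout
            self.mail.append(f"lockout #{st.lockouts} for {ip} (tried user '{username}')")
        return "lockout"
```

Feeding it the four failed attempts from the screenshot yields two failures, a lockout with an email, and a fourth attempt rejected without a password check.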
I use Limit Login Attempts – choosing it over other options primarily for the email notification.