Review Of The Limit Login Attempts Plugin

Time and time again, when reading an article about WordPress security or how to harden an install, I would see mentions of limiting the number of times someone can try to log into an account. I had never put much thought into the idea, but I’ve finally installed a plugin to lessen the chance that someone will brute-force my password. By default, WordPress does not limit the number of times a user can try to log in with an incorrect username or password. Someone who knows the administrator username could run a script that mounts a dictionary attack against the wp-login page to gain access. This is why it is very important either to delete the default admin account and create a new administrator account after a successful install, or to move the default admin account into the Subscriber role.

The plugin I used is called Limit Login Attempts. It was created by Johan Eenfeldt and provides a simple way to limit anonymous login attempts, and it is very easy to configure. I can set how many retries are allowed, how many minutes a lockout lasts, how many lockouts are needed before a much longer lockout kicks in, and how many hours must pass before the retry counter is reset. For WPTavern, I’ve configured 3 retries, 20-minute lockouts, and escalation from 20 minutes to 24 hours after 4 lockouts. I can also view the number of lockouts issued since the last time the counter was reset.

However, the thing I like most about this plugin is that it can notify me when someone triggers a lockout. I’ve configured it to log the IP address and email me after 1 lockout. The lockout log at the end of the configuration page shows each locked-out user’s IP address and the username they tried to log in with. Less than 24 hours after installing the plugin, I received my first lockout notification.

As you can see from the image, someone tried four times unsuccessfully to log into WPTavern.com with the username admin. I was quite surprised to see a lockout notification so soon after installing the plugin. I don’t keep a close eye on my log file, so this is a good way of knowing when this particular event occurs. So far, however, I’ve only received one lockout notification. I have to say, this is one of those plugins that everyone should have installed on their site, even if only to be notified that someone is trying to break in.
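The lockout policy and notification flow described above, as an added illustration in Python (not the plugin’s own code): the retry, lockout and escalation values are the WPTavern settings from the post, while the reset window is an assumed value because the post does not state it.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    allowed_retries: int = 3              # WPTavern setting: 3 retries
    lockout_seconds: int = 20 * 60        # WPTavern setting: 20-minute lockout
    lockouts_before_long: int = 4         # WPTavern setting: 4th lockout escalates
    long_lockout_seconds: int = 24 * 3600 # WPTavern setting: escalated lockout
    reset_after_seconds: int = 12 * 3600  # ASSUMED value; the post does not give it
    notify_after_lockouts: int = 1        # WPTavern setting: email after 1 lockout

@dataclass
class IpState:
    failures: int = 0        # failed attempts since the last lockout or reset
    lockouts: int = 0        # lockouts issued inside the current reset window
    locked_until: float = 0  # epoch seconds; 0 means not locked
    last_failure: float = 0

class LoginLimiter:
    def __init__(self, policy):
        self.policy = policy
        self.state = {}          # client IP -> IpState
        self.log = []            # (ip, username, when, length): what the plugin's log page shows
        self.notifications = []  # stands in for the notification email
    def is_locked(self, ip, now):
        st = self.state.get(ip)
        return st is not None and now < st.locked_until
    def record_failure(self, ip, username, now):
        """Count one failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True  # a locked-out IP is refused before authentication, nothing is counted
        st = self.state.setdefault(ip, IpState())
        p = self.policy
        if st.last_failure and now - st.last_failure > p.reset_after_seconds:
            st.failures, st.lockouts = 0, 0  # quiet for the whole window: start over
        st.last_failure = now
        st.failures += 1
        if st.failures < p.allowed_retries:
            return False
        st.failures = 0
        st.lockouts += 1
        length = p.long_lockout_seconds if st.lockouts >= p.lockouts_before_long else p.lockout_seconds
        st.locked_until = now + length
        self.log.append((ip, username, now, length))
        if st.lockouts >= p.notify_after_lockouts:
            self.notifications.append(f"lockout #{st.lockouts} for {ip}, username {username!r}")
        return True
    def record_success(self, ip):
        self.state.pop(ip, None)  # a successful login clears that IP's counters
```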

9 Comments


  1. I use Limit Login Attempts – choosing it over other options primarily for the email notification.

  2. @Chip Bennett – I think that other plugin people mention is called Login Lockdown. I tried looking for it in the plugin repository but decided to give this one a try and it works as advertised. The email notification is pretty slick.

  3. I have always thought this limit login attempts feature should have been added to the core.

  4. @Martin – agree! This should be fairly simple to implement and could add a lot to the overall security for everyone using WP.

  5. Nice review Jeff. As I have been working mostly in MU for the last couple years, and with the merge on the horizon, I wonder if there’s any interest in this developer making this MU compatible? What I mean is…I have an MU installation that has five sites (blogs) and I will be adding more regularly. It would be nice not to have to activate and configure this plugin on each individual site every time I create a new one.

    Just a thought, hopefully the dev will read this and report any interest (or lack of).

    Great review!

  6. Hi Jeffro,

    Sounds like a good solution, especially the nice touch of emailing you about lockouts.

    Personally, I password protect my wp-admin folder, which means they can’t even get to my login form (without entering a separate password). It means two passwords to enter, but lets me sleep better at night.

    Still, I’d like to know when someone tried, which I can’t currently…

  7. @Nicolas – Yep, you’re right, not the hardest thing to add to the core.

    A lot of CMSs and forums already have this type of feature built in. Simple Machines, phpBB, and I think Joomla do it too…

  8. I am glad that you considered adding this plugin Jeff. We were getting a lot of these, so we took it a level further and put an IP restriction as well.
