There are several ways to protect your WordPress website blog from unauthorized access.
Here I introduce a small but fine plugin called Limit Login Attempts Reloaded, which locks out the corresponding user for a defined period of time after a defined number of failed login attempts.
Of course, there is no 100% protection against unauthorized persons. For beginners and smaller websites, this plugin should be sufficient. Over time, however, you should take additional security measures to protect your WordPress website.
Limit Login Attempts Reloaded
Limit Login Attempts Reloaded is a free, easy-to-use and, for EU citizens, privacy-compliant WordPress plugin that adds extra security to your website.
Simply activating the plugin is enough to protect the website. If you want, you can adjust further settings and/or make the plugin compliant with the EU General Data Protection Regulation (GDPR).
Limit Login Attempts Settings
After activating the plugin, the settings can be found under the menu item Settings in WordPress. Here is a screenshot with my settings:
I have not really changed much in the default settings. I only added check marks for GDPR compliance and for the e-mail notification. For the screenshot, I temporarily replaced my real email address with the example email address shown there.
I think these settings are sufficient for a start. I find the email notification important so that I know when and how often potential intruders try to break into my site.
If you scroll further down the plugin settings, you can maintain both a whitelist and a blacklist of specific IP addresses: whitelisted addresses always get in (unlimited login attempts), blacklisted ones are permanently locked out. Since IPs constantly change hands, you should be careful with these settings and, if you are unsure, leave the fields blank.
Do not forget to click on the button “Save Options” at the bottom of the page after changing the settings!
Testing the plugin
In my self-test, the WP login page looks like this when you enter wrong login data for the first time:
After the first 4 failed attempts, I was locked out for 20 minutes:
After being locked out 4 times for 20 minutes in a 12-hour period, I was locked out for 24 hours:
While you are locked out, there is no point in trying to log in. Even if you enter the correct login data, one of the last two error messages above is displayed until the lockout has expired.
Statistics and log
After locking myself out while testing the plugin, I see the following in the Limit Login Attempts plugin statistics:
The lockout log now shows me the following:
As you can see, the IP is displayed in encrypted form. This is because I previously ticked the GDPR compliance check box.
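To make the behaviour described in the settings and testing sections concrete, here is a small Python simulation of the lockout policy: a whitelist and blacklist, 4 failed attempts leading to a 20-minute lockout, escalation to 24 hours after 4 lockouts within 12 hours, a correct password being refused while a lockout is active, and a lockout log that stores only a hashed IP. This is an added example written for this post, not the plugin's own code (the plugin is written in PHP); the constants follow the numbers quoted above, the exact escalation rule is my reading of the test described here, and the salted SHA-256 display of the IP is an assumption about what "encrypted" means, not the plugin's actual method. The IP addresses used are constructed documentation ranges.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from ipaddress import ip_address

# Policy values as described in the post: 4 failed attempts -> 20 minute
# lockout; after 4 such lockouts inside a 12 hour window, the next lockout
# lasts 24 hours. The escalation rule is my reading of the author's test,
# not taken from the plugin's source.
ALLOWED_RETRIES = 4
LOCKOUT_SECONDS = 20 * 60
LONG_LOCKOUT_AFTER = 4
LONG_LOCKOUT_SECONDS = 24 * 60 * 60
RETRY_WINDOW_SECONDS = 12 * 60 * 60

# Hypothetical salt: the post only says the IP is shown "encrypted" in GDPR
# mode; a salted hash is one way to keep raw addresses out of the log.
LOG_SALT = b"example-salt-change-me"


def obfuscate_ip(ip: str) -> str:
    """Return a short salted hash so the lockout log never stores the raw IP."""
    return sha256(LOG_SALT + ip.encode()).hexdigest()[:16]


@dataclass
class LoginLimiter:
    gdpr_mode: bool = True
    allowlist: set = field(default_factory=set)        # unlimited attempts
    denylist: set = field(default_factory=set)         # always refused
    failures: dict = field(default_factory=dict)       # ip -> consecutive failures
    lockout_until: dict = field(default_factory=dict)  # ip -> time the lock ends
    lockout_times: dict = field(default_factory=dict)  # ip -> times of past lockouts
    log: list = field(default_factory=list)            # lockout log lines

    def remaining_lockout(self, ip: str, now: float) -> float:
        """Seconds left on an active lockout, 0 if there is none."""
        return max(0.0, self.lockout_until.get(ip, 0.0) - now)

    def attempt(self, ip: str, now: float, credentials_ok: bool) -> str:
        """Process one login attempt; returns ok | failed | locked | denied."""
        ip = str(ip_address(ip))  # canonical form; rejects garbage input
        if ip in self.denylist:
            return "denied"
        if ip in self.allowlist:
            return "ok" if credentials_ok else "failed"
        if self.remaining_lockout(ip, now) > 0:
            return "locked"  # during a lockout even the right password is refused
        if credentials_ok:
            self.failures.pop(ip, None)  # success resets the counter
            return "ok"
        count = self.failures.get(ip, 0) + 1
        if count < ALLOWED_RETRIES:
            self.failures[ip] = count
            return "failed"
        # Threshold reached: start a lockout and reset the failure counter.
        self.failures.pop(ip, None)
        recent = [t for t in self.lockout_times.get(ip, [])
                  if now - t < RETRY_WINDOW_SECONDS]
        if len(recent) >= LONG_LOCKOUT_AFTER:
            duration = LONG_LOCKOUT_SECONDS
            recent = []  # the escalation consumes the short-lockout history
        else:
            duration = LOCKOUT_SECONDS
        recent.append(now)
        self.lockout_times[ip] = recent
        self.lockout_until[ip] = now + duration
        shown = obfuscate_ip(ip) if self.gdpr_mode else ip
        self.log.append(f"t={now:.0f} {shown} locked out for {duration // 60} min")
        return "locked"


def simulate_brute_force(rounds: int, spacing: float = LOCKOUT_SECONDS + 60) -> list:
    """Constructed scenario: one client keeps sending wrong passwords and waits
    for each lockout to expire. Returns the lockout duration imposed per round."""
    lim = LoginLimiter()
    ip = "203.0.113.9"  # constructed address from a documentation range
    durations = []
    for k in range(rounds):
        base = k * spacing
        for i in range(ALLOWED_RETRIES):
            lim.attempt(ip, base + i, False)
        durations.append(lim.remaining_lockout(ip, base + ALLOWED_RETRIES - 1))
    return durations


if __name__ == "__main__":
    print(simulate_brute_force(5))  # four short lockouts, then the long one
```

Running the simulation for five rounds shows four 20-minute lockouts followed by a 24-hour one, matching the sequence observed in the test above; the log lines contain only the hashed address, which is the point of the GDPR check box.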
I have tested the free plugin Limit Login Attempts Reloaded; it works fine and I use it myself. A clear recommendation from me!
At the latest once you receive many email alerts about lockouts or build a larger website, you should think about further security measures, such as installing a firewall or password-protecting the WP login with an .htaccess file.