Introduction
By default, WordPress allows unlimited login attempts, making sites vulnerable to brute-force attacks. To protect your users and server resources, you can limit the number of failed login attempts, which forces attackers to wait between tries or blocks them altogether.
Plugin Recommendation
While a Web Application Firewall handles this automatically, you can also install the Limit Login Attempts plugin to block IP addresses after a configurable number of failures. It thwarts automated cracking by rejecting further attempts for a set lockout period.
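The lockout mechanism described above can be sketched with WordPress's own hooks. This is an added example, not the Limit Login Attempts plugin's code; the `example_ll_` names, the five-failure threshold and the 20-minute lockout are assumptions chosen for illustration.

```php
<?php
// Added illustration, not the Limit Login Attempts plugin's code.
// Assumed thresholds; the plugin makes these configurable.
const EXAMPLE_MAX_FAILURES    = 5;
const EXAMPLE_LOCKOUT_SECONDS = 1200; // 20 minutes

// Key the counter on the connecting address. Behind a proxy or CDN,
// REMOTE_ADDR is the proxy's address unless the server restores the
// real client IP, so every visitor would share one counter.
function example_ll_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_ll_' . md5( $ip );
}

// Count each failed login. Attempts rejected during a lockout also fire
// wp_login_failed, so they renew the timer as well as the count.
add_action( 'wp_login_failed', function () {
    $key      = example_ll_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Runs after core's credential checks (priority 20) so the error is not
// overwritten; a locked-out address is rejected even with a valid password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_ll_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_ll_key() );
} );
```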
Troubleshooting and FAQs
Q: Login attempts aren’t being blocked—what should I check?
A: Ensure the plugin is active under Plugins. Then, clear any caching layers (site, object, or CDN) and retry to confirm settings apply.
Q: I use another security plugin—will this conflict?
A: It may. If you already have rate-limiting or firewall rules, disable overlapping features to avoid double-handling login failures.