How to Limit Login Attempts in WordPress – 2 Easy Methods

Sagnika Goswami
July 2, 2025

Did you know Wordfence blocked over 55 billion password attacks in 2024—yet most WordPress sites still allow unlimited login attempts?

WordPress powers 43.5% of all websites and 61.2% of the CMS market, but it allows unlimited login attempts by default. Many failed login attempts put extra strain on the server. This can lead to slower page load times and a higher chance of downtime. This can also lead to SEO penalties.

In this post, we will show you two ways to limit login attempts in WordPress. The first uses the Limit Login Attempts Reloaded plugin, which is simple and effective. The second adds .htaccess rules that limit login attempts at the server level.

Let’s begin!

What are Login Attempts in WordPress?

Every time a user or bot submits credentials to log in, it counts as a login attempt, whichever WordPress login interface is used: /wp-login.php, the REST API, the XML-RPC endpoint (xmlrpc.php), or a custom login form.

Why This Matters

  • Security Risk: WordPress allows unlimited login attempts by default. This lets attackers run bots for brute-force and credential-stuffing attacks.
  • Server Load: Each login attempt, failed or not, triggers PHP execution and database queries. Under a sustained attack this can exhaust resources and even crash the site.
  • API Vulnerabilities: WordPress’s XML-RPC and REST endpoints are common brute-force targets. A single XML-RPC request can bundle many login attempts, multiplying the attack.
  • Detecting Threats: Many failed login attempts from one IP address in a short period are a sign of a brute-force attack. WordPress neither logs nor limits failed login attempts by default, so you cannot see such threats unless you use a plugin or change server settings.
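Because WordPress itself keeps no record of failed logins, the web server’s access log is often the only place this pattern is visible. As an added example (not code from the original post), here is a small Python script that applies the detection heuristic above to Apache access-log lines: WordPress answers a failed wp-login.php POST with 200 (it re-renders the form) and a successful one with a 302 redirect to wp-admin, while xmlrpc.php answers 200 either way, so every POST there is counted. The log lines are constructed sample data, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.9 hammers the login endpoints; 198.51.100.7 fails once, then logs in.
SAMPLE_LOG = """\
203.0.113.9 - - [02/Jul/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [02/Jul/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [02/Jul/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [02/Jul/2025:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jul/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2025:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2025:10:00:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jul/2025:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
"""

# Fields we need from a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_failed_login(ev):
    """Heuristic: a login POST that did not end in the 302 redirect WordPress
    issues on success. xmlrpc.php returns 200 either way, so every POST there
    counts as an attempt."""
    return ev["method"] == "POST" and ev["path"] in LOGIN_PATHS and ev["status"] == 200


def find_bursts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for clients with more than `threshold` failed
    login attempts inside any sliding `window` (threshold/window are assumptions)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed login attempts within 10 minutes")
```

Run it against a real log with `find_bursts(open("/var/log/apache2/access.log").read())`; the addresses it reports are candidates for the plugin’s lockout list or the .htaccess whitelist/blocklist discussed later in this post. The 200-versus-302 rule is a heuristic: a site that customises the login redirect or fronts wp-login.php with a CDN will need the status test adjusted.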

For a full breakdown of essential security steps, check out our WordPress security checklist.

How to Limit Login Attempts in WordPress (Plugin Method)

Several plugins can limit login attempts in WordPress. In this guide, we will walk through the steps using the Limit Login Attempts Reloaded (LLAR) plugin.

Step 1: Install & Activate LLAR

  • Go to Dashboard, then Plugins, and click on Add New.
  • Search for the plugin name Limit Login Attempts Reloaded, and click on Install Now.
  • Then click on Activate to activate the plugin.
  • You’ll see a new Limit Login Attempts menu entry appear.

Step 2: Configure Settings

  • First, go to Limit Login Attempts, then the Settings option.
  • Under the Local App section, configure the following settings:
    • Set allowed retries to 3. This lets a user try to log in at most 3 times; after 3 failures, the user cannot log in again until a specified period of time has passed.
    • Set the minutes lockout to 20 minutes (the default setting). After the maximum number of failed attempts (in our case, 3), the user has to wait 20 minutes.
    • The next option pairs two values: 4 lockouts and an increase of the lockout time to 24 hours. A user can be locked out at most 4 times within 24 hours; after the 4th lockout, the user has to wait 24 hours before trying again.
    • The last option, 24 hours until retries are reset, clears the counted login attempts every 24 hours.
  • Optionally, enable GDPR compliance, turn on email alerts to get notified of lockouts, and whitelist trusted IPs.
  • Finally, select Save Changes.
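To make the interaction between these four settings concrete, here is an added Python model of the lockout policy (example code, not part of LLAR or of the original post): allowed retries, the minutes lockout, the longer 24-hour lockout after a number of lockouts, and the 24-hour reset of the counters. The class and method names, and the in-memory dictionary keyed by client IP, are assumptions for illustration, not LLAR’s own API.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Mirrors the four Local App settings described above (defaults as in the post)."""
    allowed_retries: int = 3                        # failures before a lockout
    lockout: timedelta = timedelta(minutes=20)      # minutes lockout
    lockouts_before_long: int = 4                   # N lockouts -> long lockout
    long_lockout: timedelta = timedelta(hours=24)   # increase lockout time to 24 hours
    reset_after: timedelta = timedelta(hours=24)    # hours until retries are reset


@dataclass
class ClientState:
    failures: int = 0
    lockouts: int = 0
    locked_until: Optional[datetime] = None
    last_failure: Optional[datetime] = None


class LoginLimiter:
    """Hypothetical in-memory limiter keyed by client IP (assumption, not LLAR code)."""

    def __init__(self, policy: Optional[LockoutPolicy] = None):
        self.policy = policy or LockoutPolicy()
        self.clients: Dict[str, ClientState] = {}

    def _state(self, ip: str) -> ClientState:
        return self.clients.setdefault(ip, ClientState())

    def _maybe_reset(self, st: ClientState, now: datetime) -> None:
        # "24 hours until retries are reset": a client that has been quiet for the
        # reset period starts from a clean slate, including its lockout count.
        if st.last_failure is not None and now - st.last_failure > self.policy.reset_after:
            st.failures = 0
            st.lockouts = 0
            st.locked_until = None

    def check(self, ip: str, now: datetime) -> Tuple[bool, str]:
        """Call before verifying credentials. Returns (allowed, message)."""
        st = self._state(ip)
        self._maybe_reset(st, now)
        if st.locked_until is not None and now < st.locked_until:
            minutes = math.ceil((st.locked_until - now).total_seconds() / 60)
            return False, f"Too many failed login attempts. Please try again in {minutes} minutes."
        return True, ""

    def record_failure(self, ip: str, now: datetime) -> ClientState:
        """Call after a credential check fails; applies a lockout when retries run out."""
        st = self._state(ip)
        self._maybe_reset(st, now)
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.allowed_retries:
            st.lockouts += 1
            st.failures = 0  # retries start over after each lockout
            # After the configured number of lockouts the lockout grows to 24 hours.
            if st.lockouts >= self.policy.lockouts_before_long:
                st.locked_until = now + self.policy.long_lockout
            else:
                st.locked_until = now + self.policy.lockout
        return st

    def record_success(self, ip: str) -> None:
        """A successful login clears the client's counters."""
        self.clients.pop(ip, None)


if __name__ == "__main__":
    lim = LoginLimiter()
    t0 = datetime(2025, 7, 2, 10, 0, 0)
    for i in range(3):  # three wrong passwords in quick succession
        lim.record_failure("203.0.113.9", t0 + timedelta(seconds=i))
    print(lim.check("203.0.113.9", t0 + timedelta(seconds=3)))
```

The order of operations is the important part: `check` runs before the password is verified, so a locked-out client never reaches the credential check (and therefore costs no database query), while `record_failure` only runs for attempts that were allowed through. A real plugin keeps this state in the database or a transient rather than in process memory, so that it survives across PHP requests and workers.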

Step 3: Test Lockout Mechanism

  • In an Incognito (private) browser window, go to /wp-login.php and keep entering wrong credentials until you get locked out.
  • You should see:
    “Too many failed login attempts. Please try again in 20 minutes.”
  • If you enable alerts, you will also receive email alerts.

How to Limit Login Attempts in WordPress (.htaccess)

Advanced users can limit login attempts at the server level. This offers faster protection and reduces PHP load. Let’s walk through it step-by-step. 

Note: Be sure to back up your .htaccess and test in staging first.

Step 1: Access & Backup .htaccess

Use FTP (for example FileZilla), cPanel, or SSH to locate the .htaccess file in your site’s root directory. Download a backup of this file before you start editing it, so the site stays recoverable from mistakes.

Step 2: Insert Limiting Code

Paste this code snippet above the default WordPress rules:

<IfModule mod_rewrite.c>
  RewriteEngine On

  # Target login attempts on both wp-login.php and xmlrpc.php
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$

  # Whitelist trusted IP(s) - replace 123.123.123.123 with your actual IP(s)
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$

  # Block once the failure counter exceeds 3.
  # -gt is a numeric comparison (Apache 2.4+); the plain ">3" form is a
  # lexicographic string comparison and also matches values such as "4x" or "30".
  RewriteCond %{ENV:LIMIT_LOGIN_ATTEMPTS} -gt 3

  # If limit exceeded, return 403 Forbidden
  RewriteRule ^.*$ - [R=403,L]
</IfModule>

<IfModule mod_setenvif.c>
  # Apache keeps no per-client failure counter, so mod_setenvif cannot count
  # attempts by itself; it can only set a variable from the current request.
  # The earlier form of this line (LIMIT_LOGIN_ATTEMPTS=$1) copied the client's
  # IP address into the variable, so the ">3" string test above compared an
  # address with "3" and blocked every client whose address starts with 3-9.
  # Instead, set the counter explicitly for addresses you have identified as
  # abusive in your logs (203.0.113.55 is a placeholder):
  SetEnvIf Remote_Addr "^203\.0\.113\.55$" LIMIT_LOGIN_ATTEMPTS=4
</IfModule>

  • Replace 123.123.123.123 with the IP addresses you want to whitelist, and list the addresses you want to block in the SetEnvIf line.
  • With this configuration, a non-whitelisted IP whose LIMIT_LOGIN_ATTEMPTS value exceeds 3 receives a 403 Forbidden response on the login endpoints.

Step 3: Save, Upload, Test

  • Save the .htaccess file that you recently edited.
  • Upload again using either FTP or cPanel.
  • From a non-whitelisted IP, attempt more than three failed logins at /wp-login.php or /xmlrpc.php.
  • You should receive a 403 Forbidden response—confirming that the lockout works.

Tip: If you lock yourself out, rename or delete the edited .htaccess file via FTP (or restore your backup) to clear any syntax error.

Step 4: Additional Hardening Tips

Block XML-RPC to prevent API-based brute force attack:

<Files xmlrpc.php>
  # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat,
  # use "Require all denied" instead
  Order Deny,Allow
  Deny from all
</Files>

Block author-archive scans to stop username enumeration:

# Goes inside the <IfModule mod_rewrite.c> block above, after RewriteEngine On
RewriteCond %{REQUEST_URI} ^/author/
RewriteRule .* - [R=403,L]

Protect the .htaccess file:

<Files .htaccess>
  # Apache 2.2 syntax ("Order allow,deny" with "Deny from all" denies everyone);
  # on Apache 2.4 without mod_access_compat, use "Require all denied" instead
  Order allow,deny
  Deny from all
</Files>

Final Thoughts: How to Limit Login Attempts in WordPress

WordPress allows unlimited login attempts by default. This leaves it open to automated attacks that harm both security and performance. In this post, we covered two robust ways to protect your site:

  • Plugin Method: Limit Login Attempts Reloaded is a powerful, no-code tool trusted by over 2 million active users. It protects your login forms and APIs, logs attempts, and sends alerts, without slowing down your site.
  • Server-Level Method: Custom .htaccess rules quickly block threats at the server level. This means no PHP calls are needed. You can customize it completely with whitelists, XML-RPC rules, and author-scan protection.

These strategies match today’s security practices from top WordPress sources. They are part of a wider, proactive defense plan.

For stronger access control, consider adding two-factor authentication, such as WooCommerce Google Authenticator; it works well alongside LLAR.

When it comes to securing your WordPress site, remember it’s not set it and forget it—it’s a continuous road. Limiting login attempts stops brute-force and credential stuffing attacks. It also boosts performance, enhances user experience, and improves search rankings. 

You can do all this in a few minutes of setup. Don’t wait for an attack to take action; lock down your login now and protect your site with certainty.

Frequently Asked Questions (FAQs)

Q1. How many failed login attempts should be allowed?

Three to five strikes a fair balance: enough retries for legitimate users and few enough to stop bots. LLAR’s defaults fall in this range, and the .htaccess rules above are configured for 3 failures.

Q2. Does LLAR protect XML-RPC and REST API logins?

Absolutely. LLAR automatically covers /wp-login.php, /xmlrpc.php (the XML-RPC endpoint), REST API endpoints, WooCommerce, and custom login forms. It’s much more robust than simple limiters.

Q3. What do I do if I lock myself out?

You can whitelist your IP or simply go back to the plugin dashboard and remove your block. Alternatively, if you are completely locked out, you can disable it in the file system by simply renaming the limit-login-attempts-reloaded folder using FTP or the control panel. Premium users can also use the cloud to unlock their account.

Q4. Can the failed-login counters be inflated or produce false positives?

Definitely not. LLAR does not fabricate failures; its counters reflect the actual failed logins, not internal errors.

Q5. Can I use these methods simultaneously?

Definitely. The plugin gives you detailed logging, whitelisting, and prompt alerts for failed logins, while the .htaccess method blocks at the server level, before PHP runs. Where possible, a layered defense like this is best practice.
