One of the major pitfalls of running a WordPress site is the continuous stream of attempts to force a login through the administrator account. If you have looked at your site’s logs, you will have seen a lot of unwanted traffic coming from all over the world. These attempts try to crack the admin login for the site.
How do I restrict login attempts on my WordPress site?
One of the best ways to bolster your WordPress site’s security is to not use the default ‘admin’ user name for administrator access to the WordPress site. This should be the first step in protecting your site. It does not cost any money, and it sends the hackers in a different direction altogether.
Aside from that, you could block login attempts on your WordPress site through security plugins that block automated attempts to break into the site. By default, WordPress allows unlimited login attempts to the wp-admin interface. Anyone with a little knowledge of brute-force tools can hack into the administrator accounts on the WordPress site. Therefore, it becomes imperative to control the number of login attempts on a WordPress site. Below, we will look at five plugins that will help you block login attempts to your WordPress site.
WP Cerber continues to be one of the foremost choices. The plugin will allow you to block login attempts based on IP addresses and subnets. You can also define an automatic block once login attempts exceed a certain number of incorrect logins. You may create an IP access list that will allow or disallow a single IP address, an IP address range or an entire subnet.
WP Cerber will help you to manage login attempts based on IP address or the network layer. It is one of the best protections against brute force attacks on your WordPress website.
WP Cerber is a very commonly used plugin. It is deployed on over 200,000 WordPress websites.
A free version of WP Cerber can be downloaded from this page. However, it does not allow you to block subnets or IP addresses from making login attempts on your WordPress website.
PRO versions allow expanded functionality on the WordPress site. You may download the PRO version of the plugin from this page.
Security and Malware Scan by CleanTalk
CleanTalk’s security plugin is deployed on over 10,000 WordPress sites as of today. It offers protection against brute force attacks on your WordPress website. The CleanTalk plugin works in different ways to block login attempts on the WordPress site.
CleanTalk will offer protection for your WordPress website in the following three ways:
- To enhance the security of your site, you can use the Security FireWall by CleanTalk. This will allow you to block access to your website by HTTP/HTTPS for individual IP addresses, IP networks and e-mails.
- The BlackIPs Database is the database of the IP addresses that have been used to launch spam and brute force attacks. The IP addresses are added to the blacklist based on malicious activity detected globally. IP addresses are removed from the blacklist as and when malicious activity from an IP address stops.
- Using the CleanTalk plugin, you can limit login attempts from specific countries. This is one of the most user-friendly features. If you notice login attempts from particular countries, you could block the whole country from accessing your site. I consider this approach one of the simplest and most effective ways to control brute force attacks on the website.
CleanTalk is a free plugin. You won’t hear much about it. But, it does seem to have features that would offer protection against brute force attacks on a WordPress blog or website. Site security and IP Blacklists database are paid versions of the plugin. You could buy these addon features from this page.
The free version of the CleanTalk Security plugin for a WordPress website or blog can be downloaded from the page here.
Limit Attempts by BestWebSoft
BestWebSoft’s Limit Attempts plugin does what it advertises. It limits login attempts on a WordPress website based on IP addresses and malicious user activity. The Limit Attempts plugin is in use on over 9,000 WordPress websites. It offers protection against brute force attacks and spam attacks on your WordPress website and contact forms.
- Limit Attempts will automatically block IP addresses that exceed the login attempts limit
- Limit Attempts will automatically add IP addresses that exceed the blocks limit to the deny list
- You can add IP addresses to the Deny list or Allow list manually.
- It will also hide the login, register and lost password forms for IPs that are blocked or on the deny list
All these login limiting features are available for free on the Limit login plugin.
Should you wish to create an IP pool of addresses or add IP addresses to the blacklists, you may consider upgrading to the PRO version. The PRO version will also allow you to block traffic by country. The PRO version will also show a summary diagram with login attempt statistics and prevented hacking attempts on the settings page and in a dashboard widget. It has to be one of the best justifications for upgrading to the PRO version of the Limit Attempts plugin.
You can download the free version of Limit attempts plugin from this page.
The PRO version is available through BestWebSoft’s website. There are annual and lifetime plans available for the PRO users of the plugin.
Limit Login Attempts by miniOrange
miniOrange’s Limit login attempts plugin is a relatively new plugin. It is in use on over 2,000 WordPress websites. But, it is being actively developed and tested. The plugin is backed by the good and experienced development team at miniOrange. It is being offered for free as an open-source plugin.
To protect your site against brute-force attacks, the Limit login attempts plugin will track IP addresses for malicious attempts to log in or break into your website. If unusual activity is detected on the site, the Limit login attempts plugin will block the login attempts and send a notification to the administrator.
Advanced protection on the plugin will help you to block login attempts from specific countries or block IP addresses or IP address pools.
Using miniOrange’s plugin, you can block login attempts from IP addresses if the number of failed login attempts exceeds a pre-determined number of failed attempts.
Compared to WP Cerber or CleanTalk, miniOrange’s Limit login attempts plugin is a new plugin, and it offers safety against hackers at the network level of IP addresses and countries. It does offer preliminary protection against brute-force attacks on a WordPress site.
You can download the Limit login attempts plugin from the link. The plugin is open source and is available for free download.
DoLogin security is also an open source plugin. It is in use on over 2,000 websites. The DoLogin plugin will allow you to block login attempts based on failed attempts within a time interval. If the site gets failed login attempts over a period of 10 minutes, the login attempts will be automatically blocked.
DoLogin protects against brute-force attacks on a WordPress website through:
- blocking IP addresses from specific countries
- blocking malicious attempts that are detected on the basis of failed login attempts during a period of 10 minutes.
- blocking country wise login using geolocation data
- You can make a whitelist or blacklist of IP addresses to allow or disallow login to the WordPress site.
The free version of Dologin security can be downloaded from this page.
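The 10-minute failed-login rule described above can also be checked against a web server access log; the following is an added example, not DoLogin's code or code from any plugin reviewed here. It assumes combined log format, a threshold of 5 failures (the page gives none), and that a failed login shows up as a POST to /wp-login.php answered with 200; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # window length taken from the text above
MAX_FAILURES = 5                # assumed threshold; the page does not give one

# Combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_login(line):
    """Return (ip, time) for a failed wp-login.php POST, else None."""
    m = LINE_RE.match(line)
    # WordPress re-renders the form with 200 on failure, redirects (302) on success.
    if (not m or m["method"] != "POST" or m["status"] != "200"
            or m["path"].split("?", 1)[0] != "/wp-login.php"):
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_block(lines, window=WINDOW, max_failures=MAX_FAILURES):
    """Map each offending IP to the time it first hit the threshold."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = {}
    for line in lines:
        hit = failed_login(line)
        if hit is None:
            continue
        ip, ts = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            blocked.setdefault(ip, ts)
    return blocked

def sample_line(ip, hms, method="POST", path="/wp-login.php", status=200):
    # Builds one constructed access-log line (not real traffic).
    return (f'{ip} - - [12/Mar/2024:{hms} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "-"')

# Constructed sample using documentation IP ranges: a fast burst, a slow
# trickle that never has two failures inside one window, and a normal login.
SAMPLE = (
    [sample_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 50, 10)]
    + [sample_line("198.51.100.4", f"10:{m:02d}:00") for m in (0, 12, 24, 36, 48)]
    + [sample_line("192.0.2.10", "10:05:00", status=302),
       sample_line("192.0.2.10", "10:05:01", method="GET", path="/wp-admin/")]
)
```

Calling `ips_to_block(SAMPLE)` flags only the burst from 203.0.113.7; the slow source has the same total number of failures but never enough inside one 10-minute window, which is the gap a purely time-windowed rule leaves open.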
To protect your WordPress website against brute-force attacks, we suggest adopting the WP Cerber or CleanTalk plugins. CleanTalk is more cost friendly and offers good protection based on IP address blacklists, country specific blocking and IP address database. And, WP Cerber sees a lot of development to improve user experience. Both plugins offer good protection against brute force attacks on your WordPress website.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.