How to Limit Login Attempts in WordPress

WordPress is the most popular CMS and has millions of users over the internet. It comes very easy to create a website and doesn’t require any coding skills. But having a website is not the end. You have to maintain your site as well. By default, WordPress allows users to change “username” and “password” many times as they want. This way many hackers use some scripts or tools to crack your password, this is also called “Brute Force Attack“. So the first thing you need to do is Limit Login Attempts in WordPress Site.

So in this tutorial, I will share how to Limit Login Attempts in WordPress to Protect from Brute Force Attack.

Why you need to Limit Login Attempts in WordPress?

WP Cerber Example

In the internet, anything can get hacked anytime and WordPress is not an exception as it is getting more popularity, so it became a target for hackers. As we already mentioned that WordPress doesn’t limit for changing “username” and “password”, so users can change both “username” and “password” many times as they want. It is an example of Brute Force Attack in WordPress. This way hackers continuously try many different combinations of “username” and “password” to gain unauthorized access. If your password is poor, the higher chance of your site is getting hacked

There are many WordPress users who still use “Admin” as username and also a short password that is easy to remember. But on the other hand, it also gets more easy for hackers to crack your password. So it is mandatory that you change your “username” and use a complex password. But it is not enough though. So you need to Limit Login Attempts in WordPress to Protect from Brute Force Attack.

By using Limit Login Attempts in WordPress, you can set the maximum number of incorrect “username” and “password” inputs from the same IP address. If the user exceeds the limits, the user’s IP will be blocked for the particular time that based on your settings.

How to Set Limit Login Attempts in WordPress

There are many WordPress Plugins available by which you can set Limit Login Attempts. But we will show you the best WordPress Limit Login Attempts plugin and also show you how to Limit Login Attempts in WordPress to Protect from Brute Force Attack.

Cerber Security & Limit Login Attempts

Cerber is one of the best WordPress security Plugin that allows you to Limit Login Attempts in WordPress site. It defends your WordPress site against brute force attacks by limiting the number of login attempts through the login form. When a user exceeds the limits, the plugin blocks the user’s IP. From the plugin settings, you can also check how many IPs got blacklisted. This plugin also allows you to add reCAPTCHA in your registration form to prevent SPAM registrations.

From the plugin settings, you can also check how many IPs got blacklisted. This plugin also allows you to add reCAPTCHA in your registration form to prevent SPAM registrations. Most of all this plugin is good for WordPress security and can protect your site from Brute Force Attack in WordPress.
Cerber Security & Limit Login Attempts

Key Features:

  • Limit Login Attempts when logging in by IP address or entire subnet.
  • It can monitor total logins that are made by login forms.
  • Permit or restrict logins by White IP access list and Black IP access list.
  • You can create custom Login URL by renaming wp-login.php.
  • Hide wp-register.php, wp-signup.php and wp-login.php from your site.
  • Disable WP REST API.
  • Can set a custom number of limit for incorrect logins.
  • reCAPTCHA available for both WooCommerce and WordPress forms.
  • Receive notifications by email.
  • Disable automatic redirecting to login page.
  • and many more…

How to Setup Cerber Security & Limit Login Attempts

First of all, go to your WordPress Dashboard> Plugins> Add new. Search for “Cerber Security & Limit Login Attempts” and install this. 

WP Cerber Security

After activating this plugin, go to Settings> WP Cerber. You will be redirected to WP Cerber Security Dashboard. Now click on “Main Settings” tab as I have shown below.

Main Settings

From the “Main Settings” tab, you can set the total number of incorrect attempts that a user can use. By default, WP Cerber Security allows 3 retries in 60 minutes and 60 minutes Lockout duration. For example, if a user enters total 3 times incorrect “username” and “password” in 60 minutes, then the user’s IP will get ban for 60 minutes. You can also change the numbers as you want.

You will receive email notification if the number of active lockouts above 3.WP Cerber Main Settings

At below, from the “Custom Login Page” option you can create Custom Login URL and block direct access to wp-login.php.


Access Lists

In “Access Lists” tab, you can see which IPs are blacklisted and you can also manually add and remove any IP that is listed here.

WP Cerber Security Access Lists



In the next tab, you can add usernames that are not allowed to log in or register or if any IP address tries to use those restricted usernames, they will be blocked immediately.WP Cerber Security Users



This plugin allows you to add reCAPTCHA in WordPress registration form, lost password form, login form and comment form.

Before you start using reCAPTCHA, you have to obtain Site key and Secret key from Google reCAPTCHA. Click here to get your keys. After that, add the keys in the empty fields that I have shown below and enable the options that you want. Now click on save changes.




By using Tools, you can export setting and can upload on another site. You can also choose between Settings and Access Lists that you want to export or import.WP Cerber Tools



From the WP Cerber dashboard, you can see users logging activity and also see if any user got blocked. From the left side drop down menu, you can check all activities.

WP Cerber Activity



Brute Force Attack is a common attack for hackers nowadays. As WordPress getting more popularity day by day, so it became the target for hackers. They always try to crack user’s password by Brute Force Attacking method. Just wonder, if any big site gets hacked and what will happen.

It is better to take your site’s security as seriously before it gets hacked. So you should Limit Login Attempts to protect from Brute Force Hacking.

I hope this tutorial helped you to Limit Login Attempts in WordPress. This way you can protect your WordPress site from Brute Force Hacking. If you have any problem or any question, please let us know by leaving a comment below. You can connect with us on  Facebook, Twitter, Google+.


Related articles,

*This post may have affiliate links, which means I may receive a small fee if you choose to purchase through my links (at no extra cost to you). This helps us to keep WPMyWeb up and running and up-to-date. Thank you if you use our links, we really appreciate it! Learn more.

Sharing is Caring
Jyoti Ray

Jyoti Ray is the founder of He writes about Blogging, WordPress tutorials, Hosting, Affiliate marketing etc. He mostly spends times on blogging, reading books and cooking.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
blumen verschicken Blumenversand
blumen verschicken Blumenversand
Reinigungsservice Reinigungsservice Berlin
küchenrenovierung küchenfronten renovieren küchenfront erneuern