Are you worried that hackers could break into your site?
By default, WordPress allows you to try an unlimited number of usernames and passwords to login to your site.
While this gives you a better login experience, it also gives hackers a chance to break into your site using “brute force attacks” where they make thousands of attempts to guess your login credentials.
In this post, we’ll show you how to limit login attempts on your site to block hackers from gaining access to it.
But first, let’s clarify what bruce force attacks are and why they’re such a serious problem.
What Exactly Is a Brute Force Attack?
Many people on the internet set common usernames and weak passwords as their login credentials. They select credentials that are easy to remember and take the least amount of effort to type.
For usernames, the most common ones are ‘admin’ or the user’s actual name. And passwords tend to be ‘123456’ or ‘qwerty’.
Hackers are well aware of this, and they program bots to find your site’s login page and then try a long list of commonly used credentials and different combinations of them.
These bots are capable of attempting hundreds of combinations in a matter of seconds. And when they guess the right one, they break into your site and cause major damage.
The best way to prevent these brute force attacks is by limiting the login attempts on your site. So when a user enters incorrect credentials, say 3 or 5 times, they are blocked.
Users will need to click the ‘Lost your password’ option to recover their password.
Having said that, limiting login attempts isn’t enough when it comes to blocking hackers and other threats.
You need to use a comprehensive security solution that will protect your website completely from such attacks. This includes CAPTCHA protection, 2-factor authentication, firewall protection, and IP blocklisting.
With this better understanding of brute force attacks, let’s get started on protecting your site.
Limiting Login Attempts on Your WordPress Site
The best way to limit login attempts and protect your site is by using Sucuri. It’s a total security solution that comes with all the security measures you need to protect your site.
The Sucuri Web Application Firewall detects fake browsers and bad bots and then automatically blocks them.
And it has a strong correlation engine that shuts down brute force attempts without affecting your website users.
Here’s how Sucuri blocks brute force attacks on your site:
- Limit login attempts – Users will get a maximum number of tries to enter the correct credentials before they are asked to reset their password
- Signature detection – Sucuri checks for known patterns of hackers and malware and blocks them before they reach your site.
- Bot and scan blocking – It identifies and blocks automated tools and brute force bots that attack your site.
- 2 Factor Authentication – You can add an additional layer of security on your site that requires users to provide a one-time password generated in real time.
- CAPTCHA and passcodes – It lets you add CAPTCHA protection to your login page, so bots will be unable to pass your login authentication. Or you can even require users to enter a static passcode.
- Geo blocking – If Sucuri’s firewall detects that most brute force attempts are coming from a particular location, you can block visitors from those IP ranges or even block an entire country from accessing your site.
- Allowlisting – You can also block every user from your login page and whitelist only your trusted team’s IP addresses.
Now, let’s set up Sucuri on your site to implement limited login attempts and other protective measures.
Step 1: Install and Activate Sucuri
Sucuri has a free security scanner available in the WordPress repository.
We recommend installing and activating this plugin on your site first. This will allow you to access and operate your security settings directly from your WordPress dashboard.
To get access to the powerful firewall that will protect your website from brute force attacks, you’ll need to sign up for the Pro version.
We recommend using the Pro plan which costs $299 per year. It gives you access to all the features you’ll need to block not just brute force attacks but other hacks like malware injections and DDoS attacks.
Once you’ve signed up and created an account with Sucuri, you can get started.
Step 2: Enable Sucuri Security Scanner
From your WordPress dashboard, navigate to the Sucuri » Dashboard tab.
On this page, you’ll need to enter your API key. To do so, click on the ‘Generate API Key’ button.
This will open a popup where your WordPress site and admin email are prefilled. You can change it if you like.
You’ll see a popup that says your site is successfully registered. You can head over to the Sucuri dashboard.
With that, your site has a security scanner active on your site. It will show you if your site is clean or not, and if you’re on any blocklists.
Step 3: Enable Sucuri Security Firewall
To enable the Sucuri firewall, navigate to Sucuri » Firewall (WAF) tab on your WordPress dashboard.
Here, you’ll need to enter your API key.
You can find this key in your account on the Sucuri website under the Settings » API tab.
Copy the key, enter it on your WordPress dashboard and save your settings. And that’s it! Your firewall is enabled.
Step 4: Modify DNS Settings
Now you’ll need to direct your traffic to the Sucuri firewall so that it can check it and filter out the bad elements. After it does that, it will route the traffic to your web hosting server.
To set this up, go to the Settings » General tab on the Sucuri dashboard.
First, you’ll see the easiest option which is Automatic Integration. If you have your web hosting login details, you can use this option.
You simply need to select ‘cPanel’ or ‘Plesk’ hosting. Most web hosts use cPanel, but you can check with your host’s support team if you’re not sure which one to use.
You’ll need to provide your hosting login details and it will integrate automatically.
If this doesn’t work for you, on the same page, you’ll see options to use Sucuri’s DNS servers or you can manually configure your own DNS servers.
Follow the instructions provided and update the IP address for the ‘A’ record of your site.
If you don’t understand what any of this means, no worries. You can contact your web host or domain registrar and they will guide you through it. Or you can also raise a ticket with Sucuri, and their team will help you change the DNS records.
Once complete, your traffic will be directed first to Sucuri’s’ firewall and then back to your WordPress hosting servers.
Changes to your DNS can take up to 48 hours to reflect but usually happen in a few hours.
Step 5: Monitor Your Site
Sucuri’s firewall will protect your site and block any attacks by hackers and malicious bots. And it will present you with reports on its dashboard such as blocked attacks, average traffic per hour, and traffic by country.
You should use these reports to monitor your site’s security and stay up-to-date on failed attacks.
Step 6: Whitelist User IPs (Optional)
In case you want to block all IPs from accessing your admin panel and allow only your team or authorized users, you can do this under the Access Control tab.
Here, you can add all the IPs you want to whitelist. Next, switch to the Security tab.
You’ll see an option to enable ‘Admin panel restricted to only Whitelisted IP addresses’.
Check this box and save your security options. Now only your whitelisted IPs can access your login page.
And that’s it! Sucuri will automatically apply login protection to your site. And not just that, your site will be protected against all kinds of malware and attacks.
We hope you found this post helpful. If you want to further improve the security of your site, we recommend reading:
- How to Perform a WordPress Security Audit (Step by Step)
- 9 Best WordPress Security Plugins Compared (2021)
- How to Choose a Secure Password for WP Admin [4 EASY Ways]
These posts can help you make your site’s security rock-solid so you can keep hackers at bay.