You have a WordPress website with some authentication system (login & registration), but you are entirely unfamiliar with security issues that you and your users may run into? This article is definitely for you because I will try to address these issues and advise you on handling them and keeping the user’s data safe.

First of all, it’s essential to understand the whole authentication process and how servers handle login requests. When a user wants to authenticate himself and convince the server to let him in, he must prove that he is the genuine person and the account owner.

Security tab in WordPress

Today, most login systems use a primary user/password or email/password approach to secure their websites from unauthorized access. Still, since this is the most widely used authentication method, it became the primary target for hackers and malicious people to attack using different brute force techniques or cracking tools.

In addition, a big part of website security is hosting. It’s crucial to have a hosting provider that has your best interest in mind. Therefore, WPMU DEV hosting ticks all the boxes. It’s affordable, fast, secure, fully-dedicated, and the #1 rated WordPress host on TrustPilot. Get 20% off any of their plans here.

Generally, websites and WordPress are created to enable users to log into their accounts with an unlimited number of attempts. You might think that this is a great feature, but you’re mistaken. It is a perfect way for hackers to try to abuse your website and break into users’ accounts by attempting different user/password combinations.

They use pretty fast and sophisticated cracking tools that allow them to automatically check millions of different login combinations until they find the correct one. If you want to make your website look trustworthy and safe for users, you have to take security measures to approach and handle this problem that can expose your users to having their accounts hacked and abused.

Hacker stealing data

So, this security issue can be approached in different ways, however mostly when people want to handle multiple failed login attempts, they use loggers and tools which keep track of how many logins attempts an individual made. Based on that, you can block an IP of a particular user if he fails to provide the correct user and password combination for his account.

Generally, it is set up to three or four available attempts before the user’s IP address gets blocked on the website, and the user can no longer use the login page for a certain period. It is mainly done to prevent spam and bot logins, brute force, and DDOS attacks, which can do real damage to your website and business, as well.

Since this article is about WordPress, this security loop can be quickly taken under control by using plenty of free WordPress plugins. Therefore, in this article, I will be going through five free plugins that you can use to handle multiple failed login attempts for your WordPress website.

1. WPS Limit Login

WPS Limit Login

As its name says, the WPS Limit Login plugin adds up another layer of security to your website by providing a way to prevent login abuse or brute force attacks. So, WPS Limit Login tracks the user’s login attempts and bans the user’s IP address automatically if the attempt count reaches the number you defined previously.

It also informs the user on the login page how many login attempts are left before the account gets locked to prevent abuse. You have the option to whitelist or blacklist specific IPs, as well as the integrated feature to protect the WooCommerce login page if you are running an online store.

2. Defender Security – Malware Scanner, Login Security & Firewall

Defender Security

Defender Security – Malware Scanner, Login Security & Firewall is a WP plugin that provides several ways to secure your website. Besides ensuring your website from brute force or DDOS attacks, you can also use it to protect against SQL injections and XSS attacks. Specifically, this tool provides an excellent and neat way to block specific IPs or import a list of blocked IPs for login protection.

It blocks a user from accessing the login page after a series of incorrect login attempts. Still, it also provides integration to the reCAPTCHA system, which gives you a more effective security layer against login abuse and fraud.

3. Login LockDown

Login LockDown

If a user tries to log into the account and fails several times in a row, Login LockDown will lock and ban that IP range, preventing the users from that IP range from performing login requests for a while.

By default, it is set to a 1-hour lock after previously three failed attempts during five minutes. These settings can be changed in the options panel from your WordPress admin panel. Admins can whitelist or remove specific IPs from the ban list in the plugin’s panel.

4. Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Limit Attempts

Nothing much different from the previously mentioned plugins; Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms does the same job for you. If you have problems with spammers and login abusers, you can activate this plugin and let it protect your website from those kinds of security issues.

It will deny or allow specific IPs from accessing your website login page; you can receive notifications and optionally hide login/register/ forms from people whose IPs have been banned. Suppose you need more information about your website statistics related to these attacks.

In that case, Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms will present you with a list of blocked IP addresses, number of blockings, status, number of failed attempts, etc. You can even send customized messages to the user’s email whose IP was blocked due to the potential login abuse.

5. Loginizer


Loginizer, besides the standard login security improvements, also gives you Two Factor Authentication, Passwordless login, and reCAPTCHA features right out of the box. It also has over a million active users and installations.

By default, it locks an IP after three failed attempts for 15 minutes from accessing the login page, but if the user continues with entering the wrong credentials after the first lockout, the IP will be banned for 24 hours. You can customize error messages displayed on the screen to the users who get banned or blacklisted.


There you have it, our top solutions for when you can’t log in to your WordPress site. Check out all the plugins mentioned and choose one perfect for you!