Login Attempt Limiting

Login Attempt Limiting prevents brute-force password attacks by temporarily locking out IP addresses after too many failed login attempts. This is one of the most effective and essential security features for any WordPress site.

What is a Brute-Force Attack?

A brute-force attack is when an attacker (or automated bot) tries many password combinations to guess the correct one. Without rate limiting:

  • An attacker could try thousands of passwords per minute
  • Eventually, they might guess a weak password
  • Your server resources are wasted processing failed attempts
  • Your logs fill up with attack attempts

Login Attempt Limiting stops this by locking out the attacker’s IP address after a specified number of failures.


How It Works

  1. User enters incorrect username/password combination
  2. Failed attempt is recorded for their IP address
  3. Attempt counter increments
  4. If attempts reach the maximum threshold, IP is locked out
  5. Subsequent login attempts from that IP are blocked
  6. After the lockout duration expires, IP can try again
  7. Successful login resets the attempt counter

Important: Lockouts are based on IP address, not username. This prevents attackers from locking out specific users by repeatedly entering wrong passwords.


Configuration

Enable Login Attempt Limiting

  1. Navigate to Guard Dog → Login Security
  2. Find the Login Attempt Limiting section
  3. Check “Enable Login Attempt Limiting”
  4. Click Save Changes

Settings

Maximum Retries

The number of failed login attempts allowed before an IP is locked out.

Default: 5 attempts

Recommendations:

  • Lenient (7-10 attempts): For sites with users who frequently mistype passwords
  • Balanced (4-6 attempts): Recommended for most sites
  • Strict (2-3 attempts): For high-security sites or sites under active attack

Considerations:

  • Too lenient allows too many password guessing attempts
  • Too strict may lock out legitimate users who mistype
  • Consider your users’ technical proficiency
  • Factor in whether you use strong password requirements

Example scenarios:

  Attempts   Scenario
  3          User types wrong password 3 times → Locked out
  5          User types wrong password 5 times → Locked out
  10         User types wrong password 10 times → Locked out

Lockout Duration

How long (in minutes) an IP address remains locked out after exceeding maximum retries.

Default: 15 minutes

Recommendations:

  • Short (5-10 minutes): For lenient protection, better user experience
  • Medium (15-30 minutes): Recommended for most sites
  • Long (60+ minutes): For high-security sites, makes brute-force extremely slow

Considerations:

  • Longer lockouts make brute-force attacks less feasible
  • Shorter lockouts are more user-friendly for legitimate users
  • Balance security with user experience
  • Consider your tolerance for locked-out users contacting support

Attack math:
With 5 attempts every 15 minutes:

  • An attacker gets only 480 password guesses per day
  • Trying all combinations of a weak 6-character password would take years
  • A strong 12+ character password is essentially unbreakable
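The seven-step cycle described under “How It Works” and the “480 guesses per day” figure above can be checked with the following stand-alone model. It is an added example, not Guard Dog’s code: it mirrors the page’s table columns (ip_address, attempt_count, last_attempt, lockout_expiry), the IP whitelist bypass and the administrative release of a lockout, and then drives it with an attacker who retries every second for 24 hours. Timestamps are integer seconds supplied by the caller, and the IP addresses used are constructed sample values.

```python
"""Stand-alone model of IP-based login attempt limiting (added example).

Not Guard Dog's code: it mirrors the seven steps and the table columns the
page describes (ip_address, attempt_count, last_attempt, lockout_expiry) so
the lockout cycle and the "480 guesses per day" figure can be checked.
Timestamps are integer seconds supplied by the caller, so runs are repeatable.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class AttemptRecord:
    """One row of the per-IP tracking table."""
    attempt_count: int = 0
    last_attempt: Optional[int] = None
    lockout_expiry: Optional[int] = None   # None when not locked out


class LoginLimiter:
    def __init__(self, max_retries: int = 5, lockout_minutes: int = 15,
                 whitelist: Iterable[str] = ()) -> None:
        self.max_retries = max_retries
        self.lockout_seconds = lockout_minutes * 60
        self.whitelist = set(whitelist)          # whitelisted IPs bypass limiting
        self.records: Dict[str, AttemptRecord] = {}

    def is_locked_out(self, ip: str, now: int) -> bool:
        rec = self.records.get(ip)
        if rec is None or rec.lockout_expiry is None:
            return False
        if now < rec.lockout_expiry:
            return True
        # Lockout has expired: the counter resets to zero (step 6).
        del self.records[ip]
        return False

    def minutes_remaining(self, ip: str, now: int) -> int:
        """Value of X in 'Please try again in X minutes.'"""
        rec = self.records.get(ip)
        if rec is None or rec.lockout_expiry is None or now >= rec.lockout_expiry:
            return 0
        return math.ceil((rec.lockout_expiry - now) / 60)

    def attempt(self, ip: str, password_ok: bool, now: int) -> str:
        """Process one login submission; returns 'ok', 'failed' or 'locked'."""
        if ip in self.whitelist:
            return "ok" if password_ok else "failed"
        if self.is_locked_out(ip, now):
            return "locked"                      # step 5: blocked before evaluation
        if password_ok:
            self.records.pop(ip, None)           # step 7: success resets the counter
            return "ok"
        rec = self.records.setdefault(ip, AttemptRecord())   # step 2: record per IP
        rec.attempt_count += 1                   # step 3: counter increments
        rec.last_attempt = now
        if rec.attempt_count >= self.max_retries:             # step 4: threshold hit
            rec.lockout_expiry = now + self.lockout_seconds
        return "failed"

    def release(self, ip: str) -> None:
        """Administrative release, equivalent to deleting the IP's table row."""
        self.records.pop(ip, None)


def guesses_per_day(max_retries: int, lockout_minutes: int) -> int:
    """Count how many password guesses a single IP that retries every second
    actually gets evaluated in 24 hours under the given settings."""
    limiter = LoginLimiter(max_retries, lockout_minutes)
    attacker = "203.0.113.7"                     # constructed sample IP
    evaluated = 0
    for t in range(24 * 60 * 60):
        if limiter.attempt(attacker, False, t) == "failed":
            evaluated += 1
    return evaluated


def years_to_exhaust(keyspace: int, daily_guesses: int) -> float:
    """Worst-case time to try every password in a keyspace at the daily rate."""
    return keyspace / daily_guesses / 365.25


if __name__ == "__main__":
    daily = guesses_per_day(5, 15)
    print(f"5 retries / 15 min lockout: {daily} guesses per day")
    print(f"6 lowercase letters (26^6): {years_to_exhaust(26 ** 6, daily):.0f} years")
```

Running the module prints the daily guess budget for the default settings; changing the two constructor arguments shows how the “Recommended Settings by Site Type” combinations below trade user friction against the attacker’s budget.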

User Experience

What Users See When Locked Out

When a locked-out user tries to log in, they see:

Error message:

“Too many failed login attempts. Your IP address has been temporarily blocked. Please try again in X minutes.”

The login form:

  • Still displays normally
  • Users can enter credentials
  • Form submission is blocked with the above error
  • No indication of when they were locked out or attempts remaining

What Happens During Lockout

Users CANNOT:

  • Log in (even with correct password)
  • Access password reset (temporarily)
  • Register new accounts

Users CAN:

  • View the login page
  • Browse the public site (lockout only affects login)

After Lockout Expires

  • Attempt counter resets to zero
  • User can try logging in again
  • If they fail again, the cycle repeats

Best Practices

Recommended Settings by Site Type

Personal Blog:

Maximum Retries: 5
Lockout Duration: 15 minutes

Balanced protection without frustrating occasional visitors.

Business Website:

Maximum Retries: 4
Lockout Duration: 30 minutes

Stronger protection, reasonable user experience.

E-commerce or High-Value Site:

Maximum Retries: 3
Lockout Duration: 60 minutes

Prioritizes security, makes brute-force extremely difficult.

Site Under Active Attack:

Maximum Retries: 2
Lockout Duration: 120 minutes (2 hours)

Temporary strict settings to thwart ongoing attack.

Combining with Other Features

Login Attempt Limiting works best as part of a layered security approach:

Layer 1: Custom Login URL

  • Hides login page from bots
  • Reduces attempts by 90%+

Layer 2: CAPTCHA

  • Stops automated password guessing
  • Bots can’t try passwords at all

Layer 3: Login Attempt Limiting

  • Catches manual attacks or sophisticated bots
  • Provides hard rate limit

Layer 4: Two-Factor Authentication

  • Even if password is guessed, attacker can’t get in
  • Ultimate protection

Layer 5: IP Whitelist (optional)

  • Only specific IPs can even attempt login
  • Best for sites with fixed-location admins

Communication with Users

If you enable strict login limiting, inform your users:

Example notification:

“We’ve enhanced our site security. Please ensure you’re entering your password correctly. After 3 failed attempts, your IP will be locked out for 30 minutes.”

Consider:

  • Posting a notice on the login page
  • Sending an email to all users
  • Adding information to your site’s help documentation
  • Displaying attempt counter (requires custom development)

Monitoring & Management

Viewing Locked Out IPs

Currently, locked-out IPs are stored in the database. To view them:

Option 1: Activity Log

  1. Go to Guard Dog → Activity Log
  2. Filter for event type “Login Lockout Initiated”
  3. View which IPs have been locked out and when

Option 2: Database Query

Access your database and query the lockout table:

SELECT ip_address, lockout_expiry, attempt_count 
FROM wp_guard_dog_login_attempts 
WHERE lockout_expiry > NOW();

This shows currently locked-out IPs.

Manually Releasing a Lockout

If a legitimate user is locked out and needs immediate access:

Option 1: Wait

  • Easiest option
  • Lockout expires automatically after the duration

Option 2: Database Edit

  1. Access your database (phpMyAdmin or similar)
  2. Find the table: wp_guard_dog_login_attempts
  3. Find the row with the locked-out IP address
  4. Delete the row or set lockout_expiry to a past date
  5. User can immediately attempt login again

Option 3: Whitelist the IP

  1. Go to Guard Dog → Access Control
  2. Add the user’s IP to the IP Whitelist
  3. Whitelisted IPs bypass login limiting entirely

Clearing All Lockouts

To clear all current lockouts:

Database query:

DELETE FROM wp_guard_dog_login_attempts WHERE lockout_expiry > NOW();

Or clear the entire table (also resets all attempt counters):

TRUNCATE TABLE wp_guard_dog_login_attempts;

Technical Details

How Attempts Are Tracked

Login attempts are tracked in a dedicated database table:

Table: wp_guard_dog_login_attempts

Columns:

  • ip_address – The IP attempting login
  • attempt_count – Number of failed attempts
  • last_attempt – Timestamp of most recent failure
  • lockout_expiry – When the lockout expires (NULL if not locked out)

Storage:

  • Attempts are stored indefinitely (or until successful login)
  • Locked-out IPs remain in table until lockout expires
  • Successful logins reset the counter to 0

Performance Considerations

Login Attempt Limiting uses efficient database queries with caching:

  • Caching: Attempt counts and lockout status are cached (5 minutes)
  • Indexed queries: IP address column is indexed for fast lookups
  • Minimal overhead: Negligible performance impact
  • Scales well: Works efficiently even with thousands of lockout records

IP Address Detection

Guard Dog detects user IP addresses using WordPress’s standard IP detection, which checks:

  1. REMOTE_ADDR (most reliable)
  2. HTTP_X_FORWARDED_FOR (for proxies)
  3. HTTP_X_REAL_IP (for reverse proxies)

This works correctly with:

  • Standard hosting
  • CDNs (Cloudflare, etc.)
  • Reverse proxies
  • Load balancers
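Because lockouts are keyed on the detected IP, the value that ends up in ip_address decides both who gets locked out and how easily an attacker can move to a “fresh” address. REMOTE_ADDR is set by the TCP connection, while X-Forwarded-For and X-Real-IP are plain request headers that any client can send. The following added example (not Guard Dog’s code; whether the plugin applies such a check is not stated on this page) shows the defensive way to consult the three sources in the order listed above: honour the forwarded headers only when REMOTE_ADDR belongs to a proxy or CDN you operate, and read X-Forwarded-For from the right so that entries a client prepended are ignored. The trusted-proxy ranges are assumptions for the example.

```python
"""Proxy-aware client IP extraction (added example, not Guard Dog's code).

Consults REMOTE_ADDR, then HTTP_X_FORWARDED_FOR, then HTTP_X_REAL_IP, but
trusts the forwarded headers only when the TCP peer is a proxy we operate.
"""
import ipaddress
from typing import Dict, List

# Assumed for this example: ranges of the CDN / reverse proxy in front of the site.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),    # constructed sample CDN range
]


def _parse_ip(text: str):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(text: str, trusted) -> bool:
    addr = _parse_ip(text)
    return addr is not None and any(addr in net for net in trusted)


def client_ip(environ: Dict[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Pick the address to record for login attempt limiting."""
    remote = environ.get("REMOTE_ADDR", "").strip()
    if not _is_trusted(remote, trusted):
        # Direct connection: forwarded headers are client-controlled, ignore them.
        return remote

    # Each proxy appends the peer it accepted the connection from, so walk
    # right to left and stop at the first hop that is not one of our proxies.
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        if _parse_ip(hop) is not None:
            return hop
        break   # malformed entry: nothing to its left can be relied on

    real_ip = environ.get("HTTP_X_REAL_IP", "").strip()
    if _parse_ip(real_ip) is not None and not _is_trusted(real_ip, trusted):
        return real_ip
    return remote
```

When the site is not behind a proxy at all, the trusted list should be empty, which makes the function return REMOTE_ADDR unconditionally.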

Lockout Bypass Scenarios

Login Attempt Limiting is bypassed for:

  • IP Whitelisted addresses – Whitelisted IPs never get locked out
  • Successful logins – Correct password resets attempt counter
  • Direct database manipulation – Admins can clear lockouts

Login Attempt Limiting still applies even with:

  • Custom login URLs
  • CAPTCHA enabled
  • 2FA enabled

These features work in layers – all protections are applied.


Troubleshooting

Legitimate Users Getting Locked Out

Symptom: Users report being unable to log in, even with correct password

Possible causes:

  1. User typing password wrong – Most common
  2. Password manager autofilling wrong password – Second most common
  3. Multiple users behind same IP (office/school) – Shared IP lockout
  4. User doesn’t realize they’re locked out – Trying repeatedly

Solutions:

  1. Increase Maximum Retries:
     • Go to Login Security settings
     • Increase from 3-5 to 5-7 attempts
     • More forgiving for typos
  2. Decrease Lockout Duration:
     • Reduce from 30 minutes to 10-15 minutes
     • Faster recovery from accidental lockouts
  3. Whitelist office/school IPs:
     • Get the static IP of the location
     • Add to IP Whitelist in Access Control
     • That IP won’t be locked out
  4. Clear specific lockout:
     • See “Manually Releasing a Lockout” above

Shared IP Environments

Problem: Multiple users share one IP (office, school, café)

Issue: One user’s failed attempts lock out everyone at that location

Solutions:

Option 1: Whitelist the IP

  • Best for controlled environments (your office)
  • Add shared IP to whitelist
  • No one from that IP gets locked out

Option 2: Increase limits

  • Raise Maximum Retries to 10-15
  • Accommodates multiple users making mistakes
  • Still provides protection

Option 3: Use 2FA instead

  • Disable Login Attempt Limiting
  • Require 2FA for all users
  • Better protection than rate limiting alone

Option 4: Combination approach

  • Whitelist known safe IPs (office)
  • Use lenient limiting for everyone else
  • Require 2FA for sensitive accounts

VPN or Proxy Users

Problem: User’s IP changes frequently or is shared with others

Effect:

  • User might be locked out due to others’ failed attempts on same VPN server IP
  • User’s failed attempts from one VPN server don’t count against them if they reconnect to different server

Solution:

  • VPN users should use 2FA (better security anyway)
  • If specific VPN IPs are known, whitelist them
  • Consider this trade-off when evaluating security vs. usability

ISP Dynamic IP Changes

Scenario: User’s ISP changes their IP address frequently

Effect:

  • User’s attempt count resets when IP changes
  • Could allow more attempts than intended
  • But also means they won’t stay locked out if IP changes

Impact:

  • Minimal security impact (ISP IPs change slowly, usually daily)
  • Actually slightly beneficial for user experience
  • Not a significant security concern

Lockout Not Working

Symptom: Users can keep trying to log in despite failed attempts

Possible causes:

  1. Feature disabled – Login Attempt Limiting not enabled
  2. IP is whitelisted – User’s IP on the whitelist
  3. Cache issue – Stale data being served
  4. Database table issue – Table not created or corrupted

Solutions:

  1. Verify feature enabled:
     • Check Guard Dog → Login Security
     • Ensure “Enable Login Attempt Limiting” is checked
  2. Check IP Whitelist:
     • Go to Access Control
     • Verify user’s IP isn’t in IP Whitelist
  3. Clear caches:
     • Clear WordPress object cache
     • Clear page cache if enabled
     • Test in incognito mode
  4. Verify database table:
     • Check that wp_guard_dog_login_attempts table exists
     • If missing, deactivate and reactivate plugin

Advanced Configuration

Integrating with Fail2Ban

For server-level protection, integrate with Fail2Ban:

  1. Configure Fail2Ban to monitor your web server error logs
  2. Set up a filter for WordPress login failures
  3. Fail2Ban will ban IPs at the firewall level
  4. Provides defense-in-depth with Guard Dog

Geographic Blocking

Combine with geographic IP blocking for enhanced protection:

  1. Use a Cloudflare firewall rule to block entire countries
  2. Use server-level GeoIP blocking
  3. Dramatically reduces attack surface
  4. Only viable if you know where legitimate users are located

Notification on Lockout

To get notified when lockouts occur:

  1. Monitor the Activity Log for “Login Lockout Initiated” events
  2. Use a plugin to send notifications for activity log events
  3. Or implement custom code using Guard Dog’s action hooks

FAQ

Q: Will this lock out attackers permanently?
A: No, lockouts are temporary. But it makes brute-force attacks so slow they become impractical.

Q: What if I forget my password and get locked out?
A: You can still use the “Lost your password?” feature to reset it. If that’s also locked, contact a site administrator.

Q: Can I whitelist my own IP to avoid lockouts?
A: Yes, add your IP to the IP Whitelist in Access Control settings.

Q: Does this protect against distributed attacks (many IPs)?
A: Each IP is tracked separately, so yes, but it’s less effective against distributed attacks. Use CAPTCHA to stop distributed bot attacks.

Q: Will this slow down my site?
A: No, the performance impact is negligible due to caching and indexed database queries.

Q: Can I see who’s been locked out?
A: Yes, check the Activity Log for “Login Lockout Initiated” events.

Q: What happens if two people in my office both forget their passwords?
A: If they’re sharing an IP, their failed attempts combine. Consider whitelisting your office IP.

Q: Does this work with WooCommerce login?
A: Yes, it protects all WordPress login attempts including WooCommerce.

Q: Can advanced attackers bypass this?
A: They could distribute attacks across many IPs, but that’s expensive and slow. Combined with CAPTCHA, it’s very difficult to bypass.