Security Blog
Posted By Gregory

Limit login attempts without a plugin?

How to protect WordPress login page without using a plugin


You can find plenty of comments and advice about this on the Internet. But does it really work?

By default, WordPress allows unlimited login attempts through the login form, by sending special cookies, through XML-RPC calls, and through REST API calls. This allows passwords to be cracked with relative ease via a brute-force attack. Hackers and bots constantly try to log in to your WordPress site by guessing your admin password and the passwords of other users registered on the site. So, if you want to protect your site without using a plugin, you need to:

  1. Know PHP well.
  2. Know enough about the authentication filters and actions built into WordPress to hook them. I recommend starting with hooks like ‘authenticate’ and ‘wp_login_failed’.
  3. Track login form POST requests, XML-RPC and REST API authorization requests, and yes, don’t forget authorization cookies (are they valid?).
  4. Store all attempts somewhere, with all attempted logins and all IP addresses, to calculate when and which IP you need to block. I recommend using the Transients API. Seriously. This is the easiest way. Of course, you can’t control it, but using it allows you to do something without knowledge of SQL.
  5. Calculate the time between unsuccessful login attempts for a particular IP.
  6. Have a tool or PHP code to reset any of those counters and unblock a blocked customer IP. What if a legitimate customer gets blocked by chance?
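
One way the hooks and storage from steps 2, 4, 5 and 6 can fit together, as an added example that is not from the original post. It throttles only the paths that pass through the ‘authenticate’ filter and the ‘wp_login_failed’ action, so the cookie and REST API checks from step 3 still need their own handling; the lla_/LLA_ names, the limit of 5 failures and the 15-minute window are assumptions.

```php
<?php
// Added example. The lla_/LLA_ names and both limits are illustrative assumptions.
define( 'LLA_MAX_FAILS', 5 );                   // failures tolerated per window
define( 'LLA_WINDOW', 15 * MINUTE_IN_SECONDS ); // sliding window for counting failures

function lla_key( $ip ) {
    return 'lla_' . md5( $ip ); // fixed-length transient name for IPv4 and IPv6
}

function lla_client_ip() {
    // REMOTE_ADDR is the peer the web server sees; behind a reverse proxy that
    // is the proxy itself, so this function must be adapted for such setups.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Step 5: failures from this IP, as array( timestamp, login ), inside the window.
function lla_recent_failures( $ip ) {
    $fails  = get_transient( lla_key( $ip ) );
    $cutoff = time() - LLA_WINDOW;
    return array_values( array_filter(
        is_array( $fails ) ? $fails : array(),
        function ( $f ) use ( $cutoff ) { return $f[0] > $cutoff; }
    ) );
}

// Step 4: record each failure reported by wp_authenticate().
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = lla_client_ip();
    $fails = lla_recent_failures( $ip );
    if ( count( $fails ) >= LLA_MAX_FAILS ) {
        return; // already locked: do not let the stored list grow without bound
    }
    $fails[] = array( time(), $username );
    set_transient( lla_key( $ip ), $fails, LLA_WINDOW );
} );

// Priority 100 runs after core's own 'authenticate' callbacks (99 and lower),
// so a correct password cannot overwrite the lockout error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( count( lla_recent_failures( lla_client_ip() ) ) >= LLA_MAX_FAILS ) {
        return new WP_Error( 'lla_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 100, 3 );

// Step 6: call from an admin-only context to unblock a legitimate visitor.
function lla_reset( $ip ) {
    return delete_transient( lla_key( $ip ) );
}
```

Transient reads and writes are not atomic, and a persistent object cache may evict entries early, so the counter is approximate under parallel requests.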

Looks crazy? You have a second option. You can google and grab some code snippets from some blog on the Internet without any warranty or support.

Conclusion: You can find plenty of advice on the Internet on how to limit login attempts without a plugin. But all that advice is given by people who don’t even know exactly how the WordPress authentication algorithm works, including those nice guys from Stack Overflow. Anyway, you can do that if you really don’t worry about the security of your site, because there is no way to do it the right way without PHP coding skills and knowledge of the WordPress authentication mechanism.

If there’s something strange on your site who you gonna call?

I’m a self-employed developer who has been building software products and services using WordPress for more than seven years. I enjoy partnering with others on interesting and challenging projects. If you’re interested, feel free to contact me.