WordPress Security
WordPress Security

Limit login attempts without a plugin?

How to protect WordPress login page without using a plugin


You can find plenty of comments and advice on that on the Internet. But is it real?

By default WordPress allows unlimited login attempts through the login form, sending special cookies, using XML-RPC call, and REST API calls. This allows passwords to be cracked with relative ease via brute force attack. Nowadays hackers and bots are constantly trying to log in to your WordPress site by guessing your admin password and passwords of other user registered on the site. So, if you want to protect your site without using plugin you need:

  1. Know PHP well.
  2. Know enough about authentication filter and action (built-in to the WordPress) to hook them. I recommend to start from hooks like ‘authenticate’ and ‘wp_login_failed’.
  3. Track post login form, XML RPC and REST API authorization requests, and yeah, don’t forget authorization cookies (are they valid?).
  4. Store somewhere all attempts with all attempted logins and all IP addresses to calculate when and what IP you need to block. I recommend using Transient API. Seriously. This is the easiest way. Of course, you can’t control it, but using it allows you do something without knowledge of SQL.
  5. Calculate time between unsuccessful login attempts for particular IP.
  6. Have a tool or PHP code to reset any of those counters and blocked customer IP. What if some legitimate customer will be blocked by chance?

Looks crazy? You have a second option. You can google and grab some code snippets from some blog in the Internet without any warranty and support.

Conclusion: You can find plenty of advice on how to limit login attempts without plugin on the Internet. But all advice is given by persons who don’t even know how WordPress authentication algorithm works exactly, including those nice guys from stackoverflow. But, anyway, you can do that, if you really don’t worry about security of your site because there is no option to do it right way without PHP coding skills and knowledge of the WordPress authentication mechanism.

If there’s something strange on your site who you gonna call?

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments

Leave a Reply to Gregory
Cancel Reply