Limit Login Attempts Plugin For WordPress
Posted by Mitch Mitchell on Mar 13, 2017
This post about the Limit Login Attempts plugin for WordPress blogs was initially written back in 2009. However, at that time I didn’t really talk all that much about how it worked or its settings, nor did I put images on my blog back then.
This is one of those things where, based on a lot of things I’ve been reading, it’s good not only to republish a piece, since most of the content is changing, but also to upgrade it so that it reflects more of what I want to tell you about, since it’s still pertinent to our needs and security.
As stated before, the plugin is called Limit Login Attempts, and its purpose is to dissuade hackers from using their nefarious software to gain access to our blog’s username and password. I keep coming across more folks who’ve had their blogs hacked, including some of the more famous names, and there are usually two ways their sites get hacked. One is that a hacker’s found a backdoor way of getting in, possibly via old themes you’re not using anymore that you didn’t remove from your Appearance tab. The other is them figuring out your username and password by hitting your login multiple times with their bots.
Most of us are too lazy to change our username from Admin, or forget to change it to something stronger when we first create blogs; heck, many don’t even know they can do that. I used to be bad at this, but I’ve taken care of both that and my password with my newer blogs. Still, against automated software, you need something stronger to protect your property. That’s why I love this plugin so much.
Obviously, the first thing you have to do is install it via the install plugins link. It should pop up pretty quickly, and you should feel pretty safe using it since. One thing that violates my norm is that it hasn’t been updated in about 5 years, but it’s been uploaded way over a million times and people are still using it. I read some of the latest reviews and it seems that most people love it, but nothing’s ever 100%. However, people who are having problems with it either tried to modify it or have already been hacked, which is a totally different issue.
As you see in the image above, the first two things you get are options you don’t have to take any interest in. They’re stats that tell you how often idiots have tried to get into your blog, which I’ve never reset, and how many active bots are trying to get in now. I have to admit it’s freaky realizing that 34 of these morons are trying to break into my account right now; it’s not going to happen in their lifetime. 🙂
Before I go any further I need to warn you that whatever settings you set also apply to you. So, you’ll need to feel confident in knowing and correctly typing your username and password, unless you have your browser set to put them in automatically, which you probably don’t have set up if you’re logging in away from home. Just so you know, if you lock your silly self out (because you’ll feel pretty silly if it happens), you can always get back in by FTP’ing into your account on the back end, deleting the plugin, and once you get back into your blog adding the plugin and starting again.
You need to decide how many login attempts you’ll allow before it shuts down for a certain number of minutes. It’s defaulted to 4, but I’ve made mine 3 times for this blog since it’s my most popular. I have it on 4 times for my business blog and all my other blogs 5 times because I’ve been known to forget what those passwords are; sigh! lol
The second is how long you want to make people wait before they can try again once they’ve gotten it wrong the number of times you set. The default is 20 minutes, but that didn’t feel strong enough for my tastes. I have mine set at 4,500 minutes, which is 75 hours or just over 3 days. I figured that was enough to frustrate the normal hacker who’s not all that bright.
The third is how many times you want to allow someone to try to get in and get locked out again. The default is 4 more times and an increase to 24 hours. Since I’d already decided on 75 hours up front, 24 hours would have made it easier for the hackers. Once again I thought that was too generous, so I changed mine to 2 more times and 300 hours, which is 12 1/2 days. At this level the hackers have had just over a month to try to break into my blog; that’s not a bad deterrent I’d say.
This last one is the biggie though. It’s nice of the folk who created it to still give you a chance to have it automatically reset after a certain period of time. Their default was 12 hours; once again that seemed deficient from where I stand. I decided to up the ante and go with 900 hours, which ends up being 37 1/2 days before a reset.
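To see what these four settings buy you, here is a small model of the lockout schedule, added as an example and not taken from the plugin's own code. It assumes one IP address that guesses again the instant each lockout ends, that every batch of failed logins triggers a lockout, and that the long lockout restarts the count; the reset timer is left out because the client in this model never pauses long enough for it to matter.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    allowed_retries: int       # failed logins allowed before a lockout
    lockout_minutes: int       # length of a normal lockout
    lockouts_before_long: int  # this many lockouts in a row -> long lockout
    long_lockout_hours: int    # length of the long lockout


def batch_times(policy):
    """Yield the minute at which each batch of guesses becomes possible."""
    t, streak = 0, 0
    while True:
        yield t
        streak += 1
        if streak >= policy.lockouts_before_long:
            t += policy.long_lockout_hours * 60   # long lockout, count restarts
            streak = 0
        else:
            t += policy.lockout_minutes


def guesses_within(policy, window_minutes):
    """Password guesses one IP address can make inside the window."""
    total = 0
    for t in batch_times(policy):
        if t >= window_minutes:
            return total
        total += policy.allowed_retries


def minutes_until_guess(policy, n):
    """Minute at which the n-th guess from one IP address becomes possible."""
    for i, t in enumerate(batch_times(policy)):
        if (i + 1) * policy.allowed_retries >= n:
            return t


# Values as given in this post: plugin defaults and the author's settings.
DEFAULTS = LockoutPolicy(4, 20, 4, 24)
POST_SETTINGS = LockoutPolicy(3, 4500, 2, 300)

if __name__ == "__main__":
    month = 30 * 24 * 60
    for name, p in (("defaults", DEFAULTS), ("post settings", POST_SETTINGS)):
        days = minutes_until_guess(p, 1000) / 1440
        print(f"{name}: {guesses_within(p, month)} guesses in 30 days, "
              f"1000th guess after {days:.0f} days")
```

The numbers are per IP address, so they describe the budget of each address separately, not the total across every address that shows up in the plugin's log.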
The next two things are the default settings, and I’ve left them alone because, truthfully, I’m not sure what they really mean. Even on their page they don’t really tell you what it means, but they recommend we stick to the default.
The last two are kind of a crapshoot, depending on what kind of information you want to see.
I told mine to log all the IP addresses, and it’s been listing them since I initially added the plugin in 2009. They’re all listed just under the Change Options button, almost 15,000 of them. lol Actually, that’s not quite true, because many of the IP addresses tried multiple times to get in. You get to see all that information, which can be intriguing, but for most of you it’s probably unnecessary.
I also told mine to stop sending me email, which is the default setting. I initially wanted to get email alerts when I first installed it, but after a couple of weeks my stress level was rising and I decided I didn’t want to know. lol After this one, you hit that Change Options button to save your settings and you’re good to go!
I feel that I have an extra layer of protection, and that helps me sleep better. You’ll still want to add a backup plugin just in case someone figures out how to get into your blog and you need to restore it, as well as a firewall plugin just in case something’s already on your blog and you want to block the weasels who got it on there from activating it. This one is definitely a must to have if you ask me… so go add it immediately! 😀