This post about the Limit Login Attempts plugin for WordPress blogs was initially written back in 2009. However, at that time I didn’t really talk all that much about how it worked or its settings, nor did I put images on my blog back then.
This is one of those cases where, based on a lot of what I’ve been reading, it’s worth not only republishing a piece, since most of the content has changed, but upgrading it so that it reflects more of what I want to tell you, because it’s still pertinent to our needs and security.
As stated before, the plugin is called Limit Login Attempts, and its purpose is to stop hackers from using their nefarious software to gain access to our blog’s username and password. I keep coming across more folks who’ve had their blogs hacked, including some of the more famous names, and there are usually two ways their sites get hacked. One is that a hacker’s found a backdoor way of getting in, possibly via old themes you’re not using anymore that you didn’t remove from your Appearance tab. The other is them figuring out your username and password by hitting it multiple times with their bots.
Most of us are too lazy to change our username from Admin, or forget to change it to something stronger when we first create blogs; heck, many don’t even know they can do that. I used to be bad at this, but I’ve taken care of both that and my password with my newer blogs. Still, against automated software, you need something stronger to protect your property. That’s why I love this plugin so much.
Obviously, the first thing you have to do is install it via the install plugins link. It should pop up pretty quickly, and you should feel pretty safe using it. One thing that violates my norm is that it hasn’t been updated in about 5 years, but it’s been downloaded way over a million times and people are still using it. I read some of the latest reviews and it seems that most people love it, but nothing’s ever 100%. However, the people who are having problems with it either tried to modify it or had already been hacked, which is a totally different issue.
As you see in the image above, the first two things you get are options you don’t have to take any interest in. They’re stats that tell you how often idiots have tried to get into your blog, which I’ve never reset, and how many active bots are trying to get in now. I have to admit it’s freaky realizing that 34 of these morons are trying to break into my account right now; it’s not going to happen in their lifetime. 🙂
Before I go any further I need to warn you that whatever settings you choose also apply to you. So you’ll need to feel confident that you know your username and password and can type them correctly, unless you have your browser set to fill them in automatically, which you probably don’t have set up if you’re logging in away from home. Just so you know, if you lock your silly self out (because you’ll feel pretty silly if it happens), you can always get back in by FTP’ing into your account on the back end, deleting the plugin, and once you’re back into your blog adding the plugin and starting again.
You need to decide how many login attempts you’ll allow before it shuts down for a certain number of minutes. It’s defaulted to 4, but I’ve made mine 3 times for this blog since it’s my most popular. I have it on 4 times for my business blog and all my other blogs 5 times because I’ve been known to forget what those passwords are; sigh! lol
The second is how long you want to make people wait before they can try again once they’ve gotten it wrong the number of times you set. The default is 20 minutes, but that didn’t feel strong enough for my tastes. I have mine set at 4,500 minutes, which is 75 hours or just over 3 days. I figured that was enough to frustrate the normal hacker who’s not all that bright.
The third is how many lockouts you want to allow before the lockout time increases, and how long that longer lockout lasts. The default is 4 more lockouts and an increase to 24 hours. Since I’d already decided on 75 hours up front, 24 hours would have made it easier for the hackers. Once again I thought that was too generous, so I changed mine to 2 more lockouts and 300 hours, which is 12 1/2 days. At this level the hackers have had just over a month to try to break into my blog; that’s not a bad deterrent I’d say.
This last one is the biggie though. It’s nice of the folks who created it to still give you a chance to have the counters automatically reset after a certain period of time. Their default was 12 hours; once again that seemed deficient from where I stand. I decided to up the ante and go with 900 hours, which ends up being 37 1/2 days before a reset.
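To make those four settings concrete, here is a small added simulation (example code written for this post, not the plugin’s own source). It models the allowed-retries counter, the ordinary and the escalated lockout, the number of lockouts at which the long one kicks in, and the reset window, then runs a bot that guesses a wrong password once a minute against both the defaults and the settings described above. The escalation rule, the counters and the IP addresses (taken from documentation ranges) are this example’s assumptions, not a transcription of the plugin.

```python
"""Simulated Limit Login Attempts-style lockout escalation.

Added example, not the plugin's own code.  The five policy numbers mirror
the settings walked through in the post; the escalation rule (a lockout
becomes the long one once the configured number of lockouts is reached,
and a good login clears the counters) is this example's model of that
behaviour.  All IP addresses are constructed values from documentation ranges.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Plugin settings as named in the post (values here are the defaults)."""
    allowed_retries: int = 4       # failed logins before a lockout
    lockout_minutes: int = 20      # length of an ordinary lockout
    lockouts_before_long: int = 4  # this many lockouts escalate to the long one
    long_lockout_hours: int = 24   # length of the escalated lockout
    reset_hours: int = 12          # failed-attempt counters expire after this


# The post's own settings for this blog: 3 retries, 4,500 minutes,
# 2 lockouts, 300 hours, 900 hours until reset.
MITCH_POLICY = LockoutPolicy(3, 4500, 2, 300, 900)


@dataclass
class IpState:
    retries: int = 0       # failed attempts counted in the current window
    window_ends: int = 0   # minute at which the counters are forgotten
    locked_until: int = 0  # minute at which the current lockout ends


class LoginLimiter:
    """Per-IP counters; time is an integer minute so the demo runs offline."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.state: dict[str, IpState] = {}
        self.lockout_log: list[tuple[int, str, int]] = []  # (minute, ip, duration)

    def attempt(self, ip: str, minute: int, password_ok: bool) -> str:
        """Process one login attempt; returns 'locked', 'ok' or 'failed'."""
        p = self.policy
        st = self.state.setdefault(ip, IpState())
        if minute < st.locked_until:
            return "locked"           # refused before the password is even checked
        if password_ok:
            self.state.pop(ip, None)  # a successful login clears the counters
            return "ok"
        if minute >= st.window_ends:  # old failures have expired: fresh window
            st.retries = 0
            st.window_ends = minute + p.reset_hours * 60
        st.retries += 1
        if st.retries % p.allowed_retries != 0:
            return "failed"           # still below the lockout threshold
        lockouts_so_far = st.retries // p.allowed_retries
        if lockouts_so_far >= p.lockouts_before_long:
            duration = p.long_lockout_hours * 60   # escalated lockout
        else:
            duration = p.lockout_minutes
        st.locked_until = minute + duration
        self.lockout_log.append((minute, ip, duration))
        return "failed"

    def lockouts_per_ip(self) -> Counter:
        """The per-IP tally like the one the post describes under Change Options."""
        return Counter(ip for _, ip, _ in self.lockout_log)


def run_bot(policy: LockoutPolicy, ip: str, attempts: int) -> tuple[Counter, list]:
    """A bot retrying a wrong password once a minute; returns outcome counts
    and the lockout log so the effect of each policy can be compared."""
    lim = LoginLimiter(policy)
    outcomes = Counter(lim.attempt(ip, minute, False) for minute in range(attempts))
    return outcomes, lim.lockout_log


if __name__ == "__main__":
    bot = "203.0.113.5"  # constructed attacker address
    for name, policy in (("defaults", LockoutPolicy()), ("post settings", MITCH_POLICY)):
        outcomes, log = run_bot(policy, bot, 60)
        print(f"{name}: {dict(outcomes)}; lockouts: {log}")
```

Running it shows the difference the numbers make: over an hour of guessing, the defaults let the bot fail 12 times across three 20-minute lockouts, while the settings above allow 3 guesses and then refuse everything for 75 hours; the second lockout stretches to 300 hours. The warning earlier in the post also falls out of the model: while an address is locked, even the correct password is refused, so the owner is subject to the same rule.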
The next two things are the default settings, and I’ve left them alone because, truthfully, I’m not sure what they really mean. Even on their page they don’t really tell you what it means, but they recommend we stick to the default.
The last two are kind of a crapshoot, depending on what kind of information you want to see.
I told mine to log all the IP addresses, and it’s been listing them since I initially added the plugin in 2009. They’re all listed just under the Change Options button, almost 15,000 of them. lol Actually, that’s not quite true, because many of the IP addresses tried multiple times to get in. You get to see all that information, which can be intriguing, but for most of you it’s probably unnecessary.
I also told mine to stop sending me email, which is the default setting. I initially wanted to get email alerts when I first installed it, but after a couple of weeks my stress level was rising and I decided I didn’t want to know. lol After this one, you hit that Change Options button to save your settings and you’re good to go!
I feel that I have an extra layer of protection, and that helps me sleep better. You’ll still want to add a backup plugin just in case someone figures out how to get into your blog and you need to restore it, as well as a firewall plugin just in case something’s already on your blog and you want to block the weasels who got it on there from activating it. This one is definitely a must to have if you ask me… so go add it immediately! 😀
Limiting login attempts is a great idea. Most forums and many websites already have this feature installed for the protection of the users, but it’s something we don’t often think about when it comes to our own blogs. I think this will definitely help reduce the chances of an intrusion.
.-= Mike´s last blog ..Atlanta Movers =-.
I hope so, Mike. In any case, I feel a little safer, I must admit.
Sadly, I’d probably mess up my own security on the limited number of login attempts, because I have been managing multiple sites with different password variations, and I confuse myself sometimes. Otherwise, not a bad idea at all.
~ Kristi
.-= Kikolani´s last blog ..Ultimate Freelance Resources – 100+ Links to Freelance Jobs, Blogs, Podcasts, Guides & More =-.
You’re killing me, Kristi! Actually, using Firefox, it remembers all my passwords, so I don’t worry about it.
Mitch thank you for introducing us to Udegbunam Chukwudi’s blog and Limit Login Attempts. Sounds like a great plugin.
.-= Rose´s last blog ..10 Christmas themes for Blogger =-.
It is, and I’m glad you like his blog. I think it’s pretty neat.
My username isn’t Admin, but I probably should look at this plug-in. Not that I have that many loyal readers to cause a stir, yet, those email viruses and other hacks don’t always make sense on who they attack either. Besides, I have a password program so I don’t have to worry about being locked out. 🙂
.-= Anne´s last blog ..New Theme & Image Issues Abound =-.
You know Anne, I was just lazy and left it like that when the program was set up. All my passwords are different, but otherwise, I just left it alone, and I know I’m not the only one.
I think mine asked me for a username or else I’m sure I would have left it as Admin. I don’t think it’s lazy, just convenient. 😉
.-= Anne´s last blog ..Let it Snow, Let it Snow, Let it Snow ~ Please =-.
Mitch, thank you for posting the link to that blog post. I’m in the process of installing some of these plugins now.
.-= DeAnna Troupe´s last blog ..Listen To Denise J Hart (motivationmama) Interview Me About Being A Creative Entrepreneur =-.
No problem, DeAnna; I hope it works well for you.
Thanks Mitch – As ever a source of useful information – this one didn’t even cross my mind – there are some sad people around!
.-= Peter Davies´s last blog ..Does anyone have any knowledge regarding worldprofit.com? =-.
For sure Peter, and it was a fluke I came across it.
Mitch,
This is a good one man! I’ve often feared having someone try to hack my wordpress based blogs due to lack of security. Not that my blogs are worth hacking, but you never know who you may have ticked off online.
Happy holidays!!!
-TAM
.-= The Almost Millionaire´s last blog ..Email links – the devil is in the detail! =-.
No problem, and where the heck have you been anyway? I noticed you hadn’t been writing much on your blog.
While plugins like Limit Login Attempts help secure your WordPress blog, you still have to look into stuff like a) changing passwords regularly, b) removing the admin username, and c) regularly updating your WordPress software and related plugins. Security is a process, not a result.
.-= DailyManila´s last blog ..There’s no such thing as a hack-proof WordPress blog =-.
There is always that, DM, and I’ve thought about it, but just haven’t done it. I figure I’m going to have to address that one of these days, for sure.
Hi Mitch. Thanks for the comment on my blog. As always, I make it a point to stress how important security is. Don’t wait for something to happen, do it now 🙂 Good luck!
.-= DailyManila´s last blog ..There’s no such thing as a hack-proof WordPress blog =-.
You folks and your passwords are killing me, Dennis! lol I have a file on my computer and backed up on my external drive that has every username and password I have for every site. Never a problem for me.
Nothing fancy, Dennis, just a regular Word file with a nondescript name that only I know.
Mitch, there were 6 plug-ins not 10 ;). I strongly suggest you reset the email alert to one cos you never can tell, it could take the fourth attempt to get access into your blog.
Thanks for the mention.;-)
.-= Udegbunam Chukwudi´s last blog ..Nigerians Get Payoneer Prepaid MasterCard Free! =-.
I hadn’t thought much about it, Udegbunam, but for most people, setting it at 1 will lock them out without knowing another way to get it. Maybe 3; even the banks and credit card sites set it at 3.
And I’m glad to give you the shout out.
Yeah Mitch, why wouldn’t you want to know after the first failed attempt? It’s not like you’re going to forget your own password now, is it? If not one, at least 2, in case you mis-key the password.
.-= Sire´s last blog ..Of Gary Vaynerchuk And His Belief That You Can Cash In On Your Passion =-.
Actually Sire, I don’t want to take the chance that I might mistype something if I’m not on my own computer at home. With Firefox, I’m covered, but elsewhere, it could be critical for me to get in, and I don’t want to have to wait 30 minutes just to get into my own site.
Hi Mitch,
Thanks for making me cringe thinking about my blog hack. Although it didn’t quite qualify as a real hack, the fear is always there as I’ve also been hacked on my email account right before my very eyes. There are just too many people out there who choose to use their good skills for the wrong purpose. There is never enough protection for anything nowadays. But your plugin sounds good to take a look at.
-Peter
.-= Internet Home Business´s last blog ..My Google Adsense Crossed $100/mth: 7 Things I learned =-.
Didn’t want to make you cringe, Peter, but it just stuck in my mind when it happened to you and Yan, and when I learned about this plugin I just needed to tell everyone about it. Speaking of things, have you ever upgraded your WordPress? I see above in my Admin that they’re just releasing 2.9.
No Mitch, since that last failed upgrade attempt I have never tried to do any more upgrades. I’m happy with my old version and just don’t want to take any risk doing so. I can live without the new features, if any. Like they say “if it ain’t broken don’t fix it”.
.-= Internet Home Business´s last blog ..Challenges Of Starting A Blog =-.
Then you definitely need to use that plugin, and you should check out the others that were in this post, though with you using the older version they might not all work for you. The reason I upgraded to 2.8.4 to begin with was suddenly there was a rash of blogs being hacked, and some of them were major players who decided not to upgrade. I’m just not taking that kind of risk.
Never tried it before, but I think it’s such a good plugin.
By the way, I suggest you also limit the IP addresses from which people can log in to your account.
Affan, I don’t know enough to know how to do that; I would if I knew how. As to the other, in the last 2 days I’ve been notified of 5 attempts to break into this blog, and the plugin has stopped each one of them. I now trust this plugin immensely!
I just came over from wassup blog, where he was making reference to your site.
This plugin is quite essential; every blogger should have it or some other form of protection.
Definitely Mex. In the last week I’ve had attacks on both fronts, some trying to get in through my password, and some trying to get in other ways that Sire was talking about. Too bad these people don’t just find legitimate work.
I left a comment on the ComLuv network back in 2013, when Andy was discussing blog security:
“I use Limit Login Attempts and max out the lockout period, effectively banning the IP without having to do anything else:
————————-
1 allowed retries
30 minutes lockout
1 lockouts increase lockout time to 9999 hours
9999 hours until retries are reset
———————
9,999 hours = 416 DAYS! A virtual ban, even if lockout time runs concurrently number of hours until retries are reset (I was never sure about the difference between the two. I think it matters more when you allow multiple retries.)
Also, I would like to suggest to all your readers that, in addition to changing admin, you should NOT use your posting name as your UserName. Since WordPress does not allow you to change your UserName, this tip is more useful for new blogs: make UserName as difficult as possible and use RoboForm or LastPass to remember your login credentials. Your posting name is the Display Name, which is on your profile.”
I still use it and, I agree, it’s great at blocking brute-force attempts.
Cheers,
Mitch
That’s great stuff Mitch! I thought about going for the absolute but wondered if the plugin would handle it based on defaults and such. I think most people should give at least 2 attempts in case they know how to get into their own sites but might make a typo.
No one told me about the name thing, but in 2011 I finally realized I needed to change to my name instead of calling myself Admin. I didn’t even know I could do it until that point but I’m glad I finally changed it up. That’s another great tip for everyone to follow; thanks again!
You’re welcome. Yeah, I stumbled onto the name thing late in the game, when another security plugin suggested it. From then on, all my WordPress installations have “security by obscurity” enhancements. LOL — Purists pooh-pooh such things, but, in conjunction with other best practices, security by obscurity is not a bad thing.
Cheers,
Mitch
Whereas I want people to know my name, even if I never end up doing anything because of it 🙂
I thought I had this plugin on Wassup but I don’t. I do have it on some of the other blogs and I remember installing it on them on the recommendation of the tech guys when my usage went up due to too many login attempts.
May have to install it on Wassup and my Sports Betting site as well.
I’m surprised you didn’t have it also, especially since you’d commented on the article when I originally posted it. At least you know about it & know how well it works. 🙂
Hi Mitch,
I’ve used this plugin in the past and I loved how easy it was to set up. I never thought about putting 4500 on the minutes they had to wait to log back in.
Most people don’t think about these kind of website issues, until it’s too late. Thanks for taking the time to write it and show us how you set yours up.
Have a great one.
– Susan Velez
Thanks for reading & commenting, Susan! I know what you mean by people waiting. I did all this stuff early into my blogging but I still missed the thing about removing themes I wasn’t going to use. That’s how I got exploited back in ’14. It’s hard thinking like the bad guys, isn’t it?
You’re right, hackers aren’t always attacking specific people so it’s best to be as safe as one possibly can be.