Both the free and premium versions of Wordfence will limit login attempts to help protect your WordPress site. The default options are good for many small websites, but it’s worth reviewing and tweaking them for your own needs.
This article runs through every option and gives tips on the best settings for different scenarios.
Table of Contents
How To Limit Login Attempts With Wordfence
If you’re new to Wordfence, you may be wondering how to find the settings to limit login attempts. They’re under the Brute Force Protection section.
Open the Firewall page, and you’ll see the link to manage the settings under the Brute Force Protection block.
This link opens the Firewall Options page and automatically scrolls down to the Brute Force Protection section.
Basic protection is turned on by default so you are protected right out of the box. The only question is whether you want to change the default settings and/or turn on some extra options.
Wordfence Default Settings For Limiting Login Attempts
The default settings in Wordfence are:
- 20 failed login attempts within 4 hours before locking the IP Address
- 20 forgot password requests within 4 hours before locking
- Block transgressors for four hours
You may be thinking that twenty attempts are a lot! And they only get blocked for a few hours? Why not give them ice cream while they cool their heels in the naughty corner!
Maybe you could get a little more aggressive. But before you rush to do so, read our next section. You may be surprised at how often your content editor mistypes her login!
And there are a couple of options that are disabled by default. I usually enable the option to block specific usernames (e.g. “admin”). I’ll get to this in a later section.
Your type of website will play a big part in how aggressive you should be with these settings. I’ll start with the kind of website that can break out a bigger ban hammer: the one-person websites. And no, I don’t mean sites that get one visitor.
Wordfence Login Settings For One-Person Websites
In this scenario, you are the only person logging into WordPress to maintain the site and add content. That doesn’t mean there is only one registered user. You may use multiple logins for different content.
Some administrators get really aggressive here. They change the defaults to something like this:
Failed logins | 2 attempts |
Forgot Password | 2 attempts |
Lockout Time | 1 month |
Reasons why you may not want to be so aggressive
This is my major warning for you: you will have a major headache if you block yourself by mistake. Particularly if you set the lockout time to one month.
First, I advise that you use a password manager with these kinds of settings. Otherwise, fat fingers are gonna get ya!
Secondly, I definitely wouldn’t get this tough if I couldn’t access my WordPress site via FTP to unblock myself. We will have a separate article on this (coming soon).
Other login settings for solo websites
The aggressive administrators turn on the setting to block the IP of users who sign in as some specific usernames e.g. admin. This is because they remove that login from their sites. So, they’re hardly likely to wake up in sleepy mode and mistakenly try to log in as “admin”.
They also enable the option to block IP addresses that try to log in with a user name that doesn’t exist on your site.
But you should think twice about this if you have more than one website and use different logins on each site (as I recommend you should). If you use a password manager, this isn’t such a worry.
Wordfence Login Settings For Websites With Several Admins, Editors Or Authors
You may have one administrator login, but allow several people to publish content through your WordPress installation.
So, here’s the problem. You may have a perfect record for never mistyping your login or password. Go, you! But you are very rare indeed.
If you get aggressive with the settings, you may be constantly dealing with requests to unblock your team to allow them to do their work.
Your decision will probably depend on the other people using the site. If you’re all tech types who use password management tools religiously, then you can set a high barrier.
But what if you have content writers who aren’t super-technical? Here’s a reasonable set of options:
Failed logins | 5 attempts |
Forgot Password | 2 attempts |
Lockout Time | 24 hours |
Other login settings for websites with a small number of logins
Should you enable the option to block IP addresses if they use an invalid username? (i.e. a login that doesn’t exist on your site).
Well, mistyping is a common mistake. You can ask the other users if they use a password management tool. If they look at you blankly, then I wouldn’t enable this option.
I always like to set a block list of user names. None of my content writers should be trying to log in as “admin” or “test”.
Wordfence Login Settings For Membership Websites
Are you using WordPress to run a membership website? Your users may write their passwords on sticky notes and mistype them a dozen times.
I think the default settings are pretty good for this type of site, although 20 attempts are very liberal. I’m a member of several sites that use something like this
Failed logins | 10 attempts |
Forgot Password | 10 attempts |
Lockout Time | 1 hour |
The “forgot password” setting may still seem high. But the confirmation emails often end up in people’s spam folder. And they assume that there’s some kind of delay and repeatedly click the link. Hopefully, by the time they get to ten attempts, they’ve realized what’s going on.
Why Bother Blocking Invalid Usernames in Wordfence?
You may wonder why you’d enable the “invalid username” option when the standard 20 failed login attempts will block these IP addresses anyway.
The reason to turn on this setting is to protect your website’s performance.
Every login attempt means that your website connects to the WordPress database and runs a query to check that this is a valid user/password combination. A single request is a tiny use of resources. But if your site is regularly attacked by bots, this option is worth turning on.
Think about it like this. If a bot is sending 20 attempts within a minute (the standard blocking setting), this option will reduce the load by 95%.
You may be wondering how you know if your site is getting overly targeted by bots. We have a companion article on using Wordfence to block bots. There is a specific section that shows you how to use the Wordfence Live Traffic View to review traffic.
Blocked Usernames in Wordfence
Wordfence gives you a box where you can enter a list of usernames that lead to an immediate IP block from a login attempt.
If you use it, don’t forget to enable the option too! It’s disabled by default.
When you review your blocked traffic, you’ll see “admin” appear very frequently in the attempts. This is because this login comes with the default installation of WordPress.
It’s good practice to add a different administrator login and remove the standard admin username. And now with Wordfence, you can chuck “admin” into the box and enable the settings.
But it’s not just admin that bots love to use. They also know that many sites may have a “test” username. Other sites carefully remove the “admin” login, and create a new login called “administrator”.
Here is a list of dodgy logins that I use: admin, administrator, root, test, testing, testuser, wplogin, wpwriter
You can compile your own from reviewing the blocked lists. You may see clever bots that grab your domain name and tack “user” or “login” after it. So, you can throw those types of logins into the ban box too.
Alternative Solutions
There are other WordPress plugins that will limit login attempts. Some do only this one thing and are more lightweight than WordFence.
You may start with another plugin that exclusively limits logins, and then later install WordFence. You should remove the alternative tool, as it’s a waste of resources to have two tools that provide the same function.
As your website gets to a high volume of traffic, you should review whether a server-level solution is better for performance. A utility like Fail2Ban would be a common choice for this. The set-up requires a little bit more technical expertise than you need with Wordfence.