Limit Access Attempts from a Particular IP Address in WordPress

Login LockDown allows you to limit the total number of access attempts to your blog’s dashboard from a particular IP address or an IP range. The plugin records every IP address that repeatedly tries and fails to log into your dashboard, along with the timestamp of each failed login attempt.

The plugin is very useful when someone is trying to guess the password of a user account in your installation using brute-force or dictionary attacks, or when someone is trying to take down your whole account/server with a DDoS (Distributed Denial of Service) attack on your site’s /wp-admin/ or /wp-login.php pages.

Once you have installed the plugin, go to Settings >> Login Lockdown and you will be able to set the following options for it:

  • Maximum value for Login Retries: The number you enter in this field is the maximum number of login retries allowed for a particular IP address or range. When an IP address exceeds this value, the plugin automatically locks down further login attempts from that IP address.
  • Retry Time Period Restriction (in minutes): The number you enter in this field is the time period, in minutes, over which failed login attempts are counted before a lockdown occurs for an IP address.
  • Lockout length (in minutes): The number you enter in this field determines the maximum duration of the block for an IP address or range once a lockdown has been triggered. If your blog/server is currently under attack, it is highly recommended that you enter a higher value in this field.
  • Lockout Invalid User Names: If someone or some bot keeps trying to log into your installation with a username that doesn’t exist, the plugin ignores those login attempts from that IP address or range and a lockdown is not triggered. This is the default behavior of the plugin; to override it, select YES for this option and click the save changes button. Keep in mind that if you misspell your own username by mistake, the plugin may then lock you out of your own blog!
  • Mask Login Errors: Whenever someone tries to log in to your dashboard and the attempt fails, the CMS shows a message explaining why the attempt failed. This option allows you to hide these reasons for failed login attempts.
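
To see how the first four settings interact, here is a small Python model of the lockout logic. It is an added example, not the plugin's own code: the class, method names and default values are assumptions, it tracks single IP addresses rather than ranges, and it assumes a lockdown starts when the failure count reaches the maximum.

```python
from collections import defaultdict, deque

class LockoutModel:
    """Model of the settings above; all names and defaults are assumptions."""

    def __init__(self, max_retries=3, retry_minutes=5, lockout_minutes=60,
                 lock_invalid_users=False, known_users=("admin",)):
        self.max_retries = max_retries
        self.window = retry_minutes * 60
        self.lockout = lockout_minutes * 60
        self.lock_invalid_users = lock_invalid_users
        self.known_users = set(known_users)
        self.failures = defaultdict(deque)  # ip -> times of counted failures
        self.locked_until = {}              # ip -> time the block expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def failed_login(self, ip, username, now):
        """Record one failed attempt; return True if the IP is locked out."""
        if self.is_locked(ip, now):
            return True
        # Default described in the article: failures for usernames that do
        # not exist are ignored unless "Lockout Invalid User Names" is on.
        if username not in self.known_users and not self.lock_invalid_users:
            return False
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_retries:  # assumption: lock on reaching the max
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def release(self, ip):
        """Manual unblock, as with the Release Selected button."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)

def replay(model, events):
    """Feed (seconds, ip, username) failed logins; return lock state after each."""
    return [model.failed_login(ip, user, t) for t, ip, user in events]

# Constructed sample events (documentation-range IP), not real log data.
EVENTS = [(t, "203.0.113.7", "admin") for t in (0, 60, 120, 200)]
print(replay(LockoutModel(), EVENTS))
```

Replaying the same events against models with different settings shows which option decides whether a given address ends up blocked.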

Once everything is set, click the Update settings button and the plugin will work silently in the background. When an IP address reaches the maximum value for login retries, a lockdown is triggered and that IP address will see the following error on the login page:

We are sorry, but this IP range has been blocked due to too many recent failed login attempts. Please try again later.

You will also be able to see a list of all locked-out IP addresses at the bottom of the plugin’s settings page, along with the amount of time left before each IP block is removed. If you’d like to manually remove an IP address from the list, check the box next to that IP address and click the Release Selected button.

Important Note: This plugin may conflict with other security plugins that are also capable of blocking the IP address of a rogue computer/network or a web bot. You should be extra careful if you are going to install a plugin with similar functionality. Also, if a trusted third-party service tries to log in to your installation using wrong credentials, this plugin may block its server’s IP address too.