
Another Favorite Plugin – Limit Login Attempts

I can’t believe this wasn’t on my list of favorite WordPress plugins (I’ve since modified the list to include it).

I first installed the Limit Login Attempts plugin some time ago but after forgetting my password a couple of times I disabled it. You see, with so many blogs I don’t always update all of the passwords at the same time. So, by inserting an incorrect password one too many times, I would end up locking myself out of my own blog. Not fun!

Change of Heart

I recently decided to reinstall the Limit Login Attempts plugin. After looking at my traffic logs, I found quite a few IP addresses accessing my WordPress Login screen. It doesn’t take a rocket scientist to figure out why someone besides me is spending time on my Login screen.

By installing the Limit Login Attempts plugin, I’m able to add a layer of protection between would-be hackers and my blogs. The plugin allows me to set the number of login tries before being locked out. I can also configure it to notify me after a pre-set number of lockouts. On some blogs I set the number to 1 and on other blogs to 2.

Several Tier Lockout

After a lockout, the hacker, er, I have 60 minutes or so before I can try again. I’ve actually increased the lockout time to about 6 hours. After that, if anyone gets locked out again, the lockout time is increased to several days. In the meantime, the plugin logs the IP address and the username used when attempting to log in.
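The tiered lockout described above, modelled as an added example (it is not the plugin's own code, which is PHP, and not code from this post). The class and function names are hypothetical, and the thresholds, including 3 days for "several days", are assumed values based on the settings mentioned in the post.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy values, modelled on the settings described in the post.
ALLOWED_RETRIES = 2            # failed tries before a lockout
SHORT_LOCKOUT = 6 * 3600       # first tier: about 6 hours
LONG_LOCKOUT = 3 * 24 * 3600   # later tier: "several days" (3 days assumed)
LONG_AFTER = 2                 # lockout count at which the long tier starts
NOTIFY_AFTER = 2               # notify the admin from this lockout count on

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    locked_until: int = 0
    usernames: set = field(default_factory=set)

class LockoutTracker:
    def __init__(self):
        self.state = defaultdict(IpState)
        self.notifications = []    # (ip, lockout count, usernames tried)

    def failed_login(self, ip, username, now):
        """Record one failed login; return 'retry', 'locked' or 'blocked'."""
        s = self.state[ip]
        s.usernames.add(username)  # log the username even during a lockout
        if now < s.locked_until:
            return "blocked"
        s.failures += 1
        if s.failures < ALLOWED_RETRIES:
            return "retry"
        s.failures, s.lockouts = 0, s.lockouts + 1
        tier = LONG_LOCKOUT if s.lockouts >= LONG_AFTER else SHORT_LOCKOUT
        s.locked_until = now + tier
        if s.lockouts >= NOTIFY_AFTER:
            self.notifications.append((ip, s.lockouts, sorted(s.usernames)))
        return "locked"

# Constructed events (seconds, ip, username); IPs are documentation ranges.
EVENTS = [
    (0, "203.0.113.7", "admin"), (5, "203.0.113.7", "Admin"),
    (60, "203.0.113.7", "webmaster"),      # arrives during the 6 h lockout
    (25200, "203.0.113.7", "admin"), (25205, "203.0.113.7", "webmaster"),
    (100, "198.51.100.20", "editor"),      # a single typo, never locked out
]

def replay(events):
    tracker = LockoutTracker()
    return tracker, [tracker.failed_login(ip, u, ts) for ts, ip, u in sorted(events)]
```

Replaying the constructed events shows the first address moving from the 6-hour tier to the multi-day tier and triggering a single notification on its second lockout, while the address with one mistyped password is never locked out.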

Oh, and to get around being locked out because I forgot the password, I created a second login username and password that is impossible for me to forget. Therefore, if I happen to lock myself out using username #1, I can always use username #2 to gain administrative access and reset the lockout.

Security Layer Number 2

Because my blogs are hosted on HostGator, HostGator provides a feature in their control panel called IP Deny Manager. By adding the questionable IPs to IP Deny’s list, those IPs are denied access to all of my HostGator sites. So, at the end of the day when I receive all of my “too many login attempts” notifications, I gather the IP addresses, log into my HostGator account and add the IPs to the list so those particular hackers won’t be able to access my sites again.

This is not foolproof because if someone truly wants to hack in, they will, but I can’t just sit idly by and watch them gain access to my sites.

A Little Advice

After installing a new blog, always change the username from the default “admin” to something a little less predictable. Each hacking attempt tried using “admin”, “Admin” or “webmaster” as the username.

Maintaining a blog is sort of like gardening. No matter how much you care for your garden, weeds are always ready to take over. You have to weed out the online hackers just as you have to pull weeds from your garden.

10 comments
  • Crystal March 2, 2012, 11:14 am

    Once again, Felicia, I find out how little I know. Have you thought of writing an ebook (not a freebie, of course) detailing your blog management techniques? With your clear writing and methodical approach, it would be invaluable to folks like me! Maybe you could just recycle previous posts for most of the content? I know there’s a wealth of info here on NJFM, but for those of us who don’t even know what we need to know, it would be so cool to have it all in one place. What do you think?

    • Felicia March 2, 2012, 11:19 am

      Crystal, I’ve been thinking of that. I’ve been brainstorming how to share the NJFM info in an organized fashion.

      Actually I have a few more free books that I’m considering.

      • Crystal March 2, 2012, 11:54 am

        Well, free is good, too! But seriously, even if the info is here for the taking, having it organized in an easy-to-read format is worth buying. Either way, I’ll be first in line.:)

  • Samantha March 2, 2012, 6:28 pm

    Great tips! I get so focused on writing that I never think about these more practical necessities. Thank you!

    • Felicia March 3, 2012, 6:44 am

      Samantha, I’m like you. My recent break from writing gave me time to explore a whole lot of other things. One of the things I found out was that folks are spending an awful lot of time trying to hack into WordPress sites.

      I’ve since made modifications to my Limit Login settings. Instead of getting notified of every lockout (there are just too many to manage), I’ve decided to hold off on notification until the second lockout. Additionally, instead of logging into my HostGator cpanel to use IP Deny, I insert the IP into another favorite plugin, WP Ban. This way I can ban them within the WordPress interface.

      Also I increased lockout times all around so the offender doesn’t come back so quickly.

  • L.M. March 3, 2012, 1:25 am

    I’ve locked myself out as well because I have a really strict setting. After the 2nd failed attempt, it is like a month before they can retry….LOL

    I also immediately put the IP Deny Manager in Cpanel.

    If I accidentally lock myself out, I simply log into HostGator and go to the files section (I can’t remember the exact path) and delete the entire plugin from the plugins file for the particular site that I’m locked out of. Takes only a minute to do that.

    This allows me to immediately log in to my WordPress Admin. The plugin has been removed, therefore I’m no longer locked out. I then go and install the plugin the same as I would any plugin. Again, takes only a minute and I’m back in business.

    • Felicia March 3, 2012, 6:50 am

      L.M., like you, I’ve changed my settings so the offenders don’t come back so quickly.

      Uninstalling and re-installing the plugin works too, however, I’ve gotten real lazy. I try to minimize my clicking by setting up a “no-brainer” default user/password. It’s one that’s very difficult for anyone to guess but beyond easy for me to remember.

      So, when I set up a new WordPress installation, I end up deleting the default “admin” account and creating two more. One that I use all the time for posting (provided I don’t lock myself out by forgetting the password), and the other is only used just in case I lock myself out.

  • Laura March 6, 2012, 12:13 pm

    That is a great review and tip on using the plug-in. It always pays to be prepared. It is scary how many hackers are searching for unprotected sites.

    • Felicia March 6, 2012, 2:13 pm

      I’ve also found that by installing WordPress in a directory other than the default, it seems to slow hackers down.

      I have a couple of blogs where I installed WP in a different directory and those are the only blogs without unauthorized login attempts.

  • Opal @ Celebrate Life April 1, 2012, 8:39 am

    That’s a good plug in, I use it with my sites. I have too many passwords to remember, so I use 1Password, so that takes care of that issue. I’ve been using that application for the past five years or so.

    It does more than store/create passwords for you, but initially it’s the main reason I purchased it. At the time, it was only available to Mac users, since that time they’ve created an application for Windows users.
