Protect WordPress with Limit Login Attempts Code Snippet

Explanation

This code helps protect your WordPress site from brute force attacks by limiting the number of login attempts a user can make. Here's how it works:

  • Session Start: It begins by starting a session if one hasn't already been started. This is necessary to keep track of login attempts.
  • Max Attempts: You can set a maximum number of login attempts (in this case, 5). If a user exceeds this number, they will be temporarily locked out.
  • Lockout Duration: The lockout period is set to 15 minutes. During this time, the user cannot attempt to log in again.
  • Login Check: Each time a login is attempted, the code checks if the username and password are correct. If not, it increments the attempt count.
  • Successful Login: If the login is successful, the attempt count is reset to zero.
  • Lockout Check: If the user is locked out, they will see a message telling them how long they need to wait before trying again.
  • Session Reset on Logout: When a user logs out, their session data related to login attempts is cleared, allowing them to start fresh next time.

This approach helps to secure your login page by capping repeated login attempts from one session, which is the basic mechanism of a brute force attack.

Code

<?php
// Opening tag for a standalone plugin file. If you paste this at the end of a
// functions.php that is already inside PHP code, omit this line.

// Add action to initialize the login attempt limiter
add_action('init', 'wp_dudecom_limit_login_attempts');

function wp_dudecom_limit_login_attempts() {
    // Start a session if none is active; the attempt counter lives in $_SESSION.
    // Note: a counter keyed to the session only limits clients that keep sending
    // the same session cookie; a client that discards it starts with a fresh count.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // Set the maximum number of login attempts
    $max_attempts = 5;
    // Set the lockout duration in seconds (e.g., 15 minutes)
    $lockout_duration = 15 * 60;

    // Only act on an actual login form submission
    if (!isset($_POST['wp-submit'])) {
        return;
    }

    // Check the lockout before the submitted credentials are evaluated,
    // so a locked-out session cannot keep testing passwords
    if (isset($_SESSION['lockout_time'])) {
        $time_since_lockout = time() - $_SESSION['lockout_time'];

        if ($time_since_lockout < $lockout_duration) {
            wp_die('Too many login attempts. Please try again in ' . ($lockout_duration - $time_since_lockout) . ' seconds.');
        }

        // Reset lockout after the duration has passed
        unset($_SESSION['lockout_time']);
        $_SESSION['login_attempts'] = 0;
    }

    // WordPress adds slashes to $_POST before 'init' runs, so unslash first
    $username = isset($_POST['log']) ? sanitize_user(wp_unslash($_POST['log'])) : '';
    $password = isset($_POST['pwd']) ? wp_unslash($_POST['pwd']) : '';

    // Check if the login attempt is valid
    if ($username !== '' && $password !== '') {
        $user = wp_authenticate($username, $password);

        if (is_wp_error($user)) {
            // Increment the login attempt count
            if (!isset($_SESSION['login_attempts'])) {
                $_SESSION['login_attempts'] = 0;
            }
            $_SESSION['login_attempts']++;

            // Lock the session once the maximum number of attempts is reached
            if ($_SESSION['login_attempts'] >= $max_attempts) {
                $_SESSION['lockout_time'] = time();
                wp_die('Too many login attempts. Please try again in ' . $lockout_duration . ' seconds.');
            }
        } else {
            // Reset the login attempt count on successful login
            $_SESSION['login_attempts'] = 0;
        }
    }
}

// Add action to clear session on logout
add_action('wp_logout', 'wp_dudecom_clear_login_attempts');

function wp_dudecom_clear_login_attempts() {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    unset($_SESSION['login_attempts']);
    unset($_SESSION['lockout_time']);
}
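As an added example (not the snippet above and not wp-dude.com's code), the same limit implemented with WordPress core hooks and transients instead of the PHP session, so the counter is stored server-side and keyed by client IP plus username rather than by a cookie the client controls. The constant and function names are this example's own choices, and it assumes REMOTE_ADDR is the real client address.

```php
<?php
// Added example: lockout keyed by client IP + username, stored in WordPress
// transients (server-side) rather than the PHP session. Names are hypothetical.
const WPD_MAX_ATTEMPTS    = 5;        // failures allowed before lockout
const WPD_LOCKOUT_SECONDS = 15 * 60;  // lockout length: 15 minutes

// Transient key for one client/username pair. Assumes REMOTE_ADDR is the real
// client address; behind a reverse proxy it would be the proxy's address and
// every visitor would then share a single counter.
function wpd_attempt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpd_login_' . substr( hash( 'sha256', $ip . '|' . strtolower( $username ) ), 0, 32 );
}

// Refuse authentication while the pair is locked out. Priority 30 runs after
// core's credential checks (priority 20), so the reply is the same whether or
// not the submitted password was correct.
function wpd_block_locked_out( $user, $username, $password ) {
    if ( $username === '' ) {
        return $user;
    }
    $state = get_transient( wpd_attempt_key( $username ) );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        $wait = $state['locked_until'] - time();
        return new WP_Error( 'wpd_locked_out', sprintf( 'Too many login attempts. Please try again in %d seconds.', $wait ) );
    }
    return $user;
}
add_filter( 'authenticate', 'wpd_block_locked_out', 30, 3 );

// Count a failure and start the lockout on the Nth one. Core fires
// wp_login_failed for the lockout error too, so an already locked pair is left
// alone rather than having its window extended on every blocked attempt.
function wpd_record_failure( $username ) {
    $key   = wpd_attempt_key( $username );
    $state = get_transient( $key );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        return;
    }
    $count        = ( is_array( $state ) ? (int) $state['count'] : 0 ) + 1;
    $locked_until = ( $count >= WPD_MAX_ATTEMPTS ) ? time() + WPD_LOCKOUT_SECONDS : 0;
    // The transient expires with the lockout window, so stale counters clear themselves
    set_transient( $key, array( 'count' => $count, 'locked_until' => $locked_until ), WPD_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'wpd_record_failure' );

// A successful login clears the counter for that pair.
function wpd_clear_on_login( $user_login ) {
    delete_transient( wpd_attempt_key( $user_login ) );
}
add_action( 'wp_login', 'wpd_clear_on_login' );
```

Because the state lives in transients, a locked-out pair stays locked even if the client clears its cookies or opens a new browser, which the session-based version above cannot guarantee.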

Instructions

To implement the code for limiting login attempts and protecting your WordPress site from brute force attacks, follow these steps:

File Location: Add the code to your theme's functions.php file or create a custom plugin file.

Prerequisites: No additional plugins or settings are required.

Implementation Steps:

  1. Access Your WordPress Files: Use an FTP client or your hosting provider's file manager to access your WordPress installation files.
  2. Locate the File: Navigate to wp-content/themes/your-theme-name/ and open the functions.php file. Alternatively, create a new PHP file in wp-content/plugins/ if you prefer to use a custom plugin.
  3. Add the Code: Copy the provided code and paste it at the end of the functions.php file or your custom plugin file.
  4. Save Changes: Save the changes to the file and ensure there are no syntax errors.
  5. Test the Implementation: Log out of your WordPress site and attempt to log in multiple times with incorrect credentials to test the lockout functionality.
  6. Verify Lockout Message: After exceeding the maximum number of attempts, ensure that the lockout message appears, indicating the remaining lockout duration.
  7. Check Successful Login: Log in with correct credentials to verify that the login attempt count resets.

This implementation helps secure your WordPress login page by limiting the number of login attempts and imposing a lockout period after repeated failures.

If you need assistance with this implementation or require more advanced functionality, consider reaching out to the experts at wp-dude.com.