Get a Quote
Menu Close
Home / Blog / WP SECURITY

How to Handle and Record WordPress Failed Login Attempts

| updated:
Article author
Nikita Spivak
CEO at IT Monks Agency
Our related services

Your team spent months creating an outstanding website for your project. Getting it hacked is the last thing that you want to face. With a growing number of security breaches taking place worldwide today, a significant part of security attacks is aimed at WordPressWordPressOpen-source content management system (CMS) that allows users to create and manage websites and blogs.
More About WordPress websites. Attackers may target different areas of your site. However, one of the most common ways to access sensitive data of your site and details about your clients is the login page. WordPress failed login attempts are the most significant alert pointing out that something goes wrong.

Some website owners don’t pay much attention to WordPress failed login notifications. Some think they have enough technical and coding skills that they can fix everything. However, it’s vital to apply the maximum effort to keep your site secure and protect sensitive data from attacks. How can you do it? Let’s explore how you can enhance your site’s security system and minimize the risk of being hacked due to multiple WordPress failed login attempts. 

What is a WordPress Failed Login Attempt?

WordPress failed login attempt is displayed when a person tries to log in to the admin area too many times but enters the wrong login or password details. Even when a person enters the right login details after several wrong attempts, WordPress won’t let you in after a certain time. It’s the default security feature that is integrated into WordPress to keep websites more protected against hacking and data breaches. 

A single failed login attempt won’t affect your site. However, when hackers start entering one wrong login and password after another, they consume excessive amounts of bandwidthBandwidthThe maximum amount of data that can be transmitted over an internet connection in a given amount of time.
More About Bandwidth that can bring your site down. Hackers do not attack websites manually. They use bots that are attacking websites at random while attempting to hack websites with weak login credentials. 

A website owner may not notice the WordPress failed login attempt right away. As a rule, they get very surprised on seeing WordPress failed login attempts logsLogsRecorded events and actions that occur within a website or application.
More About Logs on your site. To protect your site against security breaches and the risk of targeted attacks, let’s see what steps website owners can take to secure themselves online.

How to Handle Multiple Failed Login Attempts

Making your WordPress site safer and better protected against any sort of malware is easier than you think. You may not have any advanced technical or coding skills to implement WordPress security practices and tools on your site. Let’s take a closer look at the time-tested and easy-to-learn WordPress security hacks. 

Set the Limit of Login Attempts

It seems to be a logical step, but many website owners forget to implement it on their websites. By default, WordPress allows an unlimited number of login attempts. You can change that by setting the limit. It’s up to you to decide how many attempts a user can make to access the admin panel of your site. For example, you can allow three attempts maximum until WordPress blocks the possibility of many more login attempts to your site.  

To set the limit of WordPress login attempts, you can follow any of the two following scenarios: 

  • Using a pluginPluginA piece of software that can be easily installed and activated on a CMS platform to enhance its capabilities.
    More About Plugin    . Limit Login Attempts Reloaded is a free WordPress plugin that helps you prevent brute-force attacks and optimize the number of login attempts through the regular WordPress login page, XMLRPC, WoocommerceWooCommerceA free, open-source e-commerce plugin for WordPress.
    More About WooCommerce    , and custom login pages. The plugin modifies your WordPress site to block either a specific username or the IP addressIP AddressInternet Protocol address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
    More About IP Address     from making further login attempts to your site once the limit was reached.
  • Using a WordPress host. You can limit the number of login attempts with your hostingHostingThe process of storing and serving website files on a remote server, making them accessible to visitors around the world.
    More About Hosting     provider. WP Engine replaced the Limit Login Attempts plugin with their proprietary security feature more than 6 years ago. 

Use Secure Login Credentials

Start with taking some fundamental security steps. The most common mistake that many users make is using such basic usernames as admin or test. It puts your site at risk of brute force attacks. While using a custom login name and a password that incorporates both uppercase and lowercase letters, special characters, and numbers you can make it more difficult for hackers to guess the right login details.  

Besides, you may consider blocking IDs of users who made several attempts to log in to your website but failed. It lets you significantly decrease the chances of your site being hacked after bots keep on attacking your site and doing the guesswork with the passwords. 

Enable Two-Factor Authentication

The two-factor authentication is one of the best ways to ensure that your website won’t be reached by unexpected guests. By doing so, you can add an extra security layer to your site’s login page. The two-factor authentication is already used by email software, social media platforms, eCommerce platforms, and other web-based projects. It sends a unique code to the user’s phone or email address.

We have already spoken about two-factor authentication in one of the previously published blog posts. Check it out to learn how to enable the function on your site and what plugins will come in handy to you for this purpose. 

Use the Latest WordPress Version

According to the statistics shared by WordPress, less than half of all WordPress sites that are available on the web today use the latest version of the CMSCMSA content management system is software aiding users to create, manage, and modify website content.
More About CMS. The older WordPress version your site uses, the higher is the risk that your site will become an easy target for unauthorized users. 

WordPress is the leading CMS with frequent software updates, which aim to make your website a safer place. While using the latest WordPress version on your site, you can improve its performancePerformanceRefers to how fast a website or web application loads and responds to user interactions.
More About Performance, focus on its privacy and security, and your site’s usabilityUsabilityThe measure of a product’s effectiveness, efficiency, and satisfaction for its intended users.
More About Usability. WordPress updates are frequently released to target the latest security threats, so using the latest version of the CMS on your site is one of the main practices that will help you resist hacking attacks. 

Use a Secure WordPress Hosting

The security of your web hosting provider plays a significant role in taking care of your WordPress site’s protection. Taking care of the security of your website, it’s also important to take care of the security of your hosting provider. 

Have you considered the safety of your web host when you were choosing one for your site? If not, check it out right away. If you do not feel certain that the host guarantees the proper security level for your site, then migrating to a safer one is a necessity. Opting for a reliable WordPress hosting provider with robust 24/7 support lets you protect your personal information and avoid any sort of security issues that you may face. Different hosting providers offer different online security options. Keep it in mind while choosing a WordPress host.  

Use VPN to Access WordPress Admin Area 

A virtual private network is one of the first-line defenses when it comes to protecting yourself and your online resource against security breaches. Using a VPNVPNVirtual Private Network allows you to establish a secure and encrypted connection between your device and the internet.
More About VPN you can safeguard your login credentials before you go online in a public place. It lets you operate in the encrypted channel between the user and the internet. Thus, VPN hides your loin details from hackers and spies and lets you safely work on your site. 

Other Security Considerations

Besides using secure hosting and applying security hacks to your website, WordPress failed login attempts are not the only issue that you should care about. The systems that keep your site up and running should be well-protected as well. It includes using cybersecurityCybersecurityIt involves defending computers, servers, mobile devices, electronic systems, networks, and data from digital attacks.
More About Cybersecurity software development kits and APIs that track your site’s performance and record security bugs and other issues that can harm your site’s performance. 

It’s also vital to access your site’s admin area via a safe Internet connection. It means that using free public WiFi hotspots in cafes, librariesLibrariesCollections of pre-written code and functionalities that developers can leverage to streamline their development process.
More About Libraries, and other public places is unacceptable. 

How to Record Failed Login Attempts History 

Besides following the steps described above, keeping a record of failed WordPress security attempts is one of the best ways to protect your site’s admin area against hacking attacks. There are many WordPress plugins that you can use for this purpose. Still, the WP Activity Log plugin is the indisputable leader, with more than 100,000 active installations. Let’s see how you can keep a log of failed WordPress logins using the WP Activity Log plugin. 

Once you install and activate the plugin on your site, you will be able to keep track of ​​everything that happens on your web resource, especially if you are running a multi-user site. 

The plugin keeps track of such events as: 

  • Post, Page and Custom Post Type changes;
  • Tags and Categories changes;
  • Widgets and Menus changes;
  • User changes (when a new user was created or registered, deleted or added to a site on multisite network);
  • User profile changes;
  • User activity (login, logout, failed logins and terminating other sessions);
  • WordPress core and settings changes;
  • WordPress multisite network changes;
  • Plugins and Themes changes;
  • WordPress databaseDatabaseAn organized collection of data, typically stored electronically.
    More About Database     changes;
  • Changes on WooCommerce Stores & products, YoastYoastA plugins designed to assist in optimizing websites for search engines and improving their on-page SEO practices.
    More About Yoast     SEOSEOSearch Engine Optimization involves optimizing various website elements to make it more attractive to search engines like Google, Bing, and Yahoo.
    More About SEO    , WPForms, Gravity Forms, Advanced Custom Fields (ACFACFAdvanced Custom Fields is a WordPress plugin designed to simplify adding and managing custom fields within WordPress.
    More About ACF    ), MainWP and other popular WordPress plugins.

The plugin keeps a record of such events as:

  • The date and time of when the last failed login happened;
  • The source IP address of the computer/device from where the failed login happened;
  • The number of failed logins;
  • The WordPress user in case of alert 1002, as seen in the below screenshot.

Failed login attempts are the common thing for every web resource that you can find on the web. Some users may mistype their login or password details. Some other may simply forget their login credentials. In the worst scenario, a failed login attempt may be caused by a hacker trying to guess the login details on your site. 

It’s a pretty normal activity that you shouldn’t feel too much worried about. There is no reason to spend days and nights watching after the user activity log and failed login attempts on your site, However, it’s important to receive alerts when non-existing users are trying to reach your site’s admin area. For this purpose, the WP Activity Log differentiates two different alerts:

  • Alert 1002: WordPress user failed login
  • Alert 1003: failed login for non-existing username (meaning that someone was trying to log in to your site under the username that doesn’t even exist). 

While having two different failed login event IDs, you can easily find the needed WordPress failed activity log to block IP addresses or pay more attention to users’ behavior. Additionally, you can set up email notifications to receive alerts when fraudulent activities are taking place on your site.

The WP Activity Log plugin can be configured according to your specific needs. By default, it records up to ten failed login attempts for every IP address. The same rule is applied to failed login attempts made by the existing users and those that are not available in your database. The limit is set to ten records to avoid hogging web serverWeb ServerHosts and delivers web pages.
More About Web Server resources in case of brute force attacks. It’s expected this would be enough to alert the website administrator about fraudulent login behavior on the site. 

However, you can set another limit if you wish to. If you want to keep track of more or fewer failed login attempts, apply the following configurations in the plugin settings: 

  • Login to your WordPress dashboard;
  • In the WP Activity Log plugin’ menu, find the Enable/Disable Events node;
  • Locate the Alert ID 1002 and Alert ID 1003 and enter “0” for both IDs if you want to record unlimited failed login attempts. 
  • When there is a failed login attempt for a non-existing username, the system records the IP address, date, time, and the number of failed login attempts that a user has made. 

By default, the plugin keeps a log of all failed login attempts to your site. The logs will be kept in your database and you can download the list anytime you wish. To download the file, navigate to the messages section and locate the “Download the log file” from there. Don’t hesitate to block users or IP addresses when you notice something strange. 

Bottom Line

WordPress is a popular content management system that lets even non-techies launch their web resources without worrying too much about the coding tasks. However, the impressive demand in using WordPress for small to large-sized online resources makes it a more appealing target for hackers. To avoid the risk of being hacked, it’s vital to take the needed security measures to keep track of different activities taking place on your site. WordPress failed login attempt is one of them. 

While keeping a record of failed login attempts logs, a website administrator is warned about the fraudulent attacks on the site. It may also mean that one of the users (if we are talking about a multi-user website) has forgotten his or her login details and needs your help. Whatever is the case, pay attention to implement the aforementioned WordPress security tips and rest assured that your website is properly protected.

Let’s discuss your project
Get quote
More Articles by Topic
View all
How to Restore WordPress From Backup
restore wordpress from backup
​​If you are running a website, you should have a “plan B” for any unforeseen situation. Like keeping a fresh…
How to Back up WordPress Files – 3 Methods Explained
How to Backup WordPress Files
WordPress backup is made up of two parts: database and file backups. It’s recommended to create a full website backup…
WordPress Database Backup Guide
WordPress Database Backup
Running a website can be tricky. Have you ever made changes you wish you hadn’t? Or did you install an…

Contact

Feel free to reach out! We are excited to begin our collaboration!
Alex Osmichenko
Alex
Business Consultant
info@itmonks.com
Reviewed on Clutch

Send a Project Brief

Fill out and send a form. Our Advisor Team will contact you promptly!

    Note: We will not spam you and your contact information will not be shared.