What is the Failed Logins Policy, and how does it work in WordPress?

When enabled, Melapress Login Security’s Failed Logins Policy will limit login attempts. Should a user reach the configured number of failed login attempts within a period of time, their account will be locked.

Once a user is locked out, any further login attempts are met with a warning until an administrator manually unlocks the user or, if configured, until a configurable amount of time has passed, after which the user can try to log in again.

Why is this policy required?

Allowing users an unlimited number of login attempts, regardless of previous failures, leaves your site open to attacks such as password guessing. It is therefore crucial to take this into consideration when thinking about your website’s security.

With Melapress Login Security in place, any user who exceeds their login attempt limit will have their account blocked, leaving you in control of when they can access your site again.

Enabling the Failed Logins Policy

The Block Failed Logins Policy limits login attempts and, like all the other policies, can be configured site-wide or per user role.

Configuring the policy is simple. To begin, enable the policy by checking the Enable Failed Login Policies checkbox. This makes the policy's settings available for configuration.

Configuring the Failed Logins Policy

There are a number of parameters you can configure in this policy:

Number of log in attempts before locking a user: This is the number of attempts a user is allowed to try to log in to the website, before being locked out.

Time period required to reset the failed login counts: How long the plugin keeps a record of failed login attempts, in minutes.

When a user is locked: When configuring this policy, you can also specify whether locked users can only be unlocked by an administrator, or whether they are unlocked automatically after a configurable number of minutes. By default, the site administrators have to manually unlock the users from the Locked Users tab. If you want locked users to be automatically unlocked after a specific amount of time, check the unlock it after setting and specify the number of minutes.

Require blocked users to reset password to unblock: Finally, as an added security measure, you can require users who have been unblocked to reset their password during their next login.

[Screenshot: WordPress failed login policy settings]
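To see how the four settings above interact, here is a small Python model of the policy. It is an added illustration, not Melapress Login Security's own code: all names are hypothetical, times are plain minute counters, and it assumes a sliding window for the failed login count, that a successful login clears the count, and that the account locks when the configured number of failures is reached.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Policy:  # hypothetical names mirroring the settings described above
    max_attempts: int = 5                      # attempts before locking a user
    reset_minutes: int = 60                    # how long a failure is remembered
    auto_unlock_minutes: Optional[int] = None  # None = administrator must unlock
    reset_password_on_unblock: bool = False

@dataclass
class Account:
    failures: List[float] = field(default_factory=list)  # failure times, minutes
    locked_at: Optional[float] = None
    must_reset_password: bool = False

def _unlock(acct: Account, policy: Policy) -> None:
    acct.locked_at = None
    acct.failures.clear()
    acct.must_reset_password = policy.reset_password_on_unblock

def admin_unlock(acct: Account, policy: Policy) -> None:
    """Manual unlock, as done from the Locked Users page."""
    _unlock(acct, policy)

def attempt_login(acct: Account, policy: Policy, now: float, password_ok: bool) -> str:
    """Return 'locked', 'ok', 'reset_required' or 'failed:<attempts remaining>'."""
    if acct.locked_at is not None:
        auto = policy.auto_unlock_minutes
        if auto is None or now - acct.locked_at < auto:
            return "locked"  # refused even when the password is correct
        _unlock(acct, policy)  # automatic unlock period has elapsed
    if password_ok:
        acct.failures.clear()  # assumption: success clears the failure count
        if acct.must_reset_password:
            acct.must_reset_password = False  # model: user sets a new password now
            return "reset_required"
        return "ok"
    # Forget failures older than the reset period, then record this one.
    acct.failures = [t for t in acct.failures if now - t < policy.reset_minutes]
    acct.failures.append(now)
    remaining = policy.max_attempts - len(acct.failures)
    if remaining <= 0:
        acct.locked_at = now
        return "locked"
    return f"failed:{remaining}"
```

The model makes one trade-off visible: with automatic unlock enabled, a sustained guessing attack gets at most the configured number of attempts per unlock period, while manual unlock stops it entirely at the cost of administrator effort.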

How does it work for a website user?

With the Failed Login Policies enabled, a user who attempts to log in with a bad password sees the usual failure notice and is also alerted that they have a limited number of attempts remaining.

When a user surpasses the number of allowed failed log in attempts, a lockout notification is shown:

[Screenshot: Failed Logins remaining attempts]

And any subsequent login attempts with that username will be blocked.

[Screenshot: Number of allowed failed login attempts]

From this moment on, the user account is locked and will be visible in the plugin’s Locked Users page. Locked users can be unlocked by using the Unlock button.

[Screenshot: Unlock users]

At this point, the user will be able to log back in as normal, and if you have the Reset password on unblock setting enabled, the user will be required to set a new password upon successful login.