What is the Failed Logins Policy, and how does it work in WordPress?
When enabled, the Failed Login Policy in the Password Policy Manager plugin blocks further login attempts once a user reaches the configured number of failed login attempts within a 24-hour period.
Once a user is locked out, any further attempt to log in is met with a warning until either an administrator manually unlocks the user or, if so configured, a set amount of time has passed and the user can begin to attempt logins again.
Why is this policy required?
Allowing users an unlimited number of login requests regardless of previous failures is a very easy way to leave your site open to attacks such as DDoS and password guessing attacks, so it is crucial to take this into consideration when thinking about your website’s security.
With the Password Policy Manager plugin in place, any user who exceeds the configured number of failed login attempts is simply blocked, leaving you in control of when they can access your site again.
Enabling the Failed Logins Policy
The Block Failed Logins Policy is a policy that can be configured site-wide or per specific user role, like all the other policies.
Configuring the policy is very simple – to begin, enable the policy by checking the Enable Block Failed Login Policies checkbox. This in turn makes the settings editable.
Configuring the Failed Logins Policy
There are a number of parameters you can configure in this policy:
The number of login attempts before locking the user account: this is the number of attempts a user is allowed when trying to log in to the website within 24 hours before being locked out.
When a user is unlocked: when configuring this policy you can also specify whether locked users can only be unlocked by an administrator, or whether they are unlocked automatically after a configurable number of hours. By default, the site administrators have to manually unlock the users from the Locked Users tab. If you want locked users to be automatically unlocked after a specific number of hours, check the Unlock it after setting and specify the number of hours.
Require password reset after unlocking the user: finally, as one added security measure, you can also require users who have been unblocked to reset their password during their next login.
How does it work for a website user?
With the Failed Login Policies enabled, should a user attempt to log in with a bad password, then in addition to the usual failure notice the user is also alerted that they have a limited number of attempts remaining.
When a user surpasses the number of allowed failed login attempts, a lockout notification is shown:
Any subsequent login attempts with that username are blocked.
From this moment the user is considered blocked and is visible in the Locked Users tab in the plugin’s settings, where they can be unlocked using the Unlock button.
At this point, the user is able to log back in as normal, and if you have the Reset password on unblock setting enabled, the user is required to set a new password upon successful login.
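To make the behaviour of the three settings above (attempt limit within 24 hours, manual or timed unlock, and password reset after unblock) and the user-facing flow just described concrete, here is a small in-memory model of such a lockout policy. It is an added illustration written for this page, not the Password Policy Manager plugin's own code: the class and method names (FailedLoginPolicy, LoginGuard, attempt, admin_unlock, locked_users) are invented, the default values are assumptions, and a real implementation would persist the state in the database rather than in a dictionary.

```python
"""Model of a failed-login lockout policy with a 24-hour counting window.

Constructed as a stand-alone illustration; it is not the Password Policy
Manager plugin's code and it keeps all state in memory only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(hours=24)  # failed attempts are counted within this period


@dataclass
class FailedLoginPolicy:
    max_attempts: int = 5                    # failures allowed in the window (assumed default)
    auto_unlock_hours: Optional[int] = None  # None: only an administrator can unlock
    require_reset_on_unlock: bool = False    # force a new password after an unlock


@dataclass
class UserState:
    failures: list = field(default_factory=list)  # timestamps of recent failed logins
    locked_at: Optional[datetime] = None
    must_reset_password: bool = False


class LoginGuard:
    """Tracks failed logins per username and enforces the lockout policy."""

    def __init__(self, policy: FailedLoginPolicy):
        self.policy = policy
        self.users: dict = {}

    def _state(self, username: str) -> UserState:
        return self.users.setdefault(username, UserState())

    def _unlock(self, st: UserState) -> None:
        st.locked_at = None
        st.failures.clear()
        if self.policy.require_reset_on_unlock:
            st.must_reset_password = True

    def _refresh(self, st: UserState, now: datetime) -> None:
        # Automatic unlock once the configured number of hours has passed.
        hrs = self.policy.auto_unlock_hours
        if (st.locked_at is not None and hrs is not None
                and now - st.locked_at >= timedelta(hours=hrs)):
            self._unlock(st)
        # Drop failures that fall outside the 24-hour counting window.
        st.failures = [t for t in st.failures if now - t < WINDOW]

    def attempt(self, username: str, password_ok: bool, now: datetime) -> tuple:
        """Process one login attempt; returns (status, attempts_remaining)."""
        st = self._state(username)
        self._refresh(st, now)
        if st.locked_at is not None:
            return "locked", 0  # blocked even when the password is correct
        if password_ok:
            st.failures.clear()
            if st.must_reset_password:
                st.must_reset_password = False
                return "reset_required", self.policy.max_attempts
            return "ok", self.policy.max_attempts
        st.failures.append(now)
        remaining = self.policy.max_attempts - len(st.failures)
        if remaining <= 0:
            st.locked_at = now
            return "locked", 0
        return "failed", remaining  # tell the user how many tries are left

    def admin_unlock(self, username: str) -> None:
        """Manual unlock, as done from a Locked Users list."""
        st = self._state(username)
        if st.locked_at is not None:
            self._unlock(st)

    def locked_users(self, now: datetime) -> list:
        """Usernames currently locked out, after applying timed unlocks."""
        for st in self.users.values():
            self._refresh(st, now)
        return sorted(u for u, st in self.users.items() if st.locked_at is not None)


if __name__ == "__main__":
    # Constructed walk-through: three tries, timed unlock after 2 hours, reset required.
    t0 = datetime(2024, 1, 1, 12, 0)
    guard = LoginGuard(FailedLoginPolicy(3, auto_unlock_hours=2, require_reset_on_unlock=True))
    for minute in range(3):
        print(guard.attempt("alice", False, t0 + timedelta(minutes=minute)))
    print(guard.locked_users(t0 + timedelta(minutes=5)))
    print(guard.attempt("alice", True, t0 + timedelta(hours=2, minutes=5)))
```

The model treats the attempt limit as the number of failures permitted inside a sliding 24-hour window, so a failure older than 24 hours no longer counts, and a locked user stays blocked even with the right password until an administrator unlocks them or the timed unlock elapses, at which point the reset flag makes the next successful login demand a new password.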