
What is the Failed Logins Policy, and how does it work in WordPress?


When enabled, the Failed Login Policy in the Password Policy Manager plugin will block further login attempts, should a user reach the configured number of failed login attempts within a 24-hour period.

Once a user is locked out, any further attempts to log in will be met with a warning until either the user is manually unlocked by an administrator or, if so configured, the lockout expires automatically after a configurable amount of time, after which the user can attempt to log in again.

Why is this policy required?

Allowing users an unlimited number of login attempts regardless of previous failures is a very easy way to leave your site open to attacks such as DDoS and password guessing attacks, so it is crucial to take this into consideration when thinking about your website’s security.

With the Password Policy Manager plugin in place, any user who keeps trying to log in with a bad password will simply have their account blocked, leaving you in control of when they can access your site again.

Enabling the Failed Logins Policy

The Block Failed Logins Policy is a policy that can be configured site-wide or per specific user role, like all the other policies.

Configuring the Failed Logins Policy

Configuring the policy is very simple – to begin, simply enable the policy by checking the Enable Block Failed Login Policies checkbox. This in turn will allow the settings to be edited.


There are a number of parameters you can configure in this policy:

The number of login attempts before locking the user account: this is the number of failed login attempts a user is allowed within 24 hours before being locked out.

When a user is unlocked: when configuring this policy you can also specify whether locked users can only be unlocked by an administrator, or whether they are unlocked automatically after a configurable number of hours. By default, the site administrators have to manually unlock the users from the Locked Users tab. If you want locked users to be automatically unlocked after a specific number of hours, check the Unlock it after setting and specify the number of hours.

Require password reset after unlocking the user: finally, as an added security measure, you can also require users who have been unblocked to reset their password on their next login.
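To make the three settings above concrete, here is an added example (not the plugin's own code) of a lockout tracker that implements the same rules: failures are counted within a 24-hour window, the account locks at the configured limit, and it is unlocked either by an administrator or automatically after a number of hours, optionally forcing a password reset. Class and method names are invented for the example, and timestamps are epoch seconds passed in by the caller.

```python
# Added example (not the plugin's own code) implementing the lockout policy above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WINDOW_SECONDS = 24 * 3600  # only failures inside the last 24 hours count

@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # recent failure times
    locked_at: Optional[float] = None                    # None: not locked
    must_reset_password: bool = False

class LockoutTracker:
    def __init__(self, max_attempts: int, unlock_after_hours: Optional[int] = None,
                 require_reset_on_unlock: bool = False) -> None:
        self.max_attempts = max_attempts              # attempts allowed in the window
        self.unlock_after_hours = unlock_after_hours  # None: only an admin can unlock
        self.require_reset_on_unlock = require_reset_on_unlock
        self.accounts: Dict[str, AccountState] = {}

    def _unlock(self, st: AccountState) -> None:
        st.locked_at, st.failures = None, []
        st.must_reset_password = self.require_reset_on_unlock

    def admin_unlock(self, user: str) -> None:  # the Unlock button in Locked Users
        self._unlock(self.accounts.setdefault(user, AccountState()))

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_at is None:
            return False
        if self.unlock_after_hours is not None and now - st.locked_at >= self.unlock_after_hours * 3600:
            self._unlock(st)  # automatic unlock after the configured delay
            return False
        return True

    def record_failure(self, user: str, now: float) -> int:  # returns attempts left, 0 = locked
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return 0
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS] + [now]
        remaining = self.max_attempts - len(st.failures)
        if remaining <= 0:
            st.locked_at = now
        return max(remaining, 0)

    def record_success(self, user: str) -> bool:  # True if a password reset is required
        st = self.accounts.setdefault(user, AccountState())
        st.failures, reset, st.must_reset_password = [], st.must_reset_password, False
        return reset
```

The login handler should call is_locked before checking the password at all, so a locked account is refused even when the submitted password is correct.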

How does it work for a website user?

With the Failed Login Policies enabled, should a user attempt to log in with a bad password, then in addition to the usual failure notice the user will also be alerted that they have a limited number of attempts remaining.

Failed Logins remaining attempts

When a user surpasses the number of allowed failed login attempts, a lockout notification is shown:

Number of allowed failed login attempts

And any subsequent login attempts with that username will be blocked.

Lockout notification

From this moment the user is considered blocked and will be visible in the Locked Users tab in the plugin’s settings, where they can be unlocked by using the Unlock button.

Locked Users tab

At this point, the user will be able to log back in as normal, and if you have the Reset password on unblock setting enabled, the user will be required to set a new password upon successful login.