Failed logins can happen for a variety of reasons. Often, it is simply the result of a user who has genuinely forgotten their password. It happens to the best of us, so we won’t judge too harshly. Sometimes, however, something more serious might be happening – someone is trying to break in.
The art of troubleshooting failed logins
Like all other WordPress issues, troubleshooting (aka getting to the bottom of things) is the first step we need to undertake. This will help us make sure we are dealing with the actual issue and not its symptom. Fortunately, there is an easy way to start this process – look at the data. Essentially, you should see one of two things:
- Wrong username and wrong password combinations
Wrong username and password combinations can happen for one of two reasons. Either someone or something is guessing username/password combinations to gain access, which is a pretty common occurrence, or it is a targeted attack on your website, either to gain access or to overload it (DoS/DDoS).
- Right username and wrong password combinations
Right username and wrong password combinations can mean one of two things. Either it’s a genuine case of someone forgetting their password, or someone has discovered an actual username registered on your WordPress and is now trying to guess the password.
One other thing that you should remember to look at is the frequency. A large number of attempts in a short period is usually the sign of an automated attack. On the other hand, a slow and irregular timeline is a tell-tale sign of a person who hasn’t had their coffee yet.
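The triage described above can be scripted once the failed attempts are available as (timestamp, username) pairs. The following is an added example, not part of the original article: the function name, the 60-second window, the threshold of five and the sample records are all assumptions constructed for illustration.

```php
<?php
// Added example: sort failed logins into the article's two cases and flag the pace.
// $events: [ unix_timestamp, username ] pairs; $known_users: registered logins (lowercase).
function triage_failed_logins( array $events, array $known_users, int $window = 60, int $burst = 5 ): array {
    $by_user = [];
    foreach ( $events as [ $ts, $username ] ) {
        $by_user[ strtolower( $username ) ][] = $ts;
    }
    $report = [];
    foreach ( $by_user as $username => $times ) {
        $username = (string) $username; // numeric usernames come back as int keys
        sort( $times );
        // Largest number of attempts falling inside any $window-second span.
        $peak  = 0;
        $start = 0;
        foreach ( $times as $i => $t ) {
            while ( $t - $times[ $start ] > $window ) {
                $start++;
            }
            $peak = max( $peak, $i - $start + 1 );
        }
        $report[ $username ] = [
            'attempts' => count( $times ),
            'username' => in_array( $username, $known_users, true ) ? 'registered' : 'unknown',
            'pace'     => $peak >= $burst ? 'burst' : 'slow',
        ];
    }
    return $report;
}

// Constructed sample data: six guesses at "admin" in ten seconds, and two
// attempts forty minutes apart on a registered account.
$known_users = [ 'editor1' ];
$events      = array_map( fn( $i ) => [ 1700000000 + 2 * $i, 'admin' ], range( 0, 5 ) );
$events[]    = [ 1700003000, 'Editor1' ];
$events[]    = [ 1700005400, 'editor1' ];

foreach ( triage_failed_logins( $events, $known_users ) as $name => $row ) {
    printf( "%-8s %2d attempts  %-10s %s\n", $name, $row['attempts'], $row['username'], $row['pace'] );
}
```

A registered username with a burst pace is the combination that deserves attention first, since it means a real account name is being guessed at machine speed.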
The perils of too many failed login attempts
Password-guessing attacks are quite prevalent. Too many failed WordPress login attempts are generally indicative of these kinds of attacks. Without a way to manage this, you could be leaving your site open to attacks and disruptions. Fortunately, managing this risk is very easy and requires little administrative effort.
WordPress does not offer any functionality to limit or take evasive actions when there are failed login attempts. A user can keep trying ad nauseam until they get it right. While giving people extra chances can be argued to be the ethical thing to do, imposing limits and controls can go a long way in ensuring the security and integrity of your WordPress website.
How to prevent failed login attempts on WordPress
Implementing a WordPress failed login policy is easier than it sounds. There are primarily two options to choose from, which we will now discuss.
Limit failed logins manually
If you’re looking to limit WordPress failed logins without a plugin, you can modify the active theme’s functions.php file and add the relevant code. There are several ways to add custom code to WordPress websites; however, this requires a good understanding of PHP and how WordPress works.
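As an added example of what such code can look like (it is not from the original article or from any plugin), the snippet below counts failures per account in a transient and refuses logins once the limit is reached. The `lfl_` names, the limit of three and the 15-minute automatic unlock are assumptions chosen for illustration.

```php
<?php
// Added example for a theme's functions.php; not WordPress core or plugin code.
// The lfl_ names, the limit and the lock time are assumptions for illustration.
define( 'LFL_MAX_ATTEMPTS', 3 );                      // failures allowed before locking
define( 'LFL_LOCK_SECONDS', 15 * MINUTE_IN_SECONDS ); // automatic unlock window

// One counter per account, whether the visitor typed the login name or the e-mail.
function lfl_key( $login ) {
    $login = strtolower( trim( (string) $login ) );
    $user  = is_email( $login ) ? get_user_by( 'email', $login ) : false;
    if ( $user ) {
        $login = strtolower( $user->user_login );
    }
    return 'lfl_' . md5( $login );
}

// Count failures. Attempts made while locked are not counted, so the lock
// expires LFL_LOCK_SECONDS after the last counted failure.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lfl_key( $username );
    $count = (int) get_transient( $key );
    if ( $count < LFL_MAX_ATTEMPTS ) {
        set_transient( $key, $count + 1, LFL_LOCK_SECONDS );
    }
} );

// Runs after core's password check (priority 20), so a locked account is
// refused even when the correct password is supplied.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== (string) $username
        && (int) get_transient( lfl_key( $username ) ) >= LFL_MAX_ATTEMPTS ) {
        return new WP_Error( 'lfl_locked', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lfl_key( $user_login ) );
} );
```

Because the counter is keyed on the account, anyone who knows a username can keep that user locked out for the duration of the window, so size the limit and lock time with that in mind.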
Install a plugin
The other, and most practical, option is to use a plugin. Plugins come in all shapes and sizes, including plugins that just limit login attempts and plugins that allow you to enforce a password security policy on WordPress for even tighter control and security.
WPassword is one such WordPress plugin. It gives administrators greater control over how passwords are used and managed on their WordPress websites. It includes the ability to set up a policy that deals explicitly with failed login attempts, among its many other features.
Other things to consider
One other option worth mentioning is CAPTCHA. Plugins such as CAPTCHA 4WP are great at helping you stop automated attacks. Since a CAPTCHA needs to be completed before a login attempt is made, bots behind such attacks fail the test and will not make a single login attempt.
Another option that tends to come up in conversations about failed login policies is that of blocking IPs. Through this option, the offending IP is blacklisted, preventing it from accessing your website in the first place. While this is technically correct, a persistent malicious actor can simply use a different IP – which they can do with ease. Because of this, the strategy of blocking IPs often ends up being a cat and mouse game.
A better option is to use a CDN (Content Delivery Network) and let it deal with blocking offending IPs. This can save you precious time, which you can invest in productive things.
How to design a WordPress failed login policy
Before we begin to enforce a failed login policy on a WordPress website, there are a few things that we need to think about. Like all other security-related issues, managing failed login attempts suffers from the security/usability paradox. The more secure something is, the less usable it becomes. The reverse is equally true. Not allowing anyone to log in is very secure but hardly usable. Giving users unlimited chances at logging in can compromise security but increases usability.
What you need to understand is how much leeway you are willing to give your users. Traditionally, three attempts are viewed as both adequate and reasonable. Some disagree with this notion and place the maximum allowable login attempts at ten. Either way, offering unlimited login attempts is not a good strategy and can have negative repercussions.
The truth of the matter is that there is no right or wrong answer. Three is a safe number, but it will increase administrative overhead. Ten might have lower administrative overheads but carries more risk.
As such, you might want to start with limiting the number of login attempts to three and then assess the situation. When using WPassword, it’s very easy to change this number. As such, you can very easily adapt the policy to your users and circumstances.
You should also think about what happens when an account gets locked. Should the account unlock automatically after a pre-configured time window, or should an administrator unlock it manually? This question runs into the same problem as before: you need to decide between usability and security. Another essential aspect that might influence this part of the policy is the location of your users. If people are logging in from the other side of the world, are you happy to wake up at two in the morning to unlock an account? And if not, how long should a user wait before they can log in again? Will this impact their productivity or your bottom line?
Choosing the right plugins (and policy) to manage WordPress failed logins
Once you understand what you would like your password and failed logins policy to look like, you need to start working on the implementation. We previously mentioned WPassword as a prime candidate. It offers many configuration options, allowing you considerable leeway when configuring and implementing your password policy.
Once you enable the failed logins policy for WordPress, you can choose how many attempts users have before their account is locked. You can also decide how it’s unlocked and whether you want to force users to change their passwords or not, as explained below.
Step 1: Install and activate WPassword
Installing WPassword is easy. You can download the password security plugin straight from WP White Security’s website and then upload it to your WordPress website.
Once you install the plugin, click on Plugins from the WordPress side menu, locate the plugin, and click on Activate. This will add a new menu option called Password Policies, which you need to click on.
Step 2: Enable the Failed Logins Policy
Tick the checkbox next to Enable Failed Logins Policies to limit failed login attempts on your WordPress website. Enter the Number of failed login attempts before locking a user, with 3 – 5 generally considered a good start.
Other configuration options include what happens once an account is locked and whether blocked users are required to reset their password on unblock. Refer to the WordPress failed logins policy knowledge-base article for more information.
Step 3: Take additional security measures
We also touched upon CAPTCHA – the ubiquitous test present in many logins and forms that is designed to let humans pass while stopping bots and other forms of automated attacks. Plugins such as CAPTCHA 4WP make implementing such tests super easy while offering universal compatibility and support for different versions.
When it comes to increasing the security of the login process, two-factor authentication is a must-have. Through this process, users need to authenticate a second time by entering a one-time passcode provided through their smartphone. By employing 2FA, which you can easily do through plugins such as WP 2FA, you can ensure that even if passwords get compromised, unless the person has the phone tied to that user account, they will not be able to log in.
Step 4: Going a step further (Optional)
With the password and failed login policies, CAPTCHA, and two-factor authentication in place, you should be well covered.
However, if your website still experiences large volumes of failed login attempts, you should consider using a CDN service. You might want to speak to your web hosting provider to assist you with implementing a solution suitable for large-scale attacks.
WordPress password security requires a 360 approach
As we saw throughout the article, several factors need to be considered when implementing a password policy. While blocking failed WordPress logins is a good first step (and a necessary one at that), by taking a 360 approach, you can be that much safer. Not only does this help you cover all of your bases, but it can also help you inspire more trust and confidence in your WordPress website.
A 360-degree approach looks at several factors, including plugins and themes, hosting, TLS, WordPress core, and others. This way, you can ensure that your WordPress security is in tip-top shape.