Dealing with Failed Logins on Your WordPress

Last updated on June 26th, 2020 by Robert Abela. Filed under WordPress Security

Many people are alarmed when they notice failed logins on their WordPress websites and blogs. Security and tech-savvy people, on the other hand, do not worry much about failed login attempts, saying that they are the norm.

Does your WordPress website receive a lot of failed login attempts? In this article I explain why your WordPress website gets such attacks, what you should do about them, and how to improve the security of the login page.

You notice too many failed login attempts on your WordPress

Those who install a WordPress activity log plugin on their website are typically surprised by the number of failed login attempts their websites get. Below is a post from the WP Activity Log plugin support forum; it sums up what many WordPress administrators might think:

Does this plugin really work?

The audit log shows my blog gets so many failed login attempts from various countries like Ukraine, Russia, Vietnam, China etc. almost every day. I am not sure why so many people want to hack my small site. It doesn’t even have much content. I don’t even make any profit from my site as I don’t have any ads or anything. So why does my site get so many failed login attempts? Today some random person from Ukraine tried 10+ times to access my and my partner’s accounts. I am not sure this plugin really works or it just generates some false alarms or something.

What the user reported were not false alarms. If you install a WordPress audit trail plugin on your websites you will see the same type of activity, even if your website is not popular.

Why are hackers targeting your website?

The majority of attack attempts on your WordPress website are not targeted specifically at your site, as explained in Targetted VS non-targetted WordPress attacks. They are automated malicious bots trying to guess your users’ passwords; their goal is to find WordPress websites with weak credentials. TIP: enforce strong WordPress password policies.

Your WordPress website receives such attacks simply because it is online; they are in no way related to how popular it is. These attacks are generic and every website on the internet is a target. Even non-WordPress websites receive this type of request, because most bots simply send requests to any domain that responds.

Do failed login attempts impact your website’s performance?

In the majority of cases they do not affect the performance of your WordPress website. Failed login attempts can only slow down a website, or consume an abnormal amount of bandwidth, during a brute force or dictionary attack launched specifically against your WordPress login page, which could also lead to a denial of service.

What are the risks of too many failed login attempts?

As long as you use strong WordPress passwords, there are no security risks.

Should I harden the WordPress login page?

Even though failed WordPress logins bear no security risks, you should always try to make it more difficult for attackers. The sections below cover what you should do.

Should I block offending IP addresses?

One commonly suggested remediation for failed login attacks on your WordPress website is to block the offending IP address(es). Unless your website is the target of a brute force attack, I would not recommend going down that route: attackers can easily bypass such blocks, so you end up in a cat and mouse game.

Start with the basics – use strong credentials, enable 2FA and follow best practices

As with almost everything else, start by addressing the basics. Avoid common usernames such as admin, root, or your first name. Use a combination of letters and numbers for your usernames, and a combination of letters, numbers and special characters for your passwords. Here are some tips on what makes a strong WordPress password.

Other WordPress login page security improvements

  1. Only access your WordPress login page over HTTPS; otherwise it is very easy for attackers to capture your WordPress username and password.
  2. Implement two-factor or HTTP authentication (see the best WordPress two-factor authentication (2FA) plugins).

Bonus WordPress login page security tip

If you always access the WordPress dashboard from the same IP address / location, restrict access to your IP address only. For more information on how to restrict access to a specific IP address or how to enable HTTP authentication, refer to our definitive guide of htaccess and WordPress.


John 07/02/2020

Basically if you have a strong password (at least 15 characters long), and change it once a year, you should be fine. I get hundreds of failed login attempts every day, so I just change my password often and don’t even look at the audit trail anymore…

Robert Abela 13/02/2020

Very good point John. Indeed, if you use a strong password and 2FA you should be sorted. But you would still need to review the activity logs from time to time, just ignore the failed logins 🙂

Mike Moy 08/04/2020

Not good, not good.

- Even though failed WordPress logins bear no security risks: in response to this statement, no, that is absolutely incorrect. You have to realize that every failed login attempt is one step closer to an attacker achieving a successful brute force attack. The more times they get to try different passwords, the better chance an attacker has.

Should I block offending IP addresses – yes, absolutely you should block offending IP addresses for a pre-determined amount of time, if not permanently. If a hacker has to change their IP address constantly it will make your site less appealing for a hacker to put effort into compared to a site that does not block IP addresses.

Also you should be logging IP addresses for repeat offenders. Display an onscreen message informing them that their IP address has been logged. Use it as a deterrent. Report it to the relevant authorities and their internet service provider if known.

Also if hackers are using a particular username to try brute force attack access then block that account from accessing your site for let’s say 20 minutes every time they fail to log in 5 times in a row. Track the number of failed login attempts per username. Again, if a hacker is only able to try 5 passwords every 20 minutes it will act as a deterrent. Hackers want to be using thousands of passwords per hour to make an effective brute force attack.

- Avoid using common usernames such as admin, root, or your first name: in response to this statement, you should be aware that if you make blog posts with your account on your WordPress website anyone can get your username. So if you are making blog posts you should be doing it with an account that has very limited permissions; that way, if that account does get hacked, damage limitation will be in place. You don’t want your account with admin privileges getting hacked. Don’t blog post with a high level account: it takes about 2 seconds just by reading through the page code in the browser, and it will not matter what you changed your username to.

Also plugins are not good for security, they are one of the biggest vulnerabilities on WordPress. Plugins contain code that you did not write. Plugins can contain vulnerable code. If you use plugins you are completely reliant on the plugin owner/developer to ensure that the plugin code is kept up to date and that there are no new security issues with their code. The fewer plugins the better.

Protect your data and protect your website members/users data. Restrict file and folder access as much as possible. If a user does not need access to certain directories on your server then restrict access. Log onto your server and check what permissions you have set for the various directories and files on your server. Start by making sure that users don’t have access to your wp-config.php file, it contains your database username and password. You don’t want people being able to log into your database, or they will have access to every single user account on your website including yours. I’ve probably gone a bit off script here but you get the idea.

Website security is a layered approach, you should not be relying on a single fail point i.e. just use a strong password and you are good. Don’t be an idiot.

Robert Abela 15/04/2020

Thank you for your comment Mike.

I do agree with you that one should not use common usernames (such as admin and root), however, blocking IP addresses and doing all that work (like keeping a record of repeating offenders) is like playing a never ending cat and mouse game. Unless your website is targeted by a large scale brute force attack, you should not go down that route.

Also, saying that the plugins “are one of the biggest vulnerabilities in WordPress” and that they “contain code that they did not write” is untrue, very misleading and sensationalist. Quite frankly, all of the software you use to host your website (the Apache web server, the operating system it is running on, the countless services that make up the web server) and WordPress itself were not written by you.

We should try to be more constructive and realistic when talking about security etc. Pointing fingers and saying “everything is wrong / bad / insecure” is counter productive and won’t lead us forward.

My 2c.

Mike 27/04/2020

@Robert Abela

I didn’t say “everything is wrong / bad / insecure”. Instead I actually gave specific examples of insecurities and advice for how to avoid those specific insecurities as I felt there was some mis-information on the page.

You state that because WordPress and Apache software is considered secure we should also consider WordPress plugins secure. They are not the same; the difference is that WordPress and Apache software is well established and has been tried and tested on millions of installations over many, many years, whereas WordPress plugins are not by default. For example, a guy with 2 weeks’ coding experience could create a WordPress plugin riddled with security issues and publish it for anyone to download and install. This, coupled with the fact that a plugin might not get necessary updates, is why WordPress plugins are one of the biggest security risks. Sure, there are many great WordPress plugins out there that have well written code, but there are also many security-vulnerable plugins. Because WordPress and Apache software is secure does not mean that a WordPress plugin is secure.

I do not agree that it is a cat and mouse game with regards to blocking IP addresses; if you are not proactively blocking then you are allowing hackers to execute brute force attacks or denial of service attacks. One hacker could guess thousands of login passwords in a single day. I would take the logic that if an IP address has 50 failed login attempts in a single day it should be banned, as it is clearly not genuine: a genuine user would have used the ‘forgot password’ mechanism after a few failed attempts.

Netflix and Amazon Prime also block certain IP addresses on their platforms for licensing purposes; they don’t see it as a cat and mouse game. Please explain your logic as to why you are advising people not to block IP addresses?

Robert Abela 29/04/2020

Thanks for your response @Mike.

1) I never said that because WordPress and Apache are considered secure we should also consider WordPress plugins secure. I said that saying (quoting you) “Also plugins are not good for security, they are one of the biggest vulnerabilities on wordpress. Plugins contain code that you did not write.” is very misleading. The world is not black and white, but there are many shades of colours in between. And the same applies here, like in everything else. So we could be more accurate by saying “There are many good and well maintained plugins, but there are also many unmaintained and potentially vulnerable plugins. So not to jeopardize the security of your website always use a well maintained, reliable plugin.”

2) Comparing a WordPress website (of any size) to Netflix and Amazon is like comparing oranges to apples. Most WordPress site owners do not have the same resources and infrastructure to do that. And someone abusing a license (resulting in loss of money) is different than an IP generating failed logins. The same to what I said in regards to plugins applies here, there is no good or bad here. Trying to keep a record of offending IPs is a cat and mouse game. However, if you do notice that some IPs are in fact generating a high number of failed logins, then speak to the web host and they will take care of it. Addressing this problem at WordPress level is very inefficient. It is time consuming and resource hungry.

Typonaut 30/07/2020

I agree with Mike. If you are getting repeated login attempts then you should block the IP addresses and report the issue to the ISP concerned. The reason you should do this is, as Mike suggests, because this is just a symptom of a bigger attack. Although you might only get a few attempts from a particular IP (typically I am seeing three at a time), these aggregate over time (where the same IP address does the same thing, over an extended period of time) and between different IP addresses.

So, multiple attempts from multiple IP addresses add-up to a distributed brute-force attack over time.

Robert says you don’t want to spend the time tracking all those IP addresses and individually banning them. But you don’t have to. Use an automated process to block the bot at the device’s firewall. For example, using fail2ban to scan your server logs will automatically ban IP addresses (after a certain number of attempts – which you can set) for a period you can determine, and report the incident to the ISP.

Robert Abela 31/07/2020

I am not saying one should not report any IP addresses at all. The way these things should be dealt with is on a case by case basis. My point was that you will always get a handful of failed logins on a daily basis on your site, and the more popular it becomes, the more you will get. It is not worth trying to block the IP addresses that generate such a small amount of failed logins. However, one should use a sort of online CDN / firewall service that helps in mitigating this issue.
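As an added example, not part of the article or of any comment above: the two thresholds argued over in this thread, 50 failures per IP per day and 5 failures per username within 20 minutes, checked against a constructed activity feed, so you can see which IPs are worth raising with the host or a firewall and which accounts a temporary lockout would have protected. The log format, usernames and IP addresses are my own assumptions for the example, not the WP Activity Log plugin's export format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed, one login event per line. It is my own format for this
# example, not the WP Activity Log plugin's export. The last 55 lines are one bot.
SAMPLE_LOG = """\
2020-06-26 10:00:01 FAILED_LOGIN user=admin ip=203.0.113.5
2020-06-26 10:00:02 FAILED_LOGIN user=admin ip=203.0.113.5
2020-06-26 10:00:04 FAILED_LOGIN user=admin ip=203.0.113.5
2020-06-26 10:00:05 FAILED_LOGIN user=admin ip=203.0.113.5
2020-06-26 10:00:07 FAILED_LOGIN user=admin ip=203.0.113.5
2020-06-26 11:30:00 FAILED_LOGIN user=robert ip=198.51.100.7
2020-06-26 11:31:00 SUCCESS_LOGIN user=robert ip=198.51.100.7
2020-06-26 12:00:00 FAILED_LOGIN user=editor ip=192.0.2.9
2020-06-26 12:40:00 FAILED_LOGIN user=editor ip=192.0.2.9
""" + "".join(f"2020-06-26 13:00:{s:02d} FAILED_LOGIN user=guest ip=203.0.113.77\n" for s in range(55))

LINE_RE = re.compile(r"^(\S+ \S+) (FAILED_LOGIN|SUCCESS_LOGIN) user=(\S+) ip=(\S+)$")

def parse_events(text):
    """(timestamp, kind, username, ip) tuples in time order; other lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return sorted((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3], m[4])
                  for m in matches if m)

def ips_over_daily_limit(events, limit=50):
    """IPs with at least `limit` failures on one calendar day (the 50/day figure
    from the comments): the ones worth raising with the host or a firewall."""
    counts = defaultdict(int)
    for ts, kind, _user, ip in events:
        if kind == "FAILED_LOGIN":
            counts[(ip, ts.date())] += 1
    return sorted({ip for (ip, _day), n in counts.items() if n >= limit})

def usernames_to_lock(events, max_failures=5, window=timedelta(minutes=20)):
    """Usernames reaching `max_failures` failures inside `window` (the 5-in-20-minutes rule
    from the comments), mapped to the time a lockout would start. A success resets the count."""
    recent, flagged = defaultdict(deque), {}
    for ts, kind, user, _ip in events:
        q = recent[user]
        if kind != "FAILED_LOGIN":
            q.clear()
            continue
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and user not in flagged:
            flagged[user] = ts
    return flagged
```

On the constructed feed, only the bot's IP crosses the daily limit, while both admin and guest would have been locked out after their fifth failure; editor (two failures 40 minutes apart) and robert (one failure, then a success) are not flagged.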
