Many administrators and website owners balk at the sight of failed login attempts on their WordPress site – yet, these are more common than you might think. While they’re not necessarily a threat to website security, understanding what they are and how to limit login attempts can help you ensure better website security.
In this article, we will go through what failed login attempts are, how to determine risk, and finally, how to limit them.
What are failed login attempts?
Failed login attempts result from someone entering the wrong login credentials at the login page. This can be either the wrong username, password, or both. Failed login attempts fall into two categories – a user mistyping their credentials or a non-user trying to guess credentials. We will cover this in greater detail later in this article.
If you’ve recently come across failed login attempts on your WordPress website, don’t panic. By carrying out some quick troubleshooting, we can quickly find out whether these failed attempts are likely genuine or not.
Where to find a record of all login attempts
The easiest way to keep a record of all login attempts is by installing a WordPress activity log plugin like WP Activity Log. This WordPress plugin enables you to keep a record of all user and system activity on your website, including successful and failed logins.
Furthermore, you can easily set up WordPress events notifications that are sent to you via email or SMS whenever a particular activity occurs, such as a failed login.
WP Activity Log tracks two types of failed logins, giving you a clear picture of what is happening.
- Event ID 1002 tracks attempts to log in with a username that exists on your WordPress but a wrong password
- Event ID 1003 tracks attempts to login in with a username that does not exist on your WordPress website
In the screenshot, you’ll notice the log keeps track of the following:
- The event ID as described above
- Severity of the event
- The date and time of the event
- The user that attempted to log in (this will show as System if the user doesn’t exist)
- IP address from where the request originated
- Object class, in this case, it’ll be either User (known user) or System (unknown user)
- Event type, telling us whether it was a failed login or a successful login
- The log message
You’ll also notice that System failed login events include a downloadable log file. This file will tell you which username was used for the failed login attempt.
You can view all logged activities through the Activity Log Viewer. If you’re running the premium edition, you can also filter for particular events, making it super easy to quickly find out whether there have been any failed login attempts, the time, their IP address, and other useful information.
As mentioned earlier, you can also set instant notifications and reports that are automatically sent out according to your preferred schedule.
Who’s trying to log in?
Failed login attempts can feel quite unsettling – however, not all failed login attempts should be cause for alarm. There are several reasons why you’re seeing failed login attempts – these include:
Crawlers: The web is filled with creepy crawlies looking to harvest data. Legitimate crawlers, such as those used by Google and other reputable search engines, do not try to log in to websites. Not-so-legitimate crawlers, however, may attempt to log in.
Genuine users: Anyone can forget their password, especially if they haven’t had their morning cup of coffee yet. This can be especially true if the person trying to log in does not use a password manager.
Many users fear forgetting their passwords and tend to use simple passwords that are easy to remember. The downside to this is that easy passwords are easy to crack – which may lead to a security breach. We will discuss this in a bit more detail later.
Hackers: Sometimes, failed logins result from hackers attempting to access your system. In most cases, hackers use bots to automate the process of trying many usernames and password combinations. This type of attack is called a brute force attack and comes in several flavors.
What are the risks of failed login attempts?
Not all failed login attempts are equally risky. We can quickly determine the level of risk by looking at the behavior of failed login attempts. We need to look at a few things:
Number of login attempts
A single or a few failed login attempts generally indicate a genuine user. On the other hand, a large number of persistent attempts may suggest that trouble is brewing. The number of failed login attempts should also take time into consideration – we will discuss this in more detail shortly.
If all of the attempts are for one user account, check with the user whether they experienced any login issues. You should force a WordPress password reset for that account as a safety precaution. On the other hand, if you see many different WordPress users experiencing failed login attempts, this might be a sign that someone is trying to breach your WordPress.
The IP address can indicate quite a few things, including where the user is from. However, that user could be using a VPN, an onion router, or a proxy – thus masking their true IP.
You can also match the IP address to the username and see whether it’s the same IP they always use or it suddenly changed. Keep in mind that the user may have started to use VPN recently, so it’s worth investigating further before making any assumptions.
Did the failed login attempts occur over a short period or a more extended period? In genuine cases, you can expect a low number of attempts, say between two and five, over an extended amount of time as the person trying to login in tries to remember their password as they question themselves over a cup of tea.
Hackers know they’ve probably got the wrong password, and they use a bot to help them attempt as many passwords as possible over a short period of time. Keep in mind that hackers can also choose to take the longer route and attempt a few different passwords every now and again to try to mimic human behavior.
How to limit failed login attempts on WordPress
The best way to limit failed login attempts is to use Melapress Login Security – our WordPress login security plugin that helps you implement different security policies for your login. The plugin offers tons of functionality; however, this article will focus on limiting login attempts.
In this section, we will go through a tutorial on how to set up and configure the Melapress Login Security plugin.
Step 1: Download and install the plugin
Melapress Login Security can be purchased directly from the developer’s website. A few different plans are available, so you can choose the one that best fits your website. You can also start by downloading the 14-day free trial for risk-free testing before purchasing.
Once you purchase the plugin or sign-up for the trial, you will receive an email with a license key and a download link. Download the plugin and install it through your WordPress dashboard just like any other plugin. Ensure you enter the license key when prompted to, and you’re off to the races.
Step 2: Enable policies
Melapress Security Login’s failed login policy forms part of the password and login policies. This security feature is designed to help you limit login attempts. To this end, you must first enable password & login security policies by navigating to Login Security> Login Security Policies. Check the Enable password & login security policies checkbox, then scroll down to Enable Failed Login Policies and check the checkbox.
Step 3: Configure your failed login policy
The Melapress Login Security policy configurator offers several configuration options, giving you the freedom to customize your policies to your needs and requirements.
- Number of log in attempts before locking a user: This setting allows you to specify the number of login retries a user is permitted before their account is locked.
- Time period required to reset the failed logins count: Define how long the failed logins counter
- When a user is locked: Accounts on lockout can either be unlocked automatically after a lockout time has passed, or manually by an administrator.
- Required blocked users to reset passwords on unblock: You can choose to have users whose account has been unblocked to set a new password.
Once you’ve made your selections, click on the Save Changes button to activate the policy.
Once you save the policy, it will be automatically activated for the WordPress login page. You can also activate the policy for 3rd party plugins such as WooCommerce, LearnDash, and others. Simply navigate to the Forms & Placement menu and choose from the available plugin integrations.
Additional steps for improved login security
As the old adage goes, prevention is better than cure. Having a failed logins policy is one of the best preventative measures you can take to limit login attempts. However, there are other security measures you can take to ensure the continued safety of your WordPress website. Here are the best security measures you can take to ensure your WordPress login is as secure as possible.
We also touched upon CAPTCHA – the ubiquitous test present in many logins and forms that is designed to let humans pass while stopping bots and other forms of automated attacks. The CAPTCHA 4WP plugin makes implementing such tests super easy while offering universal compatibility and support for different versions.
In increasing the security of login processes, WordPress two-factor authentication is a must-have. Through this process, users need to authenticate a second time by entering a one-time passcode provided through their smartphone. By employing 2FA, which you can easily do through plugins such as WP 2FA, you can ensure that even if passwords get compromised, unless the person has the phone tied to that user account, they will not be able to log in.
Disable inactive users
Inactive WordPress user accounts are a prime target for bad actors since illegitimate activity tends to go unnoticed. With no upside to leaving them active, deactivating inactive accounts should be a no-brainer.
Inactive users can be disabled manually or automatically using Melapress Login Security. Once the account is disabled, users would need to get in touch to have their account reactivated. You can also choose to have the users reset their password on reactivation for additional security.
Going a step further (Optional)
With the password and failed login policies, CAPTCHA, and two-factor authentication in place, you should be well covered.
However, if your website still experiences large volumes of failed login attempts, you should consider using a CDN service. You might want to speak to your web hosting provider to assist you with implementing a solution suitable for large-scale attacks.
WordPress password security requires a 360 approach
As we saw throughout the article, you must consider several factors when implementing a failed login policy. While blocking failed WordPress logins is a good first step (and a necessary one), by taking a 360 approach, you can be that much safer. Not only does this help you cover all of your bases, but it can also help you inspire more trust and confidence in your WordPress website.
A 360-degree approach looks at several factors, including plugins and theme updates, two-factor authentication, etc. This way, you can ensure that your WordPress security is in tip-top shape.
Frequently Asked Questions
Should I blacklist IPs of failed login attempts?
Blocking IPs of failed login attempts is often touted as one surefire way to cut off bad actors at the knees. While there is some truth to this, anyone can easily change their IP in seconds, potentially turning this exercise into an endless cat-and-mouse game.
If you have a limited number of users, you might want to consider whitelisting IPs instead, but keep in mind that most ISPs (Internet Service Providers) do not assign static IPs to their customers. Users might also choose to log in from a different location (whether it’s an emergency or otherwise), potentially turning whitelisting into a nightmare.
Do failed login attempts affect site performance?
Unless you’re under a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack, failed login attempts are not going to make a noticeable impact on your WordPress performance. Of course, if you’re already using all available server resources, you might see a negative impact. This might also be the case if login attempts are at a high volume/high frequency.
Do firewalls block failed login attempts?
Generally speaking, firewalls do not block failed login attempts. Keep in mind that a legitimate user can very easily forget their password. As such, blocking them at the firewall level might not be ideal. This is why Melapress Login Security is such an invaluable WordPress security tool, as it allows you to set rules and effectively manage failed logins.
Which WordPress security plugins limit login attempts?
There are several plugins available that limit login attempts. Since WordPress allows unlimited login attempts by default, plugins offer a quick an easy solution to this security risk. Melapress Login Security offers a well-rounded WordPress login security solution that not only limits login attempts but also allows you to set password and inactive user policies to improve your site’s security.
*** This is a Security Bloggers Network syndicated blog from WP White Security authored by Joel Barbara. Read the original post at: https://www.wpwhitesecurity.com/wordpress-failed-login-attempts/