WordPress Limited Login Attempts Integrated

12 April 2013

The "Limit Login Attempts" WordPress plugin can now be enabled as part of the standard Installatron WordPress install to help improve WordPress login security. When enabled, the rate of WordPress login attempts will be limited, including by way of cookies, for each IP. Website owners can enable this option for new installs and for existing installs.

This is not the best solution to prevent WordPress logins from being bruteforced. While limiting login attempts helps, server load will still be affected by the increased traffic, and attackers can employ a wide range of IP addresses to circumvent the block. Deploying a Web Application Firewall (WAF) can specifically target this traffic and provide a generally superior solution to the same problem.

Notes for service providers:

The option to enable limited login attempts for WordPress will become available for your customers with the next forced or automatic Installatron Update. This option can be disabled at Installatron Admin >> Features (bottom of the page).

While not necessary, limited login attempts can be forcibly enabled for all existing WordPress installs on a server by executing the below command from the server SSH root command prompt. If any problems are encountered with limited login attempts, the feature can be disabled per installed application using the UI's "view/edit details" button or with a variation of the same SSH command (swap 'on' to 'off' and optionally change --id to target a specific install).

/usr/local/installatron/installatron --edit --id='*' --limitloginattempts on