
Auto-Block IPs After Failed WordPress Login Attempts: Best Practices

Should you permanently block IPs after failed logins? Learn when auto-blocking helps, when it hurts, and how to configure it properly.

Sarah Chen
9 min read
Auto-blocking IP addresses after failed WordPress login attempts

The Case for Auto-Blocking

Auto-blocking IPs that repeatedly fail login attempts seems like a no-brainer security measure. An IP that's been locked out multiple times is almost certainly an attacker, right? While often true, auto-blocking requires careful configuration to avoid blocking legitimate users and creating support headaches.

How Auto-Blocking Works

The Process

  1. IP fails login X times
  2. IP is temporarily locked out
  3. Lockout expires, IP tries again
  4. After Y lockouts, IP is blocked for an extended period (24+ hours)

Every one of these counters is keyed on the client IP address, so the address has to be the right one. If the site sits behind a CDN, load balancer, or reverse proxy, the server sees the proxy's address unless it reads a forwarding header such as X-Forwarded-For, and that header must only be trusted when the request actually arrived from your own proxy. A lockout keyed on the proxy's address locks out every visitor at once; a forwarding header trusted from anyone lets an attacker forge a fresh "client IP" on each request and never trip a threshold.

WP Folder Shield Configuration

  • Max Login Attempts: Attempts before lockout (default: 5)
  • Lockout Duration: How long lockout lasts (default: 30 min)
  • Auto-Block Threshold: Lockouts before the extended block (default: 3)
  • Block Duration: How long to block (default: 24 hours)

Benefits of Auto-Blocking

Stops Persistent Attackers

Automated attacks run continuously. Without auto-blocking, an attacker simply waits out each 30-minute lockout and resumes. Auto-blocking raises the cost: to keep going, the attacker has to move to a new IP. Know the limit, though: a botnet or proxy pool that already spreads attempts across many addresses never reaches a per-IP threshold, so auto-blocking stops the persistent single-source attacker, not the distributed one.

Reduces Server Load

Requests from a blocked IP are rejected before the login handler runs, so no password hashing or database work is spent on them. How much that saves depends on where the block is enforced: a block at the web server or firewall stops the request before PHP starts, while a block checked inside WordPress still costs the request the cost of loading the site up to that check.

Cleaner Logs

Fewer repeated attacks from the same IPs means more meaningful security data.

Contributes to Threat Intelligence

Blocked IPs can be shared with threat intelligence networks, helping protect other sites.

Risks of Auto-Blocking

Legitimate User Lockout

Users who forget passwords and keep trying can get locked out and, with enough lockouts in a row, blocked. Under the defaults a single user needs 15 failures to get there, which is rare; several users behind one address get there quickly. This is especially problematic for:

  • Membership sites with many users
  • E-commerce sites with customer logins
  • Sites where users share IP (offices, universities)

Shared IP Problems

Many users share IPs:

  • Corporate networks
  • University campuses
  • Mobile carrier networks (CGNAT)
  • Some ISPs

Blocking one attacker could block thousands of legitimate users.

VPN/Proxy Complications

VPN users share exit IPs. Blocking one VPN IP affects all users of that VPN server.

Best Practices for Auto-Blocking

1. Set Reasonable Thresholds

Require multiple lockouts before blocking:

  • 5 failed attempts = 30-minute lockout
  • 3 lockouts (15 failed attempts) = 24-hour block

This ensures only persistent attackers get blocked.

2. Use Temporary Blocks

24-hour blocks rather than permanent:

  • Attackers move on to easier targets
  • Accidental blocks eventually expire
  • No permanent list maintenance needed

3. Whitelist Important IPs

Add these to your whitelist:

  • Your home/office IP
  • Team member IPs
  • Known corporate network ranges
  • Important partner IPs

Keep the list short and specific. A whitelisted address gets no lockouts at all, so a compromised machine on that network can guess passwords freely; prefer single addresses to ranges, and remember that home and mobile IPs are usually dynamic, so an entry added today may belong to a stranger next month.

4. Enable 2FA

With 2FA enabled, you can afford higher thresholds because a guessed password alone won't grant access. Keep lockouts on anyway: a password that passes the first factor still tells the attacker the credential is valid, and it may be reused on a site without 2FA.

5. Provide Recovery Path

Ensure blocked users can:

  • Contact support
  • Use password reset
  • Access from different IP if needed
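The escalation described under "How Auto-Blocking Works", with the defaults from the configuration list and the whitelist from best practice 3, as an added example. This is not WP Folder Shield's code: the class and function names are hypothetical, and the attempt_window and lockout_window fields are assumptions, since the article does not say how long old failures and old lockouts are remembered. The client_ip helper covers the trusted-proxy point: the forwarding header is only believed when the TCP peer is one of your own proxies.

```python
"""Escalating lockout -> temporary block for a login endpoint.

Added example, not WP Folder Shield's code: names are hypothetical, the
thresholds match the article's defaults, and attempt_window / lockout_window
are assumptions (the article does not say how long history is kept).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_attempts: int = 5            # failures before a lockout
    lockout_seconds: int = 30 * 60   # lockout duration
    lockouts_before_block: int = 3   # lockouts before the extended block
    block_seconds: int = 24 * 3600   # extended block; temporary, not permanent
    attempt_window: int = 30 * 60    # assumed: failures older than this are forgotten
    lockout_window: int = 24 * 3600  # assumed: lockouts older than this are forgotten


@dataclass
class IPState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    lockouts: list = field(default_factory=list)  # timestamps of recent lockouts
    locked_until: float = 0.0
    blocked_until: float = 0.0


def client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Address to count against: X-Forwarded-For is believed only when the TCP
    peer is one of our own proxies, and then the rightmost non-proxy hop wins."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_proxy(text):
        return any(ipaddress.ip_address(text) in n for n in trusted)

    try:
        if not forwarded_for or not is_proxy(remote_addr):
            return remote_addr        # header absent, or sent by an untrusted peer
        for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
            if not is_proxy(hop):
                return hop
    except ValueError:                # malformed header: fall back to the peer address
        pass
    return remote_addr


class LoginGuard:
    def __init__(self, policy=None, whitelist=()):
        self.policy = policy or Policy()
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.state = {}

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def status(self, ip, now):
        """'allowed', 'locked' or 'blocked' for a request arriving at time now."""
        s = self.state.get(ip)
        if self._whitelisted(ip) or s is None:
            return "allowed"
        if now < s.blocked_until:
            return "blocked"
        if now < s.locked_until:
            return "locked"
        return "allowed"

    def record_failure(self, ip, now):
        """Count a failed login and return the IP's status afterwards."""
        current = self.status(ip, now)
        if current != "allowed" or self._whitelisted(ip):
            return current            # locked/blocked requests never reach the password check
        p, s = self.policy, self.state.setdefault(ip, IPState())
        s.failures = [t for t in s.failures if now - t < p.attempt_window] + [now]
        if len(s.failures) < p.max_attempts:
            return "allowed"
        s.failures.clear()            # threshold reached: this failure becomes a lockout
        s.lockouts = [t for t in s.lockouts if now - t < p.lockout_window] + [now]
        if len(s.lockouts) >= p.lockouts_before_block:
            s.lockouts.clear()        # fresh start once the block expires
            s.blocked_until = now + p.block_seconds
            return "blocked"
        s.locked_until = now + p.lockout_seconds
        return "locked"

    def record_success(self, ip):
        """A correct password clears the failure counter; lockout history stays."""
        if ip in self.state:
            self.state[ip].failures.clear()


def simulate_persistent_attacker(guard, ip):
    """Hammer one IP, waiting out each lockout, until the extended block lands."""
    now, seen = 0, []
    while guard.status(ip, now) != "blocked":
        seen.append(guard.record_failure(ip, now))
        now += 1 if seen[-1] == "allowed" else guard.policy.lockout_seconds + 1
    return now, seen
```

Running simulate_persistent_attacker(LoginGuard(), "203.0.113.7") gives four "allowed" failures, a "locked" fifth, two more rounds after waiting out each lockout, and "blocked" on the fifteenth failure, which is the "3 lockouts (15 failed attempts) = 24-hour block" figure from the thresholds section. Because lockouts age out of the window, a user who gets locked out once every few weeks never escalates to a block, and a whitelisted address never accumulates state at all.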

Configuring WP Folder Shield Auto-Block

Recommended Settings

Setting                  Value
Max Login Attempts       5
Lockout Duration         30 minutes
Enable Auto-Block        Yes
Lockouts Before Block    3
Block Duration           24 hours

For High-User Sites

More lenient to avoid blocking legitimate users:

  • Max Attempts: 7
  • Lockouts Before Block: 5
  • Or: Disable auto-block, rely on lockouts + 2FA

For High-Security Sites

More aggressive blocking:

  • Max Attempts: 3
  • Lockouts Before Block: 2
  • Block Duration: 72 hours
  • Mandatory 2FA for all users

Monitoring Auto-Blocks

Regular Review

Check blocked IPs periodically for:

  • Legitimate user IPs (whitelist them)
  • Patterns in attacker IPs (geolocation, ASN)
  • Effectiveness (are attacks decreasing?)
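A review pass over an exported block list, covering the checks in the list above and the shared-IP problem from the risks section, as an added example that is not WP Folder Shield's code. The sample export and the shared_ranges value are constructed from RFC 5737 documentation addresses; replace them with your own export and the office or campus ranges you know about. No ASN data is embedded; the /24 grouping is the pattern check you can do offline before an ASN lookup.

```python
"""Periodic review of a blocked-IP list (added example, not the plugin's code).

BLOCKED and the shared ranges passed to review() are constructed sample data.
"""
import ipaddress
from collections import Counter

# Address space that can never be a single Internet user: RFC 1918 private
# ranges, loopback, and RFC 6598 shared address space (100.64.0.0/10, used
# inside carrier-grade NAT). One of these in the block list means the
# counter was keyed on a proxy's or load balancer's address, not the
# client's, so every visitor behind it shared one counter.
NOT_A_CLIENT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "100.64.0.0/10")]

# Constructed sample export: (blocked ip, number of times it has been blocked)
BLOCKED = [
    ("203.0.113.7", 4), ("203.0.113.9", 1), ("203.0.113.44", 2),
    ("198.51.100.23", 1), ("192.0.2.15", 1), ("10.0.0.5", 6), ("100.72.1.9", 1),
]


def review(blocked, shared_ranges, cluster_min=3, recurring_min=2):
    """Sort a block list into the buckets the review checklist asks about."""
    shared = [ipaddress.ip_network(n) for n in shared_ranges]
    report = {"not_a_client": [], "known_shared": [], "attackers": [],
              "recurring": [], "clusters": {}}
    for ip, times_blocked in blocked:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in NOT_A_CLIENT):
            report["not_a_client"].append(ip)      # fix the proxy/header setup first
        elif any(addr in n for n in shared):
            report["known_shared"].append(ip)      # whitelist candidates: real users sit here
        else:
            report["attackers"].append(ip)
            if times_blocked >= recurring_min:
                report["recurring"].append(ip)     # came back after the block expired
    # Several blocked hosts in one /24 usually means one operator with a small
    # pool of addresses: the pattern worth a range block or an ASN lookup.
    by_net = Counter(str(ipaddress.ip_network(ip + "/24", strict=False))
                     for ip in report["attackers"])
    report["clusters"] = {net: n for net, n in by_net.items() if n >= cluster_min}
    return report


if __name__ == "__main__":
    # "198.51.100.0/24" stands in for a campus or office range you know about
    for bucket, items in review(BLOCKED, ["198.51.100.0/24"]).items():
        print(f"{bucket}: {items}")
```

With the sample data the two non-routable entries point at a proxy configuration problem to fix before tuning thresholds, the campus address is a whitelist candidate, three of the four remaining entries fall in one /24, and two of them have been blocked more than once, which is the case for a longer block duration.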

User Complaints

Track support requests about login issues. If increasing:

  • Thresholds may be too low
  • Shared IP problem
  • Need better password reset flow

Alternative: Threat Intelligence

Instead of only blocking based on your site's data, use WP Folder Shield's Threat Intelligence:

  • Pre-block known attacker IPs
  • Benefit from data across 10,000+ sites
  • Block attackers before they even try

Reputation data carries the same shared-IP weakness as local blocking: an address that attacked another site may be a VPN exit or a campus NAT that your own users sit behind, so confirm that your whitelist takes precedence over any imported block list.

Conclusion

Auto-blocking persistent attackers is an effective security measure when configured correctly. The key is finding the right thresholds: aggressive enough to stop attacks, lenient enough to avoid blocking legitimate users. Start with WP Folder Shield's defaults (3 lockouts = 24-hour block), monitor the results, and adjust based on your site's specific needs. Combined with whitelisting, 2FA, and threat intelligence, auto-blocking forms one layer of a comprehensive login security strategy.

Written by Sarah Chen

WP Folder Shield Team

Related Articles

Automated vs Manual WordPress Malware Scanning: Which is Better?

Compare automated and manual WordPress malware scanning approaches. Learn when to use each method...

January 17, 2026
Preventing WordPress Malware: 10 Essential Security Practices

Learn 10 essential security practices to prevent WordPress malware infections. Protect your site...

January 13, 2026
WordPress Directory Browsing: Why and How to Disable It

Learn why WordPress directory browsing is a security risk and how to disable it. Prevent attackers...

January 12, 2026
