Tutorials

WordPress Login Attempt Limiting: How Many Attempts Before Lockout?

Find the right balance for WordPress login attempt limits. Too few blocks legitimate users; too many lets attackers through. Learn optimal settings.

Emily Rodriguez
8 min read

Finding the Right Balance

Login attempt limiting is one of your first lines of defense against brute force attacks, but the settings matter. Too restrictive and you'll lock out legitimate users who mistype passwords. Too lenient and attackers get enough attempts to guess weak passwords. Keep in mind that most limiters count attempts per IP address: an attack spread across many addresses looks like many fresh clients, so limits slow that kind of attack rather than stop it, and strong passwords plus 2FA remain essential. This guide helps you find the optimal configuration for your WordPress site.

Understanding the Trade-offs

Too Few Attempts (2-3)

Pros:

  • Stops brute force very quickly
  • Attackers get almost no guesses per lockout window

Cons:

  • Users locked out for typos
  • Frustration for legitimate users
  • More support requests

Too Many Attempts (10+)

Pros:

  • Rarely locks out legitimate users
  • Less support burden

Cons:

  • Attackers get many guesses
  • Weak passwords vulnerable
  • Higher server load from attacks

Recommended Settings

For Most Sites: 5 Attempts

The default of 5 attempts works well for most WordPress sites:

  • Legitimate users rarely fail 5 times
  • Attackers get only five guesses per lockout window from each IP, far too few to work through even a short password list
  • Good balance of security and usability

For High-Security Sites: 3 Attempts

Sites with sensitive data (e-commerce, membership, enterprise):

  • 3 attempts before lockout
  • Combined with 2FA, so a guessed password alone is not enough to log in
  • Users encouraged to use password managers, which makes mistyped passwords (and therefore lockouts) rare

For High-Traffic Sites: 5-7 Attempts

Sites with many users or customers logging in:

  • Slightly higher threshold
  • Shorter lockout duration (15 minutes)
  • Mandatory 2FA compensates for the extra attempts

Lockout Duration Settings

First Lockout: 15-30 Minutes

  • 15 minutes: Good for high-traffic sites where lockouts are more likely accidental
  • 30 minutes: Standard recommendation, balances security and convenience

Progressive Lockouts

WP Folder Shield can increase lockout time for repeat offenders:

  • 1st lockout: 30 minutes
  • 2nd lockout: 1 hour
  • 3rd lockout: 4 hours
  • 4th+ lockout: 24 hours (or permanent block)

Configuring WP Folder Shield

Basic Settings

  1. Go to Folder Shield > Settings > Login Security
  2. Enable "Limit Login Attempts"
  3. Set "Max Login Attempts": 5
  4. Set "Lockout Duration": 30 minutes

Auto-Block Settings

  1. Enable "Auto-Block After Repeated Lockouts"
  2. Set "Lockouts Before Block": 3
  3. Set "Block Duration": 24 hours
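To see what the settings in this section actually buy you, here is a small model of a per-IP limiter with a progressive lockout schedule and auto-block, added as an example for this article. It is not WP Folder Shield's code; the class, method and setting names are assumptions chosen to mirror the options above, and the address used by the simulation is a documentation address. `guesses_per_day` replays an attacker hammering the login form from one address and counts how many password guesses get through in 24 hours under a given policy.

```python
"""Model of a per-IP login limiter with progressive lockouts and auto-block.
Added example for this article; not WP Folder Shield's code. Names and
defaults are assumptions chosen to match the settings discussed above."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence

MINUTE = 60
HOUR = 60 * MINUTE


@dataclass(frozen=True)
class Policy:
    max_attempts: int = 5
    # Lockout length for the 1st, 2nd, 3rd ... lockout; the last entry repeats.
    lockout_schedule: Sequence[int] = (30 * MINUTE, 1 * HOUR, 4 * HOUR, 24 * HOUR)
    # After this many lockouts the next threshold crossing becomes a block.
    # None disables auto-block.
    lockouts_before_block: Optional[int] = 3
    block_duration: int = 24 * HOUR


@dataclass
class ClientState:
    failures: int = 0        # consecutive failures since the last success/lockout
    lockouts: int = 0        # lockouts incurred so far
    locked_until: float = 0.0
    blocked_until: float = 0.0


class LoginLimiter:
    def __init__(self, policy: Policy, whitelist: Iterable[str] = ()):
        self.policy = policy
        self.whitelist = set(whitelist)      # trusted addresses, never limited
        self.clients: Dict[str, ClientState] = {}

    def _state(self, ip: str) -> ClientState:
        return self.clients.setdefault(ip, ClientState())

    def status(self, ip: str, now: float) -> str:
        """'allowed', 'locked' or 'blocked' for an attempt from ip at time now."""
        if ip in self.whitelist:
            return "allowed"
        s = self._state(ip)
        if now < s.blocked_until:
            return "blocked"
        if now < s.locked_until:
            return "locked"
        return "allowed"

    def record_failure(self, ip: str, now: float) -> str:
        """Record a wrong password from ip at time now; returns the new status."""
        current = self.status(ip, now)
        if current != "allowed" or ip in self.whitelist:
            return current       # attempts during a lockout are rejected, not counted
        s = self._state(ip)
        s.failures += 1
        if s.failures < self.policy.max_attempts:
            return "allowed"
        # Threshold reached: reset the counter, then lock out or block.
        s.failures = 0
        s.lockouts += 1
        p = self.policy
        if p.lockouts_before_block is not None and s.lockouts > p.lockouts_before_block:
            s.blocked_until = now + p.block_duration
            return "blocked"
        idx = min(s.lockouts, len(p.lockout_schedule)) - 1
        s.locked_until = now + p.lockout_schedule[idx]
        return "locked"

    def record_success(self, ip: str) -> None:
        """A correct login clears the failure streak and the lockout history."""
        if ip not in self.whitelist:
            self.clients[ip] = ClientState()

    def clear_lockout(self, ip: str) -> None:
        """Admin action: manually clear a lockout or block for one address."""
        self.clients.pop(ip, None)


def guesses_per_day(policy: Policy, horizon: float = 24 * HOUR) -> int:
    """Password guesses one attacking address gets through in `horizon` seconds,
    assuming it retries as soon as each lockout expires (one guess per second)."""
    lim = LoginLimiter(policy)
    ip = "203.0.113.7"                    # constructed documentation address
    now, guesses = 0.0, 0
    while now < horizon:
        if lim.status(ip, now) == "allowed":
            guesses += 1
            lim.record_failure(ip, now)
            now += 1
        else:                             # skip ahead to the end of the lockout/block
            s = lim.clients[ip]
            now = max(s.locked_until, s.blocked_until)
    return guesses


if __name__ == "__main__":
    print("default policy:", guesses_per_day(Policy()))                      # 20
    flat = Policy(lockout_schedule=(30 * MINUTE,), lockouts_before_block=None)
    print("flat 30 min, no auto-block:", guesses_per_day(flat))             # 240
```

With the default policy (5 attempts, 30 min / 1 h / 4 h, block after the third lockout) a single address gets 20 guesses in a day; with a flat 30-minute lockout and no auto-block it gets 240. Neither is enough against a decent password, but the difference matters for weak ones. The `whitelist` and `clear_lockout` paths correspond to the two admin actions described later for handling a locked-out colleague, and a successful login resets the counter so a user who mistypes a few times is not carried toward a lockout across sessions.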

Special Considerations

When 2FA is Enabled

If all admin users have 2FA enabled, you can be slightly more lenient with password attempts, because a guessed password alone no longer grants access. This only holds for accounts that actually have 2FA: if editors, subscribers or customers can log in without it, the attempt limit is still what protects those accounts.

For Developer/Agency Sites

If multiple developers access the site:

  • Whitelist office IP addresses (behind a CDN or reverse proxy, first check that the plugin sees the real client address rather than the proxy's; whitelisting the proxy address would exempt every visitor)
  • Use standard limits for external IPs
  • Consider IP-based 2FA bypass only for networks you control that already require their own authentication, such as a VPN; a compromised machine on a bypassed network walks straight past 2FA

For Membership Sites

Sites where many users log in regularly:

  • 5-7 attempts before lockout
  • 15-minute lockout duration
  • Clear messaging on the lockout page (say how long to wait, but don't reveal whether the username exists)
  • Easy password reset process

Handling Lockout Complaints

Proactive Communication

  • Explain login limits to users
  • Encourage password managers
  • Provide clear password reset process

When Users Get Locked Out

  1. Wait for lockout to expire
  2. Use password reset if password forgotten
  3. Admin can whitelist IP if needed
  4. Admin can clear lockout manually

Monitoring Effectiveness

Check Security Logs

Review logs for:

  • Legitimate users being locked out (too restrictive?)
  • Attackers getting many attempts before lockout (too lenient?)
  • Patterns in attack IPs

Adjust Based on Data

If you see:

  • Many legit lockouts → Increase attempts to 7, add 2FA
  • Successful brute force → Decrease attempts to 3, require 2FA, reset the compromised account's password and review what it did while logged in
  • Same IPs attacking repeatedly → Enable threat intelligence
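The log review above is easier to do with a script than by eye. The following example is added for this article and is not WP Folder Shield's code; its log format (`timestamp FAILED|SUCCESS ip=... user=...`) and the sample lines are constructed for illustration, so adapt `LINE_RE` to whatever your plugin or web server actually writes. It replays the events against the configured attempt limit to count lockouts per address, then separates addresses that locked themselves out and later logged in (usually a real user, the "too restrictive" signal) from addresses that never succeed or that succeed only after trying many usernames, and groups attacking addresses by /24 to surface a coordinated source.

```python
"""Triage of WordPress login events: legitimate lockouts vs. brute-force sources.
Added example for this article; the log format and sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed sample events (documentation addresses). Adapt LINE_RE to your real log.
SAMPLE_LOG = """\
2026-01-15T09:00:01Z FAILED ip=203.0.113.7 user=admin
2026-01-15T09:00:02Z FAILED ip=203.0.113.7 user=administrator
2026-01-15T09:00:03Z FAILED ip=203.0.113.7 user=wpadmin
2026-01-15T09:00:04Z FAILED ip=203.0.113.7 user=admin
2026-01-15T09:00:05Z FAILED ip=203.0.113.7 user=editor
2026-01-15T09:00:20Z FAILED ip=203.0.113.9 user=admin
2026-01-15T09:00:21Z FAILED ip=203.0.113.9 user=admin
2026-01-15T09:00:22Z FAILED ip=203.0.113.9 user=admin
2026-01-15T09:00:23Z FAILED ip=203.0.113.9 user=admin
2026-01-15T09:00:24Z FAILED ip=203.0.113.9 user=admin
2026-01-15T09:01:00Z FAILED ip=203.0.113.50 user=admin
2026-01-15T09:01:01Z FAILED ip=203.0.113.50 user=root
2026-01-15T09:01:02Z FAILED ip=203.0.113.50 user=test
2026-01-15T09:01:03Z FAILED ip=203.0.113.50 user=admin
2026-01-15T09:01:04Z FAILED ip=203.0.113.50 user=admin
2026-01-15T09:31:10Z SUCCESS ip=203.0.113.50 user=admin
2026-01-15T10:12:40Z FAILED ip=198.51.100.23 user=emily
2026-01-15T10:12:55Z FAILED ip=198.51.100.23 user=emily
2026-01-15T10:13:10Z FAILED ip=198.51.100.23 user=emily
2026-01-15T10:13:30Z FAILED ip=198.51.100.23 user=emily
2026-01-15T10:13:50Z FAILED ip=198.51.100.23 user=emily
2026-01-15T10:45:02Z SUCCESS ip=198.51.100.23 user=emily
2026-01-15T11:05:00Z FAILED ip=192.0.2.44 user=maria
2026-01-15T11:05:30Z SUCCESS ip=192.0.2.44 user=maria
this line is not a login event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>FAILED|SUCCESS) "
    r"ip=(?P<ip>[0-9.]+) user=(?P<user>\S+)$"
)


@dataclass
class IpSummary:
    failures: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    lockouts: int = 0      # times max_attempts consecutive failures were reached
    streak: int = 0        # current run of consecutive failures


def parse_events(log: str):
    """Parse matching lines into (timestamp, result, ip, user), oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # other log types or noise
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["ip"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def summarize(log: str, max_attempts: int = 5) -> Dict[str, IpSummary]:
    """Replay events per IP, counting a lockout every max_attempts consecutive failures."""
    per_ip: Dict[str, IpSummary] = defaultdict(IpSummary)
    for _, result, ip, user in parse_events(log):
        s = per_ip[ip]
        s.users.add(user)
        if result == "SUCCESS":
            s.successes += 1
            s.streak = 0                   # a correct login resets the counter
            continue
        s.failures += 1
        s.streak += 1
        if s.streak >= max_attempts:
            s.lockouts += 1
            s.streak = 0
    return dict(per_ip)


def classify(s: IpSummary) -> str:
    if s.successes:
        if s.lockouts and len(s.users) > 1:
            return "possible successful brute force"   # many usernames, then a login
        if s.lockouts:
            return "legitimate user locked out"        # one account, eventually got in
        return "normal"
    if s.lockouts or len(s.users) >= 3:
        return "attacker"                              # never succeeds, keeps guessing
    return "unknown"


ATTACK_LABELS = {"attacker", "possible successful brute force"}


def triage(log: str, max_attempts: int = 5) -> Dict[str, str]:
    return {ip: classify(s) for ip, s in summarize(log, max_attempts).items()}


def attack_subnets(labels: Dict[str, str], prefix: int = 24) -> Dict[str, List[str]]:
    """Group attacking IPs by /prefix; two or more in one subnet suggests one source."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip, label in labels.items():
        if label in ATTACK_LABELS:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            groups[str(net)].append(ip)
    return {net: sorted(ips) for net, ips in groups.items() if len(ips) >= 2}


if __name__ == "__main__":
    labels = triage(SAMPLE_LOG)
    for ip, label in sorted(labels.items()):
        print(f"{ip:16} {label}")
    print("attack subnets:", attack_subnets(labels))
```

Re-running `triage()` with a higher `max_attempts` shows the trade-off directly: at 7 attempts the locked-out legitimate user disappears from the report, but so does the lockout signal for the single-username attacker, which then only shows up by its raw failure count.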

Recommended Configuration Summary

Site Type       Attempts   Lockout   Auto-Block
Personal Blog   5          30 min    After 3 lockouts
Business Site   5          30 min    After 3 lockouts
E-Commerce      3-5        30 min    After 2 lockouts
Membership      5-7        15 min    After 4 lockouts
Enterprise      3          60 min    After 2 lockouts

Conclusion

There's no universal "right" setting for login attempt limits—it depends on your site, users, and risk tolerance. Start with WP Folder Shield's defaults (5 attempts, 30 minutes), monitor your logs, and adjust based on what you see. Combined with 2FA and other protections, these limits form a critical defense against brute force attacks.

Written by Emily Rodriguez

WP Folder Shield Team
