WordPress: limit login attempts (without plugins)

I'm looking for a way to limit the attempts a user can make to log in. I saw this plugin, but it hasn't been updated in over 2 years, and if available I always prefer a way that doesn't involve plugins. :)

Is there a variable that can be set in wp-config.php?

Otherwise, is there a way to achieve this via webserver config? I have nginx 1.7.4.

I found this class.

<?php
/**
 * CLASS LIMIT LOGIN ATTEMPTS
 * Prevent mass WordPress login attacks by locking the system when logins fail.
 * To be added in functions.php or as an external file.
 */
if ( ! class_exists( 'Limit_Login_Attempts' ) ) {
    class Limit_Login_Attempts {
        public $failed_login_limit = 3;     // Number of failed login attempts allowed
        public $lockout_duration   = 1800;  // Lockout duration in seconds. 30 minutes: 60*30 = 1800
        // Transient used. This single key is shared by every visitor,
        // so the counter and the lockout are site-wide, not per IP or per user.
        public $transient_name     = 'attempted_login';

        public function __construct() {
            // Priority 30 runs after WordPress' own credential checks (priority 20)
            add_filter( 'authenticate', array( $this, 'check_attempted_login' ), 30, 3 );
            add_action( 'wp_login_failed', array( $this, 'login_failed' ), 10, 1 );
        }

        /**
         * Lock login attempts if the failed login limit is reached
         */
        public function check_attempted_login( $user, $username, $password ) {
            $datas = get_transient( $this->transient_name );
            if ( $datas && $datas['tried'] >= $this->failed_login_limit ) {
                // Expiry timestamp of the transient; this option only exists
                // when transients are stored in the database (no external object cache)
                $until = get_option( '_transient_timeout_' . $this->transient_name );
                $time  = $this->when( $until );
                // Display error message to the user when limit is reached
                return new WP_Error( 'too_many_tried', sprintf( __( '<strong>HATA</strong>: Kimlik dogrulama sinirina ulastiniz, %1$s sonra lutfen tekrar deneyiniz.' ), $time ) );
            }
            return $user;
        }

        /**
         * Add or update the transient after a failed login
         */
        public function login_failed( $username ) {
            $datas = get_transient( $this->transient_name );
            if ( $datas ) {
                $datas['tried']++;
                // Stop updating once the limit is exceeded so the lockout can expire
                if ( $datas['tried'] <= $this->failed_login_limit ) {
                    set_transient( $this->transient_name, $datas, $this->lockout_duration );
                }
            } else {
                $datas = array(
                    'tried' => 1,
                );
                set_transient( $this->transient_name, $datas, $this->lockout_duration );
            }
        }

        /**
         * Return difference between 2 given dates
         * @param  int      $time   Date as Unix timestamp
         * @return string           Return string
         */
        private function when( $time ) {
            if ( ! $time ) {
                return '';
            }
            $right_now = time();
            $diff      = abs( $right_now - $time );
            $second    = 1;
            $minute    = $second * 60;
            $hour      = $minute * 60;
            if ( $diff < $minute ) {
                return floor( $diff / $second ) . ' saniye';
            }
            if ( $diff < $minute * 2 ) {
                return "yaklasik 1 dakika once";
            }
            if ( $diff < $hour ) {
                return floor( $diff / $minute ) . ' dakika';
            }
            if ( $diff < $hour * 2 ) {
                return 'yaklasik  1 saat once';
            }
            return floor( $diff / $hour ) . ' saat';
        }
    }
}
//Enable it:
new Limit_Login_Attempts();

Although the post is quite old I will provide my findings because I couldn't find the answer myself until today. Looked in the codex and whatnot, but everywhere I got ordered to use a plugin - which I do not want.

So to answer your question:

Is there a variable that can be set in wp-config.php?

No, there is not a variable you can set in wp-config.

Otherwise, is there a way to achieve this via webserver config? I have nginx 1.7.4.

I am no webserver magician but I guess not.

But! - From this blog post by Etienne Tremel I got that there is a filter:

add_filter( 'authenticate', (...)

and function hook:

add_action( 'wp_login_failed', (...)

you can use to tap into the login-process. With that information I was able to anticipate on login-attempts with my own custom code.

In his blog-article you'll find a copy paste piece of code to dump in your functions.php file.
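
A per-client variant built on the two hooks named in this answer, as an added example that is not part of the original post or of the linked article: the counter is keyed on the client address, so one client's failures do not lock out every other visitor the way the shared transient in the question's class does. The `mysite_` names and constants are hypothetical, and the code assumes `REMOTE_ADDR` is the real client address (no reverse proxy in front of PHP).

```php
<?php
// Added example: per-IP login throttling using WordPress core hooks only.
const MYSITE_LOGIN_LIMIT   = 3;     // failed attempts allowed per client (hypothetical name)
const MYSITE_LOGIN_LOCKOUT = 1800;  // lockout length in seconds

// Build one transient name per client address.
function mysite_login_key() {
    // Assumption: REMOTE_ADDR is the client, not a proxy or load balancer.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Hash the address so the transient name stays short and fixed-length.
    return 'login_fail_' . md5( $ip );
}

// Priority 30 runs after WordPress' own credential checks (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $state = get_transient( mysite_login_key() );
    if ( is_array( $state ) && $state['tried'] >= MYSITE_LOGIN_LIMIT ) {
        $wait = max( 0, $state['until'] - time() );
        return new WP_Error(
            'too_many_tried',
            sprintf( 'Too many failed logins. Try again in %d minutes.', (int) ceil( $wait / 60 ) )
        );
    }
    return $user;
}, 30, 3 );

add_action( 'wp_login_failed', function ( $username ) {
    $key   = mysite_login_key();
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'tried' => 0, 'until' => 0 );
    }
    // A blocked request also fires wp_login_failed; do not extend the lockout for it.
    if ( $state['tried'] >= MYSITE_LOGIN_LIMIT ) {
        return;
    }
    $state['tried']++;
    // Keep the expiry inside the value, so it can be read back with any
    // transient backend instead of via the _transient_timeout_ option.
    $state['until'] = time() + MYSITE_LOGIN_LOCKOUT;
    set_transient( $key, $state, MYSITE_LOGIN_LOCKOUT );
}, 10, 1 );
```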

The best place to start would be downloading and looking under the hood of a plugin that already does this. Studying what methods can be employed will help you in your implementation regardless if the plugin is up to date or not.

Here are more options you can look at: http://www.privacydusk.com/other-privacy/best-wordpress-plugins-to-limit-login-brute-force-attacks/

Protecting this kind of functionality is indeed best done outside this application and even its programming language.

Denying connections is typically the task of a firewall and this also protects the webserver.

Put these two together and you quickly arrive at fail2ban or sshguard. A hosting company I work with has done exactly that, so I know it's possible to do that. They use a four strikes and you're out policy. I'm not sure if their code is public, but it shouldn't be too hard to come up with a recipe, both have excellent documentation.

Comments
  • Have you seen http://codex.wordpress.org/Brute_Force_Attacks#Plugins?
  • I still use Limit Login Attempts as an MU Plugin and it works great for me.
  • Not sure why people keep missing the without plugins part in the question.
  • Study a plugin and learn the "method". Is there a method that sets a variable? This is something that can easily be learned by examining what's already out there. That will help the OP find a way to implement this without a plugin.
  • Writing your own plugin or using another makes little difference. In fact a third party plugin is then preferable. Using the principles but modifying a core file becomes hard to maintain.
  • That is questionable. It really depends on one's programming skills and knowledge of the WordPress plugin architecture.