How to Lock WordPress Login Page After Multiple Failed Attempts Without Plugins

If you manage a WordPress website, security should always be a top priority. One common threat is brute-force login attempts, where bots or malicious users try to guess your admin credentials by repeatedly entering usernames and passwords. Using a plugin can help, but what if you prefer to avoid adding more plugins to your site?

In this article, we’ll explain how to lock your WordPress login page after multiple failed attempts without using any plugins. These methods are for those who want better security without bloating their site.

Why You Should Limit Login Attempts

By default, WordPress allows unlimited login attempts. This means an attacker can try thousands of password combinations without being stopped. Locking access after a few failed attempts:

  • Helps prevent brute-force attacks.

  • Reduces unnecessary load on your server.

  • Sends a signal that your site has basic defenses in place.

Prerequisites

Before you proceed, make sure you have:

  • Access to your web hosting control panel or FTP/SFTP.

  • Basic knowledge of editing WordPress or server files.

  • A backup of your site just in case.

Method 1: Use .htaccess to Block Failed IPs

If you’re using the Apache web server, you can use the .htaccess file to restrict access to the login page; the monitoring itself comes from your server’s access logs.

Step 1: Create a Custom Fail2Ban Rule (for sysadmins)

This part is more advanced and is generally handled at server level: Fail2Ban watches the web server log for repeated failed logins and adds a temporary firewall rule for the offending IP. If you’re not going that far, skip to the manual method below.

Step 2: Manually Block IPs in .htaccess

You can monitor failed login attempts through your hosting logs, and then block suspicious IPs manually.

<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from 192.168.1.100
</Limit>

Replace 192.168.1.100 with the actual IP address you want to block. Note that a <Limit GET POST> block applies the deny only to the listed HTTP methods; drop the <Limit> wrapper if you want the rule to cover every request.
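Finding the addresses to block by hand is tedious, so here is an added example (not code from the original article) that scans an Apache combined-format access log for repeated POSTs to wp-login.php and prints ready-to-paste Deny lines. It relies on the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302; the threshold, function names and sample log lines are this example’s own.

```php
<?php
// Added example, not from the original article: count POST /wp-login.php
// requests that got HTTP 200 (a re-rendered form, i.e. a failed login; a
// success redirects with 302) per client IP, and emit .htaccess Deny lines.
// The 200-means-failure rule is a heuristic, not a certainty.

function find_failed_login_ips(array $log_lines, int $threshold = 5): array {
    // Client IP, then the request line and status code of the combined format.
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \S*wp-login\.php[^"]*" 200 /';
    $counts = [];
    foreach ($log_lines as $line) {
        if (preg_match($pattern, $line, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    // Keep only addresses that reached the threshold; the value is the count.
    return array_filter($counts, fn(int $n): bool => $n >= $threshold);
}

function htaccess_deny_rules(array $ip_counts): string {
    // No <Limit> wrapper, so the deny applies to every HTTP method.
    $rules = "Order Allow,Deny\nAllow from all\n";
    foreach (array_keys($ip_counts) as $ip) {
        $rules .= "Deny from {$ip}\n";
    }
    return $rules;
}

// Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
$sample = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2024:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// For a real log: $lines = file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES);
echo htaccess_deny_rules(find_failed_login_ips($sample, 3));
```

With the sample above only 203.0.113.7 reaches the threshold, so the output is the three header lines followed by a single Deny from 203.0.113.7.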

To deny everyone except your own IP address access to /wp-login.php, you can write:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADD.RESS
</Files>

This way, only you can access the login page.

Method 2: Lock Out Users with PHP Session and Counter

If you’re comfortable editing theme or site files, you can create a custom PHP script to limit login attempts by session.

Step 1: Open Your functions.php File

Go to your theme folder (usually under /wp-content/themes/your-theme/) and edit the functions.php file.

Step 2: Add the Following Code

function limit_login_attempts() {
    // Only start a session if none is active yet.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    $max_attempts = 3;
    $lockout_time = 300; // seconds (5 minutes)

    if (!isset($_SESSION['failed_attempts'])) {
        $_SESSION['failed_attempts'] = 0;
        $_SESSION['lockout_time'] = 0;
    }

    // Only act on requests for the login page.
    if (strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false) {
        // An expired lockout resets the counter; without this, the very next
        // failure would lock the session again.
        if ($_SESSION['lockout_time'] > 0 && time() >= $_SESSION['lockout_time']) {
            $_SESSION['failed_attempts'] = 0;
            $_SESSION['lockout_time'] = 0;
        }

        // Still locked out: stop the request before WordPress processes the form.
        if (time() < $_SESSION['lockout_time']) {
            wp_die('Too many failed login attempts. Please try again later.');
        }

        // The login form posts the username as "log" and the password as "pwd".
        if (isset($_POST['log']) && isset($_POST['pwd'])) {
            $creds = array(
                'user_login'    => $_POST['log'],
                'user_password' => $_POST['pwd'],
                'remember'      => true
            );

            $user = wp_signon($creds, false);

            if (is_wp_error($user)) {
                $_SESSION['failed_attempts']++;

                if ($_SESSION['failed_attempts'] >= $max_attempts) {
                    $_SESSION['lockout_time'] = time() + $lockout_time;
                }
            } else {
                $_SESSION['failed_attempts'] = 0;
            }
        }
    }
}
add_action('init', 'limit_login_attempts');

What This Code Does:

  • It starts a session to track failed login attempts.

  • After 3 failed logins, the user will be locked out for 5 minutes.

  • It only applies to the current browser session (the PHP session cookie), not to the client’s IP address, so a client that discards the cookie starts with a fresh counter.

Note: This method is basic and works best for small sites. For multi-user websites, consider implementing server-side rules.
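For a lockout that does not depend on the client keeping its session cookie, here is an added example (not code from the original article) that tracks failures per IP address in WordPress transients, using the core wp_login_failed, authenticate and wp_login hooks. The nl_ function names, the constants and the 3-attempt / 5-minute limits are this example’s own choices.

```php
<?php
// Added example, not code from the original article: a per-IP lockout that
// keeps the failure counter in WordPress transients (site-wide storage) rather
// than a PHP session, so it holds even when a client sends no session cookie.
// Hooks and transient functions are WordPress core; "nl_" names are ours.

const NL_MAX_ATTEMPTS    = 3;
const NL_LOCKOUT_SECONDS = 300; // 5 minutes, as in the session version above

// Transient key for this client. REMOTE_ADDR is the TCP peer; behind a reverse
// proxy, let the proxy set it rather than reading X-Forwarded-For, which any
// client can forge.
function nl_key(string $suffix): string {
    return 'nl_' . $suffix . '_' . md5($_SERVER['REMOTE_ADDR'] ?? '');
}

// Count a failed login and start the lockout once the limit is reached.
function nl_record_failure($username): void {
    if (get_transient(nl_key('lock')) !== false) {
        return; // already locked out; do not extend the lockout
    }
    $attempts = (int) get_transient(nl_key('fail')) + 1;
    if ($attempts >= NL_MAX_ATTEMPTS) {
        set_transient(nl_key('lock'), time() + NL_LOCKOUT_SECONDS, NL_LOCKOUT_SECONDS);
        delete_transient(nl_key('fail'));
    } else {
        set_transient(nl_key('fail'), $attempts, NL_LOCKOUT_SECONDS); // counter expires too
    }
}
add_action('wp_login_failed', 'nl_record_failure');

// Refuse a locked-out IP. Priority 50 runs after core's username/password
// callbacks (priority 20), so a correct password cannot override the lockout.
function nl_block_locked($user, $username, $password) {
    $until = get_transient(nl_key('lock'));
    if ($until === false) {
        return $user;
    }
    $minutes = max(1, (int) ceil(($until - time()) / 60));
    return new WP_Error('nl_locked',
        sprintf('Too many failed login attempts. Try again in %d minute(s).', $minutes));
}
add_filter('authenticate', 'nl_block_locked', 50, 3);

// A successful login clears the counter for this IP.
function nl_clear_counter($user_login, $user): void {
    delete_transient(nl_key('fail'));
}
add_action('wp_login', 'nl_clear_counter', 10, 2);
```

Because the counter is keyed by IP, users sharing one address (an office NAT, for example) share one counter and can lock each other out; raise the limits if that matters for your site.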

Method 3: Rename the Login URL (Manually)

Though not technically limiting attempts, renaming your login page is an effective deterrent against bots.

How to Do It:

  1. Open wp-login.php and rename it to something like secure-login.php.

  2. Update every instance inside the file from wp-login.php to secure-login.php.

Caution: This method is not officially supported by WordPress. Core updates may break this approach.

Alternatively, configure .htaccess or Nginx to rewrite login URLs to an alias.

Method 4: Use IP-Based Firewall Rules via .htaccess

You can protect your wp-login.php and wp-admin directory with IP filtering.

<Files wp-login.php>
Order deny,allow
Deny from all
Allow from YOUR.IP.ADD.RESS
</Files>

Apache does not accept a <Directory> block inside an .htaccess file, so to protect wp-admin create a second .htaccess file inside the wp-admin directory itself containing:

Order deny,allow
Deny from all
Allow from YOUR.IP.ADD.RESS

This only allows access from your IP address. Two caveats: the Order/Deny/Allow syntax is Apache 2.2 and works on 2.4 only with mod_access_compat loaded (the native 2.4 equivalent is Require ip), and some themes and plugins call wp-admin/admin-ajax.php for visitors who are not logged in, so if your site relies on that, exempt admin-ajax.php with its own <Files> block that allows everyone.

Additional Tips

  • Use strong passwords: Even with login limits, weak passwords can still be guessed.

  • Change default username: Avoid using admin as the username.

  • Monitor access logs: Check for repeated hits to the login page.

  • Enable 2FA: If possible, manually implement a two-factor login mechanism.

Conclusion

Locking your WordPress login page after multiple failed attempts is a smart way to protect your site from brute-force attacks. Even without using plugins, you can take strong measures by:

  • Editing .htaccess to restrict IPs.

  • Writing a custom PHP script to limit login attempts.

  • Renaming the login page or using IP whitelisting.

These methods might require a little technical effort, but they go a long way in enhancing your website’s security—without overloading it with unnecessary plugins.