Limit WordPress Login Attempts Without Plugin – Simple Code Fix

Want to limit WordPress login attempts without a plugin? 🚀
If you’ve noticed bots or hackers repeatedly trying to log into your WordPress site, you can stop them easily.
With just a few lines of PHP code, you can block brute-force attacks, limit login attempts, and secure your website — all without using any plugin.

💻 The Code to Limit WordPress Login Attempts Without Plugin

Here’s the complete working code you can paste into your site 👇

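// Limit login attempts
$max_attempts = 3;

// Count failed logins per username; lowercased so "Admin" and "admin" share one counter
add_action('wp_login_failed', function($username) use ($max_attempts) {
    $key = 'login_attempts_' . strtolower($username);
    $attempts = (int) get_transient($key);
    $remaining = $max_attempts - ($attempts + 1);

    if ($attempts >= $max_attempts) {
        wp_die('❌ Too many attempts! Please try again after 5 minutes.');
    }

    set_transient($key, $attempts + 1, 5 * 60);
    wp_die("⚠️ Login failed! Invalid username or password. Remaining attempts: $remaining");
});

// Enforce the block: once the limit is reached, refuse the login even if the
// password is correct (wp_login_failed alone only fires on wrong passwords)
add_filter('authenticate', function($user, $username) use ($max_attempts) {
    if ($username && (int) get_transient('login_attempts_' . strtolower($username)) >= $max_attempts) {
        return new WP_Error('too_many_attempts', 'Too many attempts! Please try again after 5 minutes.');
    }
    return $user;
}, 30, 2);

// Reset attempts on successful login
add_action('wp_login', function($user_login) {
    delete_transient('login_attempts_' . strtolower($user_login));
}, 10, 1);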

🧩 How to Add This Code and Limit WordPress Login Attempts

You can safely add the above snippet in one of the following ways:

  1. Child Theme’s functions.php file
  2. Code Snippets Plugin (recommended for non-developers)
  3. Your own custom plugin for tweaks

⚠️ Don’t edit the main theme file — changes will disappear after updates.

🛡️ What This Code Does

  • Limits login attempts: Only 3 failed logins allowed per user
  • Shows remaining attempts: Clearly tells users how many tries they have left
  • Temporary block: Locks the user for 5 minutes after 3 failed attempts
  • Auto reset: Resets attempt count on successful login
  • Lightweight & plugin-free: Uses only core WordPress hooks and Transients

🧠 Why Limit Login Attempts Without Plugin?

Brute-force attacks are one of the most common security threats for WordPress.
Plugins can solve it, but they add extra weight.

By using this code, you:

  • Keep your site light and fast
  • Reduce login attack risks
  • Learn how WordPress hooks and transients work

This approach is developer-friendly, update-safe, and efficient.

⚙️ Customize the Code

You can easily change the behavior:

  • Change $max_attempts = 3; → Increase or decrease allowed attempts
  • Modify 5 * 60 → Adjust block duration (seconds)
  • Replace wp_die() with redirect logic

Example:

wp_redirect(home_url('/login-error/'));
exit;

Now users are sent to a friendly message page instead of seeing a raw error.

🌍 Bonus: Bangla Version (for Local Developers)

A small tip for developers in Bangladesh 🧠
With the code on this page, you can easily limit login attempts.
✔️ Maximum of 3 wrong attempts
✔️ 5-minute block
✔️ Automatic reset on successful login

No plugin needed: just copy the code and paste it in! 🔐

✅ Conclusion

You don’t always need heavy security plugins to protect your WordPress login.
By learning to limit WordPress login attempts without a plugin, you strengthen your website using native WordPress functionality.

Lightweight, smart, and safe — that’s how professional developers keep their sites secure. 💪

📘 FAQ

Q1. Can I use this instead of a plugin like Limit Login Attempts Reloaded?
Yes! This code does the same thing — but lighter and plugin-free.

Q2. Can I adjust the time or attempt count?
Absolutely. You can change $max_attempts or timeout (5 * 60) as needed.

Q3. Will this block all users globally?
No, it tracks by username. You can extend it by IP if required.

Q4. How do I reset the lock manually?
Just wait 5 minutes or log in successfully — it resets automatically.
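
Q3 says the counter can be extended by IP. The snippet below is an added example, not code from the original post: it keys the counter on client IP plus account and enforces the lock in the authenticate filter. The lla_key function, the LLA_ constants and the lla_locked error code are hypothetical names; it assumes WordPress 5.4 or later (where wp_login_failed also passes the error) and that REMOTE_ADDR is the real client address.

```php
// Added example, not part of the original post. Names prefixed lla_/LLA_ are hypothetical.
define('LLA_MAX_ATTEMPTS', 3);       // same limit as the post's snippet
define('LLA_LOCK_SECONDS', 5 * 60);  // same 5-minute window

// Transient key for one (client IP, account) pair.
function lla_key($username) {
    $name = strtolower(trim((string) $username));
    // Map an e-mail login to its account so both spellings share one counter.
    $user = is_email($name) ? get_user_by('email', $name) : false;
    if ($user) {
        $name = strtolower($user->user_login);
    }
    // Assumption: REMOTE_ADDR is the real client. Behind a reverse proxy or
    // CDN it is the proxy's address and every visitor would share a counter.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // md5 is used only to get a short, fixed-length key, not for secrecy.
    return 'lla_' . md5($ip . '|' . $name);
}

// Priority 30 runs after core's password checks (priority 20), so a locked
// pair is refused even when the submitted password is correct.
add_filter('authenticate', function ($user, $username) {
    if ($username && (int) get_transient(lla_key($username)) >= LLA_MAX_ATTEMPTS) {
        return new WP_Error('lla_locked', 'Too many attempts! Please try again after 5 minutes.');
    }
    return $user;
}, 30, 2);

// Count real failures only. Refusals caused by the lock are skipped, so the
// lock ends LLA_LOCK_SECONDS after the last counted failure.
add_action('wp_login_failed', function ($username, $error = null) {
    if (is_wp_error($error) && $error->get_error_code() === 'lla_locked') {
        return;
    }
    $key = lla_key($username);
    set_transient($key, (int) get_transient($key) + 1, LLA_LOCK_SECONDS);
}, 10, 2);

// A successful login clears the counter for this client and account.
add_action('wp_login', function ($user_login) {
    delete_transient(lla_key($user_login));
}, 10, 1);
```

Use it in place of the snippet at the top of the page rather than alongside it. Keying on IP keeps a stranger's failed guesses from locking the real user out, but the limit then applies per address rather than per account.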
