As a WordPress developer, I quite frequently deal with clients who have had their WordPress installations hacked. The number one cause that I have seen from these hacks are short/insecure passwords. I actually dealt with so many of these issues that I wrote a small ebook called The Concise Guide to Securing WordPress and Repairing Hacks. For my clients, I also wrote a small plugin to limit the number of login attempts a user could preform. This is a highly effective way to slow down a brute force login attempt. When a hacker is blocked for even just 30 seconds for every 5 bad passwords, they are going to move onto a different site (unless they really want to hack your site).

This plugin uses the WordPress hook and transient API (which is great), by default I limit the login attempts to 5 every 30 seconds, but the error message (a simple wp_die function call) states that the user will be locked out for 5 minutes. I simply create the mu-plugins folder in all of my client’s wp-content directory and throw this code into a php file in that directory. Instantly their WordPress security is increased drastically!

Note: There is actually a plugin out there already called Limit Login Attempts, it basically has the same functionality as the code above, except they also pay attention to cookies and don’t use WordPress transients. They also have an admin interface, but I prefer to leave it in the code for a security plugin… that and being in the mu-plugins directory makes it a little safer, since it’s hard to get to from the WordPress dashboard.