WordPress • Limit Login Attempts Without Plugin

The following code provides a mechanism for limiting the number of login attempts within a specified timespan, without requiring the use of a Plugin. This functionality can be particularly useful in preventing Brute Force Attacks, which is a method used by hackers to guess passwords, login credentials, and encryption keys through trial and error.

Here the code:

if ( ! class_exists( 'liin_Limit_Login_Attempts' ) ) {

class liin_Limit_Login_Attempts {

    /**
     * The number of attempts allowed
     *
     * @since    1.0.0
     * @access   protected
     * @var      int    $attempts.
     */
    protected $attempts;


    /**
     * The number of seconds blocked
     *
     * @since    1.0.0
     * @access   protected
     * @var      int    $seconds_locked.
     */
    protected $seconds_locked;


    public function __construct() {
        $this->attempts = 5;
        $this->seconds_locked = 60;
        add_action( 'wp_login_failed', [ $this, 'login_failed' ], 10, 3 );
        add_filter( 'authenticate', [ $this, 'authentication' ], 30, 3 );
    }


    /**
     * Handle authentication based on the login attempts
     *
     * Triggered by the 'authenticate' filter hook. The Hook is used to perform additional validation/authentication any time a user logs in to WordPress.
     *
     * @since    1.0.0
     */
    public function authentication( $user, $username, $password ) {
        $transient = get_transient('liin_limit_login_attempt');
        if ( $transient && $transient > $this->attempts ) {
            $transient_expiration = get_option( '_transient_timeout_liin_limit_login_attempt' );
            $waiting_seconds = abs( $transient_expiration - time() );
            return new WP_Error( 'limit_login_attempt', sprintf( __( 'You are blocked for %1$s seconds' ) , $waiting_seconds ) );
        }
        return $user;
    }


    /**
     * Handle login failure
     *
     * Triggered by the 'wp_login_failed' action hook. Fires after a user login has failed.
     *
     * @since    1.0.0
     */
    public function login_failed( $username ) {
        $transient = get_transient('liin_limit_login_attempt');
        if ( $transient ) {
            $attempts = $transient + 1;
            set_transient('liin_limit_login_attempt', $attempts);
        } else {
            set_transient('liin_limit_login_attempt', 1, $this->seconds_locked);
        }
    }

}

new liin_Limit_Login_Attempts();

}

The class includes two properties, namely $attempts and $seconds_locked. The $attempts property is initialized to 5, representing the maximum number of attempts allowed before the user is blocked. The $seconds_locked property is initialized to 60, representing the timespan within which the login attempts cannot be exceeded.

The __construct() method initializes the class properties and registers two hooks, namely ‘authenticate’ and ‘wp_login_failed’. The ‘authenticate’ filter hook is used to perform additional validation/authentication whenever a user logs in to WordPress, while the ‘wp_login_failed’ action hook is used to handle login failures.

The authentication() method checks whether the user has exceeded the maximum number of login attempts and, if so, blocks the user for a specified duration. The login_failed() method is called whenever a user fails to log in, and it updates the number of attempts for that user.