The following code limits the number of login attempts within a given timespan, without requiring a plugin. This helps against brute-force attacks, in which an attacker guesses passwords or other credentials by trial and error, submitting many login attempts in quick succession.
Here is the code:
if ( ! class_exists( 'liin_Limit_Login_Attempts' ) ) {
    class liin_Limit_Login_Attempts {
        /**
         * The number of failed attempts allowed before login is blocked
         *
         * @since 1.0.0
         * @access protected
         * @var int $attempts
         */
        protected $attempts;
        /**
         * The length of the lockout window, in seconds
         *
         * @since 1.0.0
         * @access protected
         * @var int $seconds_locked
         */
        protected $seconds_locked;

        public function __construct() {
            $this->attempts      = 5;
            $this->seconds_locked = 60;
            // 'wp_login_failed' passes the username and (since WP 5.4) the WP_Error.
            add_action( 'wp_login_failed', [ $this, 'login_failed' ], 10, 2 );
            // Priority 30 runs after WordPress's own username/password check
            // (priority 20), so a WP_Error returned here overrides an otherwise
            // successful login.
            add_filter( 'authenticate', [ $this, 'authentication' ], 30, 3 );
        }

        /**
         * Handle authentication based on the login attempts
         *
         * Triggered by the 'authenticate' filter hook, which runs on every login
         * attempt and is used to perform additional validation/authentication.
         *
         * @since 1.0.0
         */
        public function authentication( $user, $username, $password ) {
            // Note: this is one site-wide counter, not a per-user or per-IP one.
            $failures = (int) get_transient( 'liin_limit_login_attempt' );
            if ( $failures >= $this->attempts ) {
                // Without a persistent object cache the expiry lives in this
                // option; with one it does not exist, so fall back to the full window.
                $transient_expiration = (int) get_option( '_transient_timeout_liin_limit_login_attempt' );
                $waiting_seconds = ( $transient_expiration > time() )
                    ? $transient_expiration - time()
                    : $this->seconds_locked;
                return new WP_Error(
                    'limit_login_attempt',
                    sprintf( __( 'You are blocked for %1$s seconds' ), $waiting_seconds )
                );
            }
            return $user;
        }

        /**
         * Handle login failure
         *
         * Triggered by the 'wp_login_failed' action hook. Fires after a user login
         * has failed, including failures caused by the WP_Error returned above.
         *
         * @since 1.0.0
         */
        public function login_failed( $username, $error = null ) {
            $failures = (int) get_transient( 'liin_limit_login_attempt' );
            if ( $failures ) {
                // Omitting the expiration keeps the timeout set on the first
                // failure, so the window is measured from the first failed login.
                // Caveat: with an external object cache a transient set without an
                // expiration is stored with no TTL at all.
                set_transient( 'liin_limit_login_attempt', $failures + 1 );
            } else {
                set_transient( 'liin_limit_login_attempt', 1, $this->seconds_locked );
            }
        }
    }
    new liin_Limit_Login_Attempts();
}
The class has two properties, $attempts and $seconds_locked. $attempts is set to 5, the number of failed logins tolerated before further attempts are refused. $seconds_locked is set to 60, the length of the window in seconds, measured from the first failed login; when the transient expires, the count starts again from zero.
The __construct() method sets these values and registers two hooks, 'authenticate' and 'wp_login_failed'. The 'authenticate' filter runs on every login attempt; it is registered at priority 30 so that it fires after WordPress's own username/password check (priority 20), and the WP_Error it returns overrides an otherwise successful result. The 'wp_login_failed' action fires after a login has failed, including failures caused by this class's own WP_Error.
The authentication() method reads the counter from the transient and, once it has reached the limit, returns a WP_Error telling the client how many seconds remain. The login_failed() method increments the counter on every failure, creating the transient with the lockout expiry on the first one.
Two caveats matter before using this as-is. First, the counter is stored under a single transient name, so it is site-wide, not per user or per client: a handful of failed logins from anywhere, deliberate or not, locks every account out for the rest of the window, which turns the limiter into an easy denial of service. Second, the remaining time is read from the _transient_timeout_ option, which only exists when transients are stored in the options table; with a persistent object cache (Redis, Memcached) that option is absent, and a set_transient() call without an expiration stores the value with no TTL at all.
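The following is an added example, not code from the original post: the same limiter keyed per client address and username, with the end of the window stored inside the transient value so the remaining time can be computed whether transients live in the options table or in an object cache. The class name, the key prefix and the decision to trust REMOTE_ADDR as the client address are this example's own assumptions.

```php
/**
 * Added example, not the original post's code: per-client login limiter.
 * Drop into a small plugin file or functions.php.
 */
if ( ! class_exists( 'liin_Limit_Login_Attempts_Per_Client' ) ) {
    class liin_Limit_Login_Attempts_Per_Client {
        protected $attempts       = 5;          // failed logins allowed per key per window
        protected $seconds_locked = 60;         // window length in seconds
        protected $prefix         = 'liin_lla_'; // transient name prefix (assumed)

        public function __construct() {
            add_action( 'wp_login_failed', [ $this, 'login_failed' ], 10, 2 );
            add_filter( 'authenticate', [ $this, 'authentication' ], 30, 3 );
        }

        /**
         * Build the transient key from client address and username.
         * REMOTE_ADDR is used directly (assumption: no reverse proxy). Read
         * X-Forwarded-For only if a proxy you control sets it; otherwise a
         * client can spoof its way out of the limit, or lock out others.
         */
        protected function key( $username ) {
            $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
            $user = strtolower( trim( (string) $username ) );
            // Transient names are limited in length, so hash the pair.
            return $this->prefix . md5( $ip . '|' . $user );
        }

        public function authentication( $user, $username, $password ) {
            if ( empty( $username ) ) {
                return $user;
            }
            $state = get_transient( $this->key( $username ) );
            // The window end is part of the stored value, so no option lookup is needed.
            if ( is_array( $state ) && $state['expires'] > time()
                && $state['count'] >= $this->attempts ) {
                $waiting = $state['expires'] - time();
                return new WP_Error(
                    'limit_login_attempt',
                    sprintf( __( 'Too many failed logins. Try again in %d seconds.' ), $waiting )
                );
            }
            return $user;
        }

        public function login_failed( $username, $error = null ) {
            if ( empty( $username ) ) {
                return;
            }
            $key   = $this->key( $username );
            $state = get_transient( $key );
            if ( ! is_array( $state ) || $state['expires'] <= time() ) {
                // First failure in a new window: start the clock now.
                $state = [ 'count' => 0, 'expires' => time() + $this->seconds_locked ];
            }
            $state['count']++;
            // Always pass the remaining TTL so object caches expire the entry too.
            set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
        }
    }
    new liin_Limit_Login_Attempts_Per_Client();
}
```

Because the lockout is keyed on address and username, failed logins against one account from one address no longer affect anyone else, and the count is reset on the first failure after the window has passed rather than depending on the transient having been purged. If WordPress sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and every client shares one key; in that case derive the address from the header that proxy sets, and accept it only from that proxy.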
If you have suggestions for improving the code, please send an email. It should be noted that the code’s functionality is provided without any guarantee or responsibility.
Credits
Image by Adam Mechedal on Unsplash