Login Rate Limiting
WARNING: Enabling this setting can temporarily lock out legitimate users after repeated failed logins. Verify that the configured thresholds match the site’s support and access requirements before turning it on.
Description
The Login rate limiting control appears under Brute-force Protection in the Authentication & Accounts section. It throttles repeated failed login attempts tracked by IP address and by username, and separately limits probes with unknown usernames, using configurable thresholds, rolling windows, and lockout durations.
Use this set of controls when you want to apply rate limits and temporary lockouts to repeated failed login attempts against your WordPress site.
Procedure – Enable login rate limiting
- In WordPress admin, open Posture Management.
- Select Authentication & Accounts.
- In the Brute-force Protection card, locate Login rate limiting.
- Turn on the Enable toggle.
- Review and adjust the trigger and lockout settings as needed:
  - Failed attempts
  - Time window minutes
  - Unknown username attempts
  - Unknown username window minutes
  - Initial lockout seconds
  - Maximum lockout seconds
  - 24-hour failure threshold
  - Long lockout seconds
- Click Save Authentication Settings.
Validation – Login rate limiting
- Reload Posture Management → Authentication & Accounts and confirm the Enable toggle remains on for Login rate limiting.
- Use a test account to generate repeated failed logins and confirm that rate limiting or lockout behavior occurs according to the configured thresholds.
- Confirm that login access is restored when the lockout period ends.
Trigger Settings
Failed attempts
Description
Failed attempts appears in the Trigger group for Login rate limiting. It controls how many failed login attempts are allowed before the first lockout is applied.
Use this setting to define the number of failed logins permitted within the time window before rate limiting begins.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Trigger section, locate Failed attempts.
- Enter the desired numeric value.
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Failed attempts shows the saved value.
- Trigger failed logins with a test account and confirm that the first lockout begins after the configured number of failures within the active Time window minutes.
Time window minutes
Description
Time window minutes appears in the Trigger group for Login rate limiting. It defines the rolling time window used to count failed attempts toward the first lockout.
Use this setting to define the time range in which failed login attempts are evaluated.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Trigger section, locate Time window minutes.
- Enter the desired numeric value (in minutes).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Time window minutes shows the saved value.
- Trigger failed logins and confirm that lockout behavior is evaluated across the configured rolling window.
Unknown username attempts
Description
Unknown username attempts appears in the Trigger group for Login rate limiting. It controls how many login attempts using non-existent usernames are allowed before limiting begins.
Use this setting to define the threshold for username enumeration or probing with invalid usernames.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Trigger section, locate Unknown username attempts.
- Enter the desired numeric value.
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Unknown username attempts shows the saved value.
- Attempt repeated logins using a non‑existent username and confirm that limiting occurs after the configured number of attempts.
Unknown username window minutes
Description
Unknown username window minutes appears in the Trigger group for Login rate limiting. It defines the rolling time window used to count unknown‑username attempts.
Use this setting to define the period in which invalid-username login attempts are counted toward their own threshold.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Trigger section, locate Unknown username window minutes.
- Enter the desired numeric value (in minutes).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Unknown username window minutes shows the saved value.
- Attempt repeated logins with a non‑existent username over time and confirm the counting behavior matches the configured rolling window.
Lockout Behavior Settings
Initial lockout seconds
Description
Initial lockout seconds appears in the Lockout behavior group for Login rate limiting. It defines the duration of the first lockout applied after a trigger condition is met.
Use this setting to control how long the initial lockout lasts when rate limiting first activates.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Lockout behavior section, locate Initial lockout seconds.
- Enter the desired lockout duration (in seconds).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Initial lockout seconds shows the saved value.
- Trigger the first rate‑limit lockout and verify that the lockout duration matches the configured value.
Maximum lockout seconds
Description
Maximum lockout seconds appears in the Lockout behavior group for Login rate limiting. It sets the upper limit for lockout duration when exponential backoff or escalating lockouts are used.
Use this setting to cap the maximum lockout duration regardless of continued failures.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Lockout behavior section, locate Maximum lockout seconds.
- Enter the desired maximum lockout duration (in seconds).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Maximum lockout seconds shows the saved value.
- Generate repeated failures over time and confirm that lockout escalation does not exceed the configured maximum duration.
24‑hour failure threshold
Description
24‑hour failure threshold appears in the Lockout behavior group for Login rate limiting. It defines how many failures in a 24‑hour period trigger the “long lockout” behavior.
Use this setting to decide when persistent failures across a full day should result in a longer lockout.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Lockout behavior section, locate 24‑hour failure threshold.
- Enter the desired numeric value.
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm 24‑hour failure threshold shows the saved value.
- With a test account or environment, trigger sufficient failed logins over a 24‑hour period and confirm that the long lockout behavior activates once the threshold is reached.
Long lockout seconds
Description
Long lockout seconds appears in the Lockout behavior group for Login rate limiting. It sets the lockout length applied after the 24‑hour failure threshold is exceeded.
Use this setting to define the duration of the long lockout for persistent failure conditions.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- Ensure Login rate limiting is enabled.
- In the Lockout behavior section, locate Long lockout seconds.
- Enter the desired long lockout duration (in seconds).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm Long lockout seconds shows the saved value.
- Trigger enough failures to cross the configured 24‑hour threshold and confirm that the resulting lockout duration matches the Long lockout seconds value.
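As an added illustration (not the plugin's own code), the following Python simulation models how the trigger and lockout settings above interact: failures counted in a rolling window, a first lockout of Initial lockout seconds, escalating lockouts capped at Maximum lockout seconds, and the long lockout once the 24-hour failure threshold is reached, so you can compute the lockout schedule a validation run should produce. The doubling escalation, refusing attempts during a lockout without counting them, and restarting the short-window count after each lockout are assumptions, and the configured values are constructed; the unknown-username controls use the same mechanics with their own threshold and window, so a second Policy and State pair models them.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Constructed values for the walkthrough, not the plugin's defaults.
    failed_attempts: int = 3            # Failed attempts
    time_window_minutes: int = 10       # Time window minutes
    initial_lockout_seconds: int = 30   # Initial lockout seconds
    maximum_lockout_seconds: int = 120  # Maximum lockout seconds
    daily_failure_threshold: int = 10   # 24-hour failure threshold
    long_lockout_seconds: int = 3600    # Long lockout seconds

@dataclass
class State:
    failures: list = field(default_factory=list)  # timestamps (s) of failures in the last 24 h
    escalation: int = 0                 # short lockouts applied so far
    locked_until: float = 0.0
    window_start: float = float("-inf")  # failures at or before this are excluded from the short window

def failed_attempt(policy: Policy, state: State, now: float) -> int:
    """Process one failed login at time `now` (seconds).
    Returns -1 if refused by an active lockout, 0 if recorded without a new
    lockout, otherwise the number of seconds of lockout just applied."""
    if now < state.locked_until:
        return -1  # assumption: refused attempts are not counted as failures
    state.failures = [t for t in state.failures if t > now - 86400] + [now]
    if len(state.failures) >= policy.daily_failure_threshold:
        state.locked_until = now + policy.long_lockout_seconds
        return policy.long_lockout_seconds
    window = max(state.window_start, now - policy.time_window_minutes * 60)
    if sum(1 for t in state.failures if t > window) >= policy.failed_attempts:
        # assumption: each further short lockout doubles, capped at the maximum
        seconds = min(policy.initial_lockout_seconds * 2 ** state.escalation,
                      policy.maximum_lockout_seconds)
        state.escalation += 1
        state.locked_until = now + seconds
        state.window_start = now  # restart the short-window count after a lockout
        return seconds
    return 0

def simulate(policy: Policy, times: list) -> list:
    """Replay a sequence of failed-attempt timestamps and return each outcome."""
    state = State()
    return [failed_attempt(policy, state, t) for t in times]

if __name__ == "__main__":
    schedule = [0, 10, 20, 30, 60, 70, 80, 150, 160, 170, 300]  # constructed
    for t, outcome in zip(schedule, simulate(Policy(), schedule)):
        print(f"t={t:>4}s -> {outcome}")
```

With the constructed policy, the schedule produces lockouts of 30, 60 and 120 seconds (the cap) and then the 3600-second long lockout on the tenth failure, which is the sequence the validation steps above should observe.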
Activity Notes
Clear log
Description
The Clear log button appears in the Activity notes group of Login rate limiting, within the expandable section titled Recent rate-limited activity (last 7 days). It clears the visible record of recent rate‑limited events from the admin view.
Use this control when you want to clear the recent rate‑limit activity log.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- In Login rate limiting, expand Recent rate-limited activity (last 7 days).
- Click Clear log.
- When prompted with “Clear recent rate-limit log?”, confirm the action.
- Click Save Authentication Settings if required by the page workflow.
Validation
- Reopen Recent rate-limited activity (last 7 days) and confirm that the previous entries are no longer shown.
- If no activity remains, the UI should indicate that there are no recent rate‑limit events in the last 7 days.
Account Monitoring
Track each user’s last successful login time
Description
Track each user’s last successful login time appears under Account Monitoring. When enabled, the Users screen shows additional columns with last-login information for each user.
Use this setting when you want to track and review each user’s most recent successful login.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- In the Account Monitoring card, enable Track each user’s last successful login time.
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm the checkbox remains selected.
- Sign in with a test user.
- Open the Users screen and confirm that last-login information is visible for that user.
Record failed login attempts since the last success
Description
Record failed login attempts since the last success appears under Account Monitoring. When enabled, the Users screen shows columns that reflect failed login attempts for each user until their next successful login.
Use this setting when you want to monitor failed attempts per user between successful logins.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- In the Account Monitoring card, enable Record failed login attempts since the last success.
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm the checkbox remains selected.
- Generate failed logins for a test user.
- Open the Users screen and confirm that failure counts or indicators appear as expected for that user.
Reset password after days inactive
Description
Reset password after days inactive appears in the advanced portion of Account Monitoring under Show lifecycle thresholds. The help text notes that setting the value to 0 disables the action.
Use this setting to define how many days of inactivity are allowed before a user must reset their password at their next login.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- In the Account Monitoring card, expand Show lifecycle thresholds.
- In Reset password after days inactive, enter the desired number of days (or 0 to disable).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm the field shows the saved value.
- If a non‑zero value is configured, use a test account that has been inactive for at least the configured period (or adjust timing in a test environment) and confirm that a password reset is required when the user next signs in.
Delete account after days inactive
Description
Delete account after days inactive appears in the advanced portion of Account Monitoring under Show lifecycle thresholds. The help text notes that 0 disables the action and that administrators are always skipped.
Use this setting to define when inactive non‑administrator accounts should be deleted automatically.
Procedure
- In WordPress admin, open Posture Management → Authentication & Accounts.
- In the Account Monitoring card, expand Show lifecycle thresholds.
- In Delete account after days inactive, enter the desired number of days (or 0 to disable).
- Click Save Authentication Settings.
Validation
- Reload Authentication & Accounts and confirm the field shows the saved value.
- If a non‑zero value is configured, verify in a test environment that:
  - a non‑administrator test account is deleted only after the configured inactivity period, and
  - administrator accounts are not deleted by this control.
