wp-login

A WordPress site’s login endpoint (/wp-login.php) is a common target for brute force attempts and bad actors. On WordPress VIP, brute force attempts on a site’s /wp-login.php are detected and mitigated at the edge (i.e., firewall, NGINX). Dynamic security protocols are in place that can be triggered by unusual behavioral patterns to protect against unauthorized access and abuse of the login endpoint. An automated attack will trigger VIP’s dynamic security measures, and login attempts will be completely blocked.

Caution

Attempts to obfuscate the WordPress login page by altering the URL—via a plugin or otherwise—will remove VIP’s brute force login protections from the /wp-login.php endpoint.

Additional security measures are in place to protect the login endpoint for WordPress sites on the WPVIP Platform:

  • The username admin is disallowed for WordPress sites. Attempts to log in with the admin username will be blocked and the notice “Logins are restricted for that user. Please try a different user account.” will be displayed.
  • On a new WordPress environment, Two-Factor Authentication (2FA) is enforced for all users that have an Editor, Administrator, or Super Admin (WordPress multisite) role. As a security recommendation, 2FA should be required for all user roles regardless of capabilities. 2FA can be enforced for additional user roles in the Enforce Two-Factor Authentication module of WordPress Security Controls.

Note

Frequent user lockouts can occur if a site is behind a reverse proxy that is not correctly configured to send the original IP address of the end user in an HTTP header.

Modify the allowed number of failed login attempts

Rate limiting is in place (e.g. 5 failed attempts within 5 minutes) for requests that are made to a WordPress site’s login endpoint (/wp-login.php).

Underlying code in VIP MU plugins protects the login endpoint by tracking the rate of incoming requests for any of the following:

  • An IP address
  • A username
  • An IP address + username combination

When the threshold for failed login attempts is exceeded based on one of the above criteria, the IP address and/or username will be blocked from making further login attempts.

The allowed number of failed login attempts for a site can be modified with the VIP MU plugin filters wpcom_vip_ip_login_threshold and wpcom_vip_ip_username_login_threshold.

Custom code that uses these filters should be added to a file located within /client-mu-plugins.

For IP address

Modify the number of failed login attempts allowed for an IP address with the wpcom_vip_ip_login_threshold filter.

In this code example, the threshold limit for failed login attempts is set to 10:

/client-mu-plugins/example-file.php
<?php
// Return a fixed threshold of 10 failed login attempts for every IP address.
add_filter( 'wpcom_vip_ip_login_threshold', function() {
    return 10;
} );

IP address + username combination

Modify the number of failed login attempts to allow for an IP address + username combination with the wpcom_vip_ip_username_login_threshold filter.

In this code example, the threshold limit is set to 1 for the number of failed login attempts by the usernames exampleuserone and exampleusertwo:

/client-mu-plugins/example-file.php
<?php
// Lower the IP + username threshold to a single failed attempt for two specific
// accounts; every other username keeps the default $threshold passed in.
add_filter( 'wpcom_vip_ip_username_login_threshold', function( $threshold, $ip, $username ) {
    if ( 'exampleuserone' === $username || 'exampleusertwo' === $username ) {
        $threshold = 1;
    }

    return $threshold;
}, 10, 3 ); // priority 10, accept all three arguments

Clear a lockout for a locked out user

Prerequisite

VIP-CLI is installed and has been updated to the most current version.

When a login rate limit threshold has been exceeded, a lockout value is set in the vip_login_limit cache group for either the IP address, username, or IP address + username combination that exceeded the limit.

If a user receives the warning message “You have exceeded the login limit. Please wait a few minutes and try again.” after they attempt to log in to a site, a lockout is in place. The user will be unable to log in to the site until either the lockout time has expired or the lockout has been cleared.

The lockout value is stored in one of three possible key formats:

  • locked_<IP_ADDRESS_OF_USER> (e.g. locked_1.2.3.4)
  • locked_<USERNAME> (e.g. locked_exampleuser)
  • locked_<IP_ADDRESS_OF_USER>|<USERNAME> (e.g. locked_1.2.3.4|exampleuser)

To clear the lockout:

  1. Collect the username and IP address of the locked out user. A user can retrieve their IP address by visiting WordPress.com’s “whatismyip”.
  2. Structure the three possible key formats based on the user’s supplied username and IP address.
  3. Retrieve the lockout value from one of the three possible key formats in the vip_login_limit cache group. Use VIP-CLI to run the WP-CLI command wp cache get <key> vip_login_limit, where <key> is replaced with a key format with the user’s information.

If the WP-CLI command returns an error, the lockout value is not stored in that key. Run the WP-CLI command for a different key format until the command returns a value of 1, which confirms that the lockout value has been found.

$ vip @example-app.production -- wp cache get locked_exampleuser vip_login_limit
===================================
+ command: wp cache get locked_exampleuser vip_login_limit
===================================

✔ Are you sure you want to run this command on PRODUCTION for site example-app? (y/N) · true
1

  4. Clear the lockout value from the vip_login_limit cache group. Use VIP-CLI to run the WP-CLI command wp cache delete <key> vip_login_limit, where <key> is replaced with the key storing the lockout value confirmed in Step 3.

$ vip @example-app.production -- wp cache delete locked_exampleuser vip_login_limit
===================================
+ command: wp cache delete locked_exampleuser vip_login_limit
===================================

✔ Are you sure you want to run this command on PRODUCTION for site example-app? (y/N) · true
Success: Object deleted.

Clearing the failed login attempt cache key

In addition to the lockout value, a separate cache key is used to track the number of recent failed login attempts. Clearing a user’s lockout via WP-CLI removes the lockout value itself but does not reset this counter.

As a result, if the user attempts to log in again and fails, the counter will continue from its previous value and may immediately trigger another lockout.

To fully reset the user’s login state, it may be necessary to clear the failed login attempt cache key as well.

The failed login attempt value is stored in one of three possible key formats:

  • <IP_ADDRESS_OF_USER> (e.g. 1.2.3.4)
  • <USERNAME> (e.g. exampleuser)
  • <IP_ADDRESS_OF_USER>|<USERNAME> (e.g. 1.2.3.4|exampleuser)

To clear the failed login attempt cache key, follow the same steps as clearing a lockout, but use the failed-attempt key format (without the locked_ prefix) instead. For example:

$ vip @example-app.production -- wp cache delete exampleuser vip_login_limit
===================================
+ command: wp cache delete exampleuser vip_login_limit
===================================

✔ Are you sure you want to run this command on PRODUCTION for site example-app? (y/N) · true
Success: Object deleted.

Multisite

To clear a lockout for a user locked out of a network site on a multisite environment, the WP-CLI commands must target that specific site. Use the --url parameter to target the site by domain (e.g. --url=example.com). If a network site is not targeted by the WP-CLI command, the command will be run against the main site, typically ID 1.
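The lockout-clearing procedure above, including the separate failed-attempt counter key and the multisite --url option, as one script. This is an added example, not WordPress VIP's own tooling. It assumes VIP-CLI is on the PATH as vip, that the caller supplies the app alias (e.g. @example-app.production), and that wp cache get for a key that is not set exits non-zero or prints a line starting with Error: (the page only says the command "returns an error"). It passes no flag to skip VIP-CLI's PRODUCTION confirmation, so each wp command still prompts when run against production.

```shell
#!/bin/sh
# Added example (not WordPress VIP's own tooling): clears a user's login
# lockout and failed-attempt counter in the vip_login_limit cache group.
# Given an IP address and username it builds the six possible keys from the
# page, checks each with `wp cache get`, and deletes the ones that are set.
# Assumptions: VIP-CLI is available as `vip`; a missing key makes
# `wp cache get` exit non-zero or print an "Error:" line.
set -eu

CACHE_GROUP="vip_login_limit"   # cache group named on the page
VIP_BIN="${VIP_BIN:-vip}"       # override for non-standard installs or tests

# Print the six candidate keys, one per line: the three lockout keys
# (locked_ prefix) followed by the three failed-attempt counter keys.
login_limit_keys() {
    _ip="$1"; _user="$2"
    printf '%s\n' \
        "locked_${_ip}" "locked_${_user}" "locked_${_ip}|${_user}" \
        "${_ip}" "${_user}" "${_ip}|${_user}"
}

# Run one WP-CLI command through VIP-CLI.
# $1 = app alias (e.g. @example-app.production)
# $2 = "--url=example.com" to target a network site, or "" for the main site
# remaining args = the wp subcommand and its arguments
vip_wp() {
    _app="$1"; _urlopt="$2"; shift 2
    if [ -n "$_urlopt" ]; then
        "$VIP_BIN" "$_app" -- wp "$@" "$_urlopt"
    else
        "$VIP_BIN" "$_app" -- wp "$@"
    fi
}

# Succeed (exit 0) only if the key currently holds a value in the cache group.
# A lockout key holds 1; a counter key holds the number of recent failures.
key_is_set() {
    _out=$(vip_wp "$1" "$2" cache get "$3" "$CACHE_GROUP" 2>&1) || return 1
    case "$_out" in
        *Error:*) return 1 ;;
    esac
    [ -n "$_out" ]
}

# Check all six keys and delete every one that is set, printing each deletion.
# $1 = app alias, $2 = --url option or "", $3 = IP address, $4 = username
clear_login_limits() {
    _alias="$1"; _url="$2"
    login_limit_keys "$3" "$4" | while IFS= read -r _key; do
        if key_is_set "$_alias" "$_url" "$_key"; then
            vip_wp "$_alias" "$_url" cache delete "$_key" "$CACHE_GROUP" >/dev/null
            printf 'cleared %s\n' "$_key"
        fi
    done
}

# Usage: sh clear-login-lockout.sh @example-app.production 1.2.3.4 exampleuser [example.com]
# The optional fourth argument is the network site domain on a multisite.
if [ $# -ge 3 ]; then
    _url_opt=""
    if [ $# -ge 4 ]; then _url_opt="--url=$4"; fi
    clear_login_limits "$1" "$_url_opt" "$2" "$3"
fi
```

Because the counter key is checked and deleted alongside the lockout key, the user's failure count restarts from zero after the script runs, so a single mistyped password does not immediately re-trigger the lockout described in the section on the failed login attempt cache key.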

Last updated: October 31, 2025

Relevant to

  • WordPress