Imaginez qu’un voleur essaie à plusieurs reprises différentes clés pour s’introduire chez vous. C’est comme une attaque par force brute où les pirates essaient des milliers de combinaisons de mots de passe pour accéder à votre site.
Cela semble effrayant, mais heureusement vous pouvez facilement défendre votre site comme nous le faisons en limitant les tentatives de connexion. Cela permet de limiter le nombre de tentatives de connexion avant d’être déconnecté, ce qui empêche les pirates de s’introduire sur votre site.
Cet article vous guidera à travers le processus de configurer des limites de tentatives de connexion sur votre site WordPress. Nous explorerons pourquoi il est important pour la sécurité de votre site et nous vous guiderons à travers les étapes, même si vous n’êtes pas un expert en technologie.
Pourquoi limiter les tentatives de connexion sur WordPress ?
Une attaque par force brute est une méthode qui utilise l’essai et l’erreur pour pirater votre site WordPress.
Le type d’attaque par force brute le plus courant est la devinette de mot de passe. Les pirates utilisent des logiciels automatisés pour deviner vos informations de connexion afin d’accéder à votre site.
Par défaut, WordPress autorise les utilisateurs/utilisatrices à saisir leur mot de passe autant de fois qu’ils le souhaitent. Les pirates peuvent tenter d’exploiter cette possibilité en utilisant des scripts qui saisissent différentes combinaisons jusqu’à ce qu’ils devinent la bonne connexion.
Vous pouvez empêcher les attaques par force brute en limitant le nombre de tentatives de connexion infructueuses par compte. Par exemple, vous pouvez bloquer temporairement un compte après 5 tentatives de connexion infructueuses.
Malheureusement, certains utilisateurs/utilisatrices se trouvent bloqués hors de leur propre site WordPress après avoir tapé leur mot de passe de manière incorrecte un certain nombre de fois. Si vous vous trouvez dans cette situation, alors vous devriez suivre les étapes de notre guide sur comment débloquer Limiter les tentatives de connexion dans WordPress.
Ceci étant dit, voyons comment limiter le nombre de tentatives de connexion dans WordPress.
Tutoriel vidéo
Si vous préférez les instructions écrites, continuez à lire.
Comment limiter les tentatives de connexion sur WordPress
La première chose à faire est d’installer et d’activer l’extension Limit Login Attempts Reloaded. Pour plus de détails, consultez notre guide étape par étape sur l’installation d’une extension WordPress.
La version gratuite est tout ce dont vous avez besoin pour ce tutoriel. Une fois activée, vous devez vous rendre sur la page Réglages » Limiter les tentatives de connexion, puis cliquer sur l’onglet ‘Paramètres’ en haut.
Les réglages par défaut fonctionneront pour la plupart des sites, mais nous allons vous expliquer comment vous pouvez définir les réglages de l’extension de sécurité pour votre site.
Pour être conforme aux lois du RGPD, vous pouvez cliquer sur la case à cocher » Conformité au RGPD » pour afficher un message sur votre page de connexion. Vous pouvez en savoir plus sur le RGPD dans notre guide sur WordPress et la conformité au RGPD.
Ensuite, vous choisirez si vous souhaitez recevoir une notification lorsque quelqu’un a été verrouillé. Vous pouvez modifier l’adresse e-mail à laquelle la notification est envoyée si vous le souhaitez. Par défaut, vous serez notifié la troisième fois que l’utilisateur est bloqué.
Ensuite, vous devez défiler vers le bas jusqu’à la section Application locale, où vous pouvez définir le nombre de tentatives de connexion et le temps de verrouillage qu’un utilisateur devra attendre avant de pouvoir réessayer.
Tout d’abord, vous devez définir le nombre de tentatives de connexion possibles. Ensuite, choisissez le nombre de minutes qu’un compte devra attendre s’il dépasse ce nombre de tentatives infructueuses. La valeur par défaut est de 20 minutes.
Vous pouvez également augmenter le temps d’attente lorsque l’utilisateur a été bloqué un certain nombre de fois. Par exemple, les réglages par défaut ne permettent pas à l’utilisateur d’essayer de se connecter pendant 24 heures lorsqu’il a été déconnecté 4 fois.
Pour des raisons de sécurité, nous vous recommandons de ne pas modifier le réglage « Origines IP de confiance ».
N’oubliez pas de cliquer sur le bouton « Enregistrer les réglages » en bas de l’écran pour stocker vos modifications.
Lié à : Pour plus de détails sur cette extension, consultez notre avis complet sur Limit Login Attempts.
Astuces pour protéger votre site WordPress
Limiter les tentatives de connexion n’est qu’un moyen parmi d’autres d’assurer la sécurité de votre site WordPress.
Les mots de passe constituent la première calque de protection de votre site WordPress. Vous devez toujours utiliser des mots de passe forts sur votre site WordPress.
Les mots de passe forts peuvent être difficiles à retenir, mais vous pouvez utiliser un gestionnaire de mots de passe pour vous faciliter la tâche. Si vous gérez un site WordPress à auteurs/autrices multiples, voyez comment vous pouvez imposer des mots de passe forts aux utilisateurs/utilisatrices dans WordPress.
Si votre page de connexion WordPress est toujours attaquée, vous pouvez ajouter une autre calque de protection : Google reCAPTCHA pour la connexion WordPress. Cela aidera à réduire les attaques DDoS.
Aucun site n’est sûr à 100 %, car les pirates informatiques trouvent toujours de nouvelles façons de contourner le système. C’est pourquoi il est crucial de conserver en permanence des sauvegardes terminées de votre site WordPress. Nous vous recommandons d’utiliser Duplicator ou une autre extension de sauvegarde WordPress populaire.
Si vous avez un site d’entreprise, alors nous vous recommandons fortement d’ajouter un pare-feu qui prend en charge les attaques par force brute et plus encore. Nous utilisons Corrigé pour garantir notre sécurité, et si quelque chose arrive à notre site, leur équipe est responsable de le corriger sans frais supplémentaires.
Pour plus d’astuces sur la sécurité des sites, n’oubliez pas de consulter notre guide ultime sur la sécurité de WordPress.
Nous espérons que ce tutoriel vous a aidé à apprendre comment limiter les tentatives de connexion sur WordPress. Vous pouvez également consulter notre guide sur la façon d’ajouter des questions de sécurité à l’écran de connexion de WordPress ou notre choix d’experts des meilleures extensions de page de connexion.
Si vous avez aimé cet article, veuillez alors vous abonner à notre chaîne YouTube pour obtenir des tutoriels vidéo sur WordPress. Vous pouvez également nous trouver sur Twitter et Facebook.
Jiří Vaněk
Is there another way than a plugin? E.g. using htaccess or similar component? I have my own server and would like to have this limit on my site. However, I already have relatively enough plugins and would not like to add more. So I’m looking for a way to do it without a plugin.
WPBeginner Support
We do not have a recommended way without a plugin, a snippet would be fairly complex which is why we recommend the plugin. We also recommend taking a look at our list of how many plugins can be installed on a site to help remove your fear of having too many plugins
https://www.wpbeginner.com/opinion/how-many-wordpress-plugins-should-you-install-on-your-site/
Administrateur
Linda Willis
Thanks so much for this very helpful article on a plugin to stop the huge number of brute force attacks our site has endured recently. I’ve just installed it, using your easy to follow step by step guide to its settings. Can’t wait to see how it works!
Also followed the link to password managers. Thanks to your comments, I’m going to try LastPass again. We’ve been using Dashlane (free version) for a few years, but are frustrated by some of its rules. LastPass paid version sounds like a much better deal. Now to determine how to make the switch … easily!
Thanks again!
Linda
WPBeginner Support
Glad our article and recommendations could help
Administrateur
Adil
The outstanding article of website security. I have used this plugin in our many websites.
WPBeginner Support
Thank you, glad you found the plugin helpful
Administrateur
kristyburkholder
Good day! This is kind of off topic but I need some advice from an established blog. Is it tough to set up your own blog? I’m not very techincal but I can figure things out pretty fast. I’m thinking about making my own but I’m not sure where to start. Do you have any tips or suggestions? With thanks
WPBeginner Support
It is not overly difficult to start a blog, we have a guide on how to start one here: https://www.wpbeginner.com/start-a-wordpress-blog/
Administrateur
Paul Gent
I have Limit Login Attempts (yes, I need to update to something newer) and am being attacked all the time. I have added a new user as an administrator in an attempt to be able to access my own website without having to wait. But even then I have been kicked out before I can create any posts.
Does anyone have any advice please?
Shyam Chathuranga
Yep, you’re right. I’ve been using the Limit Login Attempts plugin for this whole time and recently, it started blocking all users instead of blocking the attacker based on his IP.
So, I guess I’ve to say bye for that plugin and use something else now.
Miguel
I recently installed WordFence to monitor my website security. It offers a feature for limiting login attempts. Consequently, I deactivated and deleted Limit Login Attempts Reloaded.
However, within WP Admin> Settings, there remains Limit Login Attempts. Do you know if that is installed by default with WP and regardless, how I can get rid of it.?
I believe that it’s overriding the settings in WordFence.
Thanks for your time,
Miguel
erlindawva
Howdy this is somewhat of off topic but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding knowledge so I wanted to get advice from someone with experience. Any help would be greatly appreciated!
WPBeginner Support
WordPress comes with a WYSIWYG editor. It also allows you to add HTML to write posts.
Administrateur
Jorge Manuel
I received the ‘exceeded maximum retries’ message today – but with an absolute correct password!
How can this be?
I just started setting up this WP site two days ago, it has no content aside from a free theme and a title. I installed login lockdown, but it is NOT activated.
it baffles me why there would be a BF attack on an obscure site name with barely 90 MB content…
Alam Khan
Hi WPBginner’s Team,
Thanks a lot for creating such a huge and useful content for WordPress users like us. I always search for solutions at your website and also get the solution every time since last 2-3 years.
Today is the first time I am posting a comment for the above issue, I am using Limit Login Attempts plugin and it really helps me in keeping my website secure as per day I see 10-15 failed login attempts, but sometimes it is locked for 24 hours, which restrict us also. Is it possible to use Login LockDown also and block wrong attempts by IP, so that our genuine users are not blocked.
Is it possible to use Limit Login Attempts plugin and Login LockDown plugin at the same time on the same website?
Thanks
Alam Khan
Founder
WPBeginner Support
Hi Alam,
We recommend using Login LockDown alone and not with limit login attempts.
Administrateur
cheryleduryea
Hmm it looks like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I wrote and say, I’m thoroughly enjoying your blog. I as well am an aspiring blog writer but I’m still new to the whole thing. Do you have any points for beginner blog writers? I’d certainly appreciate it.
agustinpenny920
Hi, of course this article is genuinely good and I have learned lot of things from it regarding blogging. thanks.
adelaida5489
With havin so much content and articles do you ever run into any issues of plagorism or copyright violation? My blog has a lot of unique content I’ve either created myself or outsourced but it seems a lot of it is popping it up all over the web without my agreement. Do you know any methods to help prevent content from being stolen? I’d certainly appreciate it.
WPBeginner Support
Please see our guide on preventing blog content scraping in WordPress.
Administrateur
Suji
Hi
Thanks 4 d article. Informative.
Is there any option to limit the login attempts without using any plugins?
YNS
Hi,
With the a bundle of trusted plugins (which at the same time offer multiple other security feature), It’s no longer that hard to protect WordPress sites from attacks like login attempt.
Those complaining about the feature not being in-built should realize the functionality extensions are meant to serve. The WordPress ecosystem is just scalable, I really like it. But need more partnership with powerful CDN provider. In countries like China, a good plugin like JetPack becomes useless because all the IPs it connects to are malicious to the Great Firewall.
This Blog is very useful, especially when promoting successful open source WordPress projects.
Brad
One of my sites get’s nearly 100 login attempts per month. Like many of you, I find it odd since it’s not an ecommerce site and we gather no user information. I installed Wordfence Security plugin which offers lock out options for any incorrect username as well as by IP and even entire countries.
It also has several other defenses which have proved to be invaluable. The web isn’t safe without some sort of protection. If you any of you know of a better one, please share.
Safe Programming!
Brad
Ed Dogan
I like this better
https://www.wpbeginner.com/wp-tutorials/how-to-limit-access-by-ip-to-your-wp-login-php-file-in-wordpress/
marian chapa
hey.. i forgot my admin password for my website.. how can i get access to edit my site
WPBeginner Support
Please see our guide what to do when locked out of WordPress admin area.
Administrateur
Steve
No one has mentioned Jetpack, which has a module called Brute Protect. This blocks users from suspicious IP addresses automatically. It is based on a global network that can track spammers from all over the web.
Pete
Thank you for another the tip. I use BackupBuddy and I love that it automatically runs my backups but it also enables users to easily migrate sites to other servers. Especially going from a local host to a live server.
Donna
Its funny I get this email b/c I work up to 27 attempts at my site over night from all over the world.. I mean really what do they want I have a sewing and fashion blog? What they attempt to gain from this taking over my site and pay them?? I just changed my settings a few days ago prior to this article because I was getting quite a few hacks.. Now this am over 27 which is the most I have ever seen.
Connor Rickett
Is that a question that really needs an answer? Because it prevents brute force hacking (or at least slows it way down).
Why WP doesn’t come with limited login attempts out of the box, now THAT’S a question that I’d like to see a blog post addressing.
Iza
I am using Limit Login Attempts in combination with another great safety plug-in called WP-Ban. The Limit Login Attempts plug-in sends me an e-mail after second I believe unsuccessful login attempt with the IP of the user. I paste this user into Ban plug-in and next time, the user will not be able to try log-in at all. Just another layer of security against trolls.
Nika
Limit Login Attempts hasn’t been updated in over 3 years. It’s outdated. Login LockDown has poor functionality and why it’s recommended here I don’t know.
A few weeks ago I’ve installed WP Cerber instead.
It looks like a strong solution. It does all the things as expected.
WPBeginner Support
We do not agree that Login Lockdown has poor functionality. It does exactly what it says. We haven’t tested WP Cerber yet so we cannot comment on that.
Administrateur
Joris Heyndrickx
I think it’s time WordPress should have configurable paths so that we finally can het rid of example.com/wp-admin. I saw requests for this, 8 years ago.
Jon Schear
I’ve used this a couple times. Brought the usual load of 50 emails an hour about lockout notifications down to 0.
Recaptcha is another good one, but much more difficult to implement.
Han Balk
I switched from LLA to Wordfence, because of all the extra security features it’s got.
Every Operating System has a feature to limit login attempts. I know WordPress is a CMS and not an OS, But it is a mature CMS and the WordPress community would greatly benefit of a buitlin login limitation that’s enabled by default. A lot of WordPress sites are « vulnerable » for unlimited login attempts, because they’re not properly protected and the owners are not security aware.
It can’t be that difficult to built in a login limitation and enable it by default in one of the forthcoming WordPress versions?
Howard
Limit Login Attempts has not been updated in a couple of years, and has some « holes » in it. I discovered this in my logs, where I found nearly 100 « lockouts » in a 10-minute period from the same IP. The lockouts were activated after the 2nd unsuccessful attempts, and were supposed to be for 72 hours. They were coming so fast that it was an effective DoS, and required some effort to get it stopped. It’s fairly obvious that the script kiddie has bypassed the lockout. The attacks from that IP address stopped when I was finally able to add it to the deny list in .htaccess.
.
I still use LLA for the limited but useful information and notifications, but I don’t rely on it to keep my site secure.
FranE
I notice this functionality on some of my sites, even though they don’t have the plugin installed. Is it included in certain themes? Maybe Genesis?
WPBeginner Staff
We are not aware of any themes including this functionality. Remember themes are not supposed to add functionality to your WordPress site. Functionality comes under plugins. May be it is something added by your web host?
Grayhambo
There appear to be some compatibility issues with this plugin with WP 4.0, as it hasn’t been updated in over 2 years. Can lock you out of the admin panel. If this happens, then you need to disable the plugin in the usual way, using something like cPanel access.
Joe
Seems to still work fine on all 10 of my wp sites
Torben Heikel Vinther
Sounds like a good and simple plugin, but why not use Better WP Security instead? BWS has a whole section about Limit Login Attempts AND many other security issues in one single plugin! In addition BWS was last updated 2013-8-24. Limit Login Attempts hasn’t been updated since 2012-6-1!
Editorial Staff
Torben, there are a lot of plugins that offers this functionality. Limit Login Attempts is a simple plugin that does one thing and does it real well. That’s not to say that BWS is a bad solution. It’s a very good solution (over 1 million downloads on the plugin already proves that).
Administrateur
Nika
I’ve been using the Limit Login Attempts plugin for my sites for a while. Now this plugin is outdated. Be honest. Did you use Limit Login Attempts on your site?
WPBeginner Support
Since it has expired we have updated the article and replaced it with login lockdown plugin.
abdelhafidcom
what about login lookdown plugin ? is it useful ? should i replace with this plugin ?
wpbeginner
@abdelhafidcom That’s also good. It does the same thing. It just hasn’t been updated in a while.
AlbertAlbs
Thanks for sharing this WordPress security information.
ColeRuddick
Excellent tip! As WordPress is the most widely used platform out there now, site security should be something all users are taking seriously and this plugin is a great help. Thanks for sharing!
namaserajesh
Agree with you, Limit Login Attempts is very good plugin to protect our WordPress blog.
joeytribbiani
I prefer Login Lock. It is officially compatible up to version 3.3.1
http://wordpress.org/extend/plugins/login-lock/
merrittsgret
@joeytribbiani Login Lock effectively blocked everyone out of my site recently. I’m switching to Limit Login Attempts.
Aqif
i prefer to not consume ready:)
Alan
Thanks for this!
doug_eike
I’ve been looking for ways to protect my blog, and your plugin suggestion looks as if it might be helpful. I’ll take a look at it. Thanks!