How to block repeated failed logins

Can anyone suggest a more efficient way to block constant “failed login” attempts on our site?

Right now, I’m pasting every IP into Access Rules in Firewall, but they just keep switching IP address numbers. I’ve noticed a number come from certain Reverse IPs (eg. .vn or .eu) and wondered if there were a way to block them that way. My one at a time method is hugely time-consuming and, obviously, not overly effective!

I’m pretty new at this and only moderately technical. Still, if anyone can help me through this, I would really appreciate it!

Thanks for any suggestions,


some ideas:

  • implement google recaptcha at your logn form(and backend)
  • there is “protect my login” (firewall=> Rate Limiting) make sure to enable it(it cost money)
  • create a page rule like enabling “I am under attack mode” only on your login url.
  • implement a 2 step verification at your end that’s way even if they will manage to bypass all this stuff and guess your password they will get blocked

I used to have this issue, but it’s gone now that I have my login page protected by Access. Once you set it up, legit users will be asked to authenticate their ID via one of the ID providers, such as Google, GitHub etc. In my case I have a WordPress website, so besides wp-login.php, I also protect via Access the whole of /wp-admin/. Once authenticated at the login level, the user won’t be asked again (for a period of time you chose) and can go straight to the /wp-admin/ pages. As Access will block the users before they reach my web application, I also was able to remove some of the firewall rules I had created specifically against hackers trying to probe my login page, freeing up a few User-Agent Blocking and IP firewall rules.

Wow, boynet2, thanks so much for so quick a reply…and for so many suggestions. I’ll work my way through them to see which ones I can figure out and let you know how I do.

I had tried a recaptcha once before and found it didn’t help with the failed logins; it just drove me crazy having to do enter a password every time I logged into our site’s admin panel so I removed it. Guess entering a password at my end would be faster than what I have to do now to block the blasted failed logins, however!Winking smile

Back to you soon…and thanks again,


Thanks for your reply, floripare…apologies for not seeing this earlier. Will spend some time working to understand both sets of suggestions and post back with success or questions.

I appreciate both of you trying to help me out here!


This topic was automatically closed after 30 days. New replies are no longer allowed.