WordPress is the world’s most widely used blogging platform, capable of building various types of websites including blogs, CMS systems, and online stores. You might assume that with low traffic, security isn’t a priority for your site. But what you may not realize is that many hackers use automated software to scan websites across the internet.
Since 30% of all websites are built on WordPress, many hackers specifically target sites using this platform. Botnets and hackers exploit leaked databases online to repeatedly attempt logging into your site. They cycle through different login credentials until successful, allowing them to steal your data, install malware, or even delete all content from your site.
If your site uses weak passwords, hackers can discover them and exploit the site. Protecting your site from brute-force attackers and maintaining its security is crucial. While you can try other solutions like setting strong passwords or password-protecting the admin directory, installing a brute-force protection plugin offers a simpler approach. All you need to do is choose the most suitable plugin and let it handle the work.
What is a Brute-Force Attack
A brute-force attack is a method of cracking website passwords by working through dictionaries and combinations of candidate passwords. Hackers employ software that automatically repeats attempts with different passwords until one matches your website’s password.
Nearly every website is scanned for passwords by bots daily—you just don’t realize it.
9 WordPress Brute-Force Login Protection Plugins
- Loginizer
- Limit Login Attempts Reloaded
- WP Limit Login Attempts
- Limit Attempts by BestWebSoft
- Limit Login Attempts
- WPS Limit Login
- Jetpack
- Brute Force Login Protection
- Botnet Attack Blocker
Loginizer

Loginizer is one of the best open-source and free brute-force login protection plugins for WordPress. With over 800,000 active installations, it offers both a free and pro version. Even the free features effectively shield your site from malicious attacks.
Loginizer's features include:
- Block IP after maximum retries allowed
- Extend lockout after maximum lockouts allowed
- Email notification to admin after maximum lockouts allowed
- Blacklist IP / IP range
- Whitelist IP / IP range
- Check logs for failed attempts
- Create IP range
- Delete IP range
- Licensed under GNU GPL Version 3
- Secure and reliable
Download link: https://wordpress.org/plugins/loginizer/
Limit Login Attempts Reloaded

Limit Login Attempts Reloaded limits login attempts made through the normal login form as well as through auth cookies. This plugin prevents brute-force attacks by limiting login attempts, ensuring only legitimate users gain site access.
Features:
- Limit login retries per IP address. Fully customizable.
- Restrict logins using authorized cookies in the same manner.
- Display remaining retries or lockout duration on the login page.
- Optional logging and email notifications.
- IP and username whitelisting/blacklisting.
- Sucuri Website Firewall compatibility.
- XMLRPC gateway protection.
- Woocommerce login page protection.
- Multisite compatibility with additional MU settings.
- GDPR compliant. When enabled, all logged IPs are obfuscated (md5-hashed).
- Custom IP source support (Cloudflare, Sucuri, etc.).
Download link: https://wordpress.org/plugins/limit-login-attempts-reloaded/
WP Limit Login Attempts

WP Limit Login Attempts is another powerful WordPress security plugin. It currently boasts over 40,000 active installations and a 4.5-star rating.
Limit login attempts to protect your site from brute-force attacks. A brute-force attack is the simplest way to gain access to a site: it tries usernames and passwords repeatedly until it succeeds. WP Limit Login Attempts temporarily restricts login attempts and blocks IP addresses. It detects bots through CAPTCHA verification.
Features:
- Login Security: Limits login attempts and tracks user login attempts
- CAPTCHA
- Lightweight plugin
- Mechanism to slow down brute force attacks
- Redirects to homepage during abnormal requests (stops hacking tools)
- GDPR compliant. When enabled, all logged IPs are obfuscated (md5-hashed).
Download link: https://wordpress.org/plugins/wp-limit-login-attempts/
Limit Attempts by BestWebSoft

The Limit Attempts plugin is a WordPress security solution that protects your site from spam and brute-force attacks. It limits the number of failed login attempts per user and blocks user IPs for a set period based on your configuration. This prevents automated scripts from generating countless combinations to crack your site.
Manage blacklists and whitelists, receive email notifications, hide site forms from blocked or blacklisted IPs, and access other advanced features ensuring data security.
Features:
- This plugin automatically blocks IP addresses attempting login after exceeding the allowed number of login attempts.
- Allows manual marking of IPs for Whitelist and Blacklist.
- You can hide login and registration information from blocked IPs.
- You can display any custom Captcha error message to blocked users upon invalid attempts.
- Multilingual support.
Download link: https://wordpress.org/plugins/limit-attempts/
Limit Login Attempts

Limit Login Attempts is another popular WordPress login protection plugin, primarily designed to shield against brute-force attacks.
Features:
- Login Security – Limits login attempts and tracks user login attempts
- Brute Force Attack Protection – Restricts the number of allowed login attempts and safeguards user accounts from attacks
- Anti-Spam – Google reCAPTCHA to protect users from spam
- IP Restriction – Restricts IP addresses or IP ranges to prevent invalid login attacks
- Rename or Change Login Page URL – Renames the default WordPress login URL (slug) to something different from the original wp-login.php or wp-admin to prevent automated brute force attacks.
- Display Remaining Attempts on Login Page – Provides an option to notify users of their remaining login attempts on the login page.
- Spam Protection – Offers spam protection and disables/blocks IP addresses after a certain number of attempts.
- Disable XML-RPC – A simple option to disable XML-RPC in WordPress. Most WordPress users don’t need XML-RPC and can disable it to prevent automated brute-force attacks.
- Inactive User Logout – Automatically log out users if they haven’t performed any actions within a specified timeframe.
- Administrator Email Alerts – Notify users via email alerts about IP blocks and unusual activity on their accounts.
Download link: https://wordpress.org/plugins/miniorange-limit-login-attempts/
Limit Login Attempts also has a pro version: Brute Force Login Security, Spam Protection & Limit Login Attempts
WPS Limit Login

WPS Limit Login is a full-featured, powerful login protection plugin for WordPress. By default, WordPress allows unlimited login attempts, making brute-force attacks relatively easy. WPS Limit Login is here to save your website.
Limit the number of possible connection attempts via the login page and authentication cookies. By default, WordPress permits unlimited login attempts through the login page or by sending special cookies. This allows passwords (or hashes) to be cracked relatively easily through brute-force attacks.
WPS Limit Login restricts login attempts and blocks further attempts from an IP address once a specified limit is reached, making brute force attacks difficult or impossible.
Product Features:
- Limit the number of retries during login (per IP). This is fully customizable.
- Restrict login attempts using authorization cookies in the same manner.
- Notify users of remaining attempts or lockout duration on the login page.
- Logging and optional email notifications.
- Manage servers behind reverse proxies.
- IP address whitelisting/blacklisting.
- Compatible with Sucuri website firewalls.
- XMLRPC gateway protection.
- Woocommerce protection for login pages.
- Multisite compatible with other MU settings.
Download link: https://wordpress.org/plugins/wps-limit-login/
Jetpack
Jetpack, provided by WordPress.com, offers a comprehensive solution (avoid using domestic servers as they may be inaccessible) to protect your WordPress site from bots and malware attempting to crack weak login credentials. It’s recognized as the most robust plugin in the brute-force protection domain.
This plugin also aids in spam filtering and uptime monitoring. Most importantly, you can scan for malware and log changes made to your site. The number of blocked spam comments or malicious attacks on your site will be stored on the “Brute Force & Malware Protection – On-Demand Backup & Restore Settings” page.
Beyond brute force protection, Jetpack supports site performance and management. This includes image optimization, mobile responsiveness, and advanced site statistics and analytics to understand your audience.
Pros
- Offers numerous features beyond security, including performance optimization and site management
- Provides two-factor authentication (2FA)
Cons
- Requires upgrading to access advanced features
Download link: https://wordpress.org/plugins/jetpack/
Brute Force Login Protection
Similar to other login attempt restriction plugins, Brute Force Login Protection blocks automated scripts and malicious actors from repeatedly entering usernames and passwords on your WordPress login page.
Installed on over 20,000 sites with a 4.1-star rating, this plugin clearly addresses the issue.
The plugin works with minimal configuration. You can view blocked IP lists or manually block IPs from the “Settings” page, and it supports IP whitelisting.
Similar to Limit Login Attempts Reloaded, this plugin allows you to delay logins after failed attempts, helping to slow down brute force attacks. Users face a short 5-10 minute interval between two failed login attempts.
If your admin IP gets blocked, edit the .htaccess file (if you have FTP access) and remove the “deny from abcd” line (where abcd is your IP) to log in. No FTP access? Access the admin panel from another IP and remove it from the blocked list.
Advantages
- Slows down brute-force attacks
- Sends an email to the administrator when an IP address is temporarily banned
- Simple and easy to use
Disadvantages
- Updates are slow.
Download link: https://wordpress.org/plugins/bruteguard/
Botnet Attack Blocker
Botnet Attack Blocker takes a different approach to protect WordPress sites from brute-force attackers and cybercriminals. From a plugin developer’s perspective, IP address and location blocking alone are insufficient to keep bots out.
For example, by using 1,000 computers to simultaneously input login credentials and allowing 5 login attempts per device before locking, an attacker could test up to 5,000 different passwords.
To circumvent this limitation, Botnet Attack Blocker essentially ignores IP address variations. After detecting five unsuccessful attempts within a specific timeframe (default setting), it blocks all administrator login attempts.
However, the plugin’s operation may cause issues. After a total of five consecutive failed attempts, Botnet Attack Blocker blocks all administrator login attempts, whichever IP address they come from. Consequently, this may mistakenly block many users who have no intention of compromising the site.
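The trade-off described above, as an added simulation (not code from the plugin or from the original article): one failed-login limiter, keyed first per IP address and then site-wide, run over constructed traffic of 1,000 bot addresses making 5 guesses each plus one legitimate administrator login. The class and function names, the 300-second window and the 600-second lockout are assumptions.

```python
from collections import defaultdict, deque

class Lockout:
    """Failed-login limiter; key_fn decides what failures are counted against."""
    def __init__(self, key_fn, max_failures=5, window=300, lockout=600):
        self.key_fn, self.max_failures = key_fn, max_failures
        self.window, self.lockout = window, lockout  # seconds (assumed values)
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> second at which the lock ends

    def allow(self, ts, ip):
        """True if an attempt from ip at time ts reaches the password check."""
        return ts >= self.locked_until.get(self.key_fn(ip), 0)

    def record_failure(self, ts, ip):
        key = self.key_fn(ip)
        recent = self.failures[key]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:  # expire old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = ts + self.lockout
            recent.clear()

def constructed_traffic(bots=1000, tries_each=5):
    """Constructed sample: (ts, ip, is_legitimate), 10 bot attempts per second."""
    events = []
    for i in range(bots * tries_each):
        bot = i % bots  # bots take turns, so each address stays under its limit
        events.append((i // 10, f"10.{bot // 256}.{bot % 256}.1", False))
    # One administrator logging in with the correct password after the burst.
    events.append((550, "203.0.113.10", True))
    return events

def simulate(policy, events):
    """Return (wrong passwords actually checked, legitimate logins refused)."""
    tested = refused = 0
    for ts, ip, legit in events:
        if not policy.allow(ts, ip):
            refused += int(legit)
        elif not legit:  # a wrong guess reaches the password check and fails
            tested += 1
            policy.record_failure(ts, ip)
    return tested, refused

def compare():
    events = constructed_traffic()
    return {"per_ip": simulate(Lockout(lambda ip: ip), events),
            "site_wide": simulate(Lockout(lambda ip: "*"), events)}
```

Keyed per address, the limiter lets all 5,000 guesses reach the password check; keyed site-wide, it lets only 5 through but also refuses the administrator's correct login at second 550.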
Advantages
- Allows partial IP addresses
- Adds a key to bypass locking
Disadvantages
- Prone to mistakenly blocking legitimate users
- No updates for 3 years
Download link: https://wordpress.org/plugins/botnet-attack-blocker/
Which plugin should you use?
After introducing these 9 plugins that enhance WordPress login security, you might be wondering: Which one should I install?
In reality, each plugin offers login protection. You simply need to research which one’s features best meet your specific security needs.