Authentication Free WordPress.org

Limit Login Attempts

4.6 / 5 (202 reviews) · 300K+ active installs · By Automattic
Version v1.7.2 · Last Updated Apr 2023

Plugin Review

AI-Researched

What is Limit Login Attempts?

Limit Login Attempts is a focused security plugin that stops brute-force attacks on your WordPress login page. It blocks an IP address after a set number of failed login retries. Developed by Automattic, the company behind WordPress.com, it has a 17-year track record. It currently has over 300,000 active installs and a 4.6 out of 5 star rating from 202 reviews. This long history and high adoption rate make it a trusted baseline for login protection.

The plugin works on both standard login forms and the auth cookie system. By default, WordPress allows unlimited login attempts. This plugin changes that by enforcing retry limits. Because each IP address gets only a set number of retries before it is blocked, brute-force password cracking becomes nearly impossible. Over 84% of its 202 ratings are five stars, reflecting strong user satisfaction. Only 6% of ratings are one star, which is a low rate for a security plugin.

Key Features of Limit Login Attempts

  • Configurable Retry Limits — Set the exact number of failed login attempts allowed per IP address before a block is triggered.
  • Auth Cookie Protection — Limits the number of attempts made using authentication cookies, closing a common bypass vector.
  • User Feedback on Lockout — Displays remaining retries or the lockout time directly on the login page for legitimate users.
  • Optional Logging & Email Alerts — Log all failed attempts and receive email notifications when a lockout occurs.
  • Reverse Proxy Support — Correctly identifies the real client IP when your site runs behind a caching or load-balancing server.
  • IP Whitelist Filter — A developer-friendly filter (limit_login_whitelist_ip) allows specific IPs to bypass blocks while still logging their activity.
  • 17 Language Translations — Fully localized into Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, and Turkish.
  • Standard Hooks Only — Uses only standard WordPress actions and filters, ensuring compatibility with most themes and plugins.

Who Should Use Limit Login Attempts?

This plugin is ideal for site owners who want simple, set-and-forget security. It suits beginners because it works immediately after activation with default settings. It also fits experienced users who want to customize retry limits or whitelist specific IPs via code. With 300,000+ active installs, it is already trusted on a wide range of sites—from personal blogs to small business websites.

It is a good choice for anyone who has seen brute-force attempts in their server logs. The plugin requires no technical knowledge to block most attacks. Its 17-year age means it has been tested against many WordPress versions. The tested compatibility goes up to WordPress 6.2.9. If you manage a site with user registrations, this plugin helps protect every account equally.

Installation & Setup

Installation is standard: download, extract to the wp-content/plugins directory, and activate through the WordPress admin. The plugin works immediately with sensible defaults. For most users, no additional setup is needed. The only notable step is checking the reverse proxy setting if your site uses a caching or load-balancing server. The plugin provides a helpful guess on the settings page to guide this decision.

Support & Community

The plugin's support forum shows a mixed picture. Over the last two months, there are 0 open threads and 0 resolved threads, giving a 0% resolution rate. This suggests either very few reported issues or that support responses are not tracked in the forum. With 300,000+ installs and a 4.6 rating, most users likely do not need support. The 6% one-star ratings may partly reflect frustration when users lock themselves out during testing. The FAQ addresses this directly with a clear solution: wait or manually edit the plugin files. The plugin's long maturity means its documentation and FAQ cover most common problems thoroughly.

Pros & Cons

What's Good
  • With over 300,000 active installs and an 84% five-star rating, the plugin is widely trusted for blocking brute-force attacks by limiting retry attempts per IP.
  • It fully customizes retry limits and lockout times for both normal logins and auth cookie attempts, giving site owners direct control over security thresholds.
  • The plugin informs users of remaining retries or lockout duration on the login page, reducing confusion and support requests.
  • It handles reverse proxy setups and offers optional logging and email notifications, making it adaptable for various hosting environments.
  • Translations into 17 languages and reliance only on standard WordPress actions and filters ensure broad compatibility and easy integration.

Drawbacks
  • No support threads exist (0 total, 0 resolved), meaning users have no official community or developer help for troubleshooting.
  • The plugin lacks advanced features like geolocation blocking or temporary IP whitelisting, limiting its use for high-traffic or global sites.
  • IP-based blocking can inadvertently lock out legitimate users sharing a public IP (e.g., in offices or schools) without a simple admin override.
  • Its last update date is not provided, raising potential concerns about ongoing maintenance and compatibility with newer WordPress versions.

Technical Details

  • Requires WordPress: 2.8+
  • Tested up to WP: 6.2.9
  • First Released: 2009 (17+ years)
  • Support (last 2 months): 0 threads

Feature Tags

authentication login security

Frequently Asked Questions