WordPress Brute Force Protection Plugins to Keep Client Sites Safe
Last Updated May 15, 2023
WordPress has a fairly poor security reputation. A lot of it is, quite frankly, unjustified but there are some ways in which WordPress is inherently hard to secure. One of the most common ways in which a WordPress site is vulnerable is via brute force attacks. In a brute force attack, a malicious user tries to access a WordPress site with repeated login attempts. The goal is that they will eventually hit the right combination of username and password to gain admin access. Developers have come up with a lot of plugins to help combat these attacks. Today, we are going to look at some of the most popular WordPress brute force protection plugins out there.
Popular WordPress Brute Force Protection Plugins
The WordPress brute force protection plugins we will discuss today are all available for download from WordPress.org. You can also, if you prefer, install and activate these plugins from the WordPress admin directly.
We have summarized each of these plugins’ features to give you a better idea of what they have to offer. We even discuss what any paid, or premium, versions have in terms of extra features and capabilities.
Our goal, by the end of this post, is that you will find the right plugin to help your client sites remain safe from brute force attacks.
Limit Login Attempts Reloaded
Limit Login Attempts Reloaded is the first WordPress brute force protection plugin we will be discussing. This plugin halts brute force attacks by limiting how many login attempts are possible through the regular login page or through XMLRPC, WooCommerce, or any custom login pages.
IP addresses and usernames are blocked from making more attempts once they’ve exceeded the set amount of retries. This helps stop brute force attacks as usually WordPress allows unlimited login attempts by default. The lockout timings are configurable, and the user can be informed about the number of retries they have left. An alert can also be included to let users know the time they are locked out for.
Email notifications about blocked attempts are sent to site admins. Blocked attempts are logged inside of the admin as well. Finally, you may add a safe list or a block list of certain IPs and usernames for your site to filter through for greater control.
Plugin Details
This piece of software was initially published by its owner in August of 2016. It is actively on version 2.26.16 and last experienced a revision on November 5th, 2024. The newest edition operates on WordPress 6.7.1. This plugin is currently working on over 2,000,000 WordPress websites. It has had over 63,712,350 downloads. There have been 8 help requests with a 50% response rate. Limit Login Attempts Reloaded has below average support from its owner. Reviews for this plugin are very positive. Many of the end-users who left an evaluation found this plugin to be excellent.
Security Issues and Vulnerabilities
There have been 2 recorded security or vulnerability issues with Limit Login Attempts Reloaded. All of those security problems have been fixed. Here are the details:
Date | Description | Fixed? |
---|---|---|
12/14/20 | Login Rate Limiting Bypass This was a high concern issue that was fixed in version 2.17.3. | Yes |
12/14/20 | Reflected Cross-Site Scripting This was a medium concern issue that was fixed in version 2.15.2. | Yes |
Limit Login Attempts Reloaded has a paid and premium cloud app that includes more features to ensure the safety of your site. It optimizes your site as brute force attacks are absorbed in the cloud with up to 100k requests monthly. It provides throttling which elongates the lockout intervals every time someone attempts to log in unsuccessfully. All data is backed up and the plugin makes sure legitimate IPs are allowed automatically.
There are synchronized lockouts, having the lockouts happen at the same time across several domains, and the safe list and block list are synchronized as well. The lockout logs are enhanced and a CSV download of IP data may be downloaded. You can easily unlock any locked admins, and premium support is prompt, having your questions answered within 24 hours.
SiteGuard
SiteGuard is a plugin that instantly improves the security of your WordPress site. It specializes in brute force login attacks. The plugin takes charge of protection and offers management capabilities to further customize how you would like your site secured. You can add a CAPTCHA to your login page to hinder attacks or even receive less spam.
The plugin also lets admins set a defined number of attempts to log in. If the limit is reached, the user will be locked out for a certain time. Unauthorized logins are checked as well by sending an email to the account user.
A “Fail Once” option may also be implemented. This feature forces the first login to fail no matter if it was right or wrong. Then the user must enter the correct password again within a minute to go through.
Plugin Details
This plugin was first published by its creator in October of 2014. It is presently on version 1.7.8 and last saw a revision on November 12th, 2024. The newest release operates on WordPress 6.7.1. This plugin is presently working on over 500,000 WordPress websites. It has had over 4,606,390 downloads. There have not been many help requests from customers. Reviews for SiteGuard WP Plugin are very positive. Many of the end-users who left an evaluation found SiteGuard WP Plugin to be great.
Protection Against DDoS
Protection Against DDoS is a WordPress brute force protection plugin that helps fix any performance issues that may be caused by attacks against a site. This is important because the nature of these attacks usually makes servers run out of memory.
The plugin denies access to common targetable features such as XML-RPC and RSS feed pages. For CloudFlare users, you have the choice to allow or deny access to anyone from certain countries. Bogus requests won’t even reach your site as checks are done through the .htaccess file. So malicious users are bounced at the web server level. You may choose where they get bounced to as well. This plugin is compatible with multisite, as an added bonus
Plugin Details
This plugin was initially released by its creator in July of 2016. It is currently on version 1.5.2 and last had an update on April 29th, 2020. The newest update works on WordPress 5.4.16. This plugin is presently working on over 3,000 WordPress websites. It has had over 47,020 downloads. There have not been many assistance requests from customers. Reviews for this plugin are very positive. Many of the users who left a piece of feedback found Protection Against DDoS to be excellent.
Limit Login Attempts
Limit Login Attempts provides several security features to keep your website safe from brute force attacks. The plugin can limit how many times a user can log in. It also provides the ability to block certain IP addresses after an amount of failed login attempts. The plugin uses Google’s reCAPTCHA for spam protection, renames the login URL, and blocks registrations from fake users.
Incoming requests from an IP to the website are monitored and alerts are sent to admins when unusual activities are present. WordPress files are protected as well with the option for you to prevent users from browsing directory content and editing files from the WordPress admin.
The plugin also contains more advanced features, such as blocking people based on IP range, country, browser, referer, and hostname. Your site is protected from DOS attacks as well by slowing down attackers with delayed responses to their requests and blocking them later.
Plugin Details
This product was originally published by its creator in June of 2016. It is currently on version 5.0.2 and last experienced a change on December 1st, 2022. The most recent version works on WordPress 6.1.5 and requires at least PHP 5.3 to function on your server. This plugin is presently running on over 2,000 WordPress websites. It has had over 96,150 downloads. There have not been many help requests from end-users. WordPress users are positive and think highly of this product.
Security Issues and Vulnerabilities
There have been 2 recorded security or vulnerability issues with Limit Login Attempts. All of those security problems have been fixed. Here are the details:
Date | Description | Fixed? |
---|---|---|
6/6/22 | Administrator+ Cross-Site Scripting This was a medium concern issue that was fixed in version 4.0.71. | Yes |
8/23/21 | Stored Cross-Site Scripting This was a medium concern issue that was fixed in version 4.0.50. | Yes |
Botnet Attack Blocker
Botnet Attack Blocker is the last WordPress brute force protection plugin we’ll be detailing. This plugin helps defend your website and accounts from brute force attacks by bots. It does this by limiting total log-in attempts, locking down when appropriate, and setting comprehensive standards.
Besides visitors that are whitelisted, any failed login attempt by any username or IP is tracked. Once locked down, no one can log in apart from those whitelisted or with a secret key. The number of log-in failures may be specified as well as the time between failed attempts that are counted. It’s up to you to decide long a lockdown can last and you pick the secret key as well.
The lockout message can be customized if you need to do so. Botnet Attack Blocker includes partial IP address matching for dynamically allocated IP addresses. It is compatible with multisite and has translations for English, French, German, Italian, and Russian.
Plugin Details
This plugin was first published by its creator in April of 2013. It is actively on version 2.0.0 and last experienced an update on May 12th, 2017. The latest release operates on WordPress 4.7.29. This plugin is currently functioning on over 400 WordPress websites. It has had over 24,740 downloads. There have not been many assistance requests from users. Reviews for Botnet Attack Blocker are very positive. Many of the customers who left a piece of feedback found Botnet Attack Blocker to be wonderful.
Find the Best WordPress Brute Force Protection Plugin
That’s the end of our look at WordPress brute force protection plugins. There are a lot of options and the choices can be overwhelming. We suggest giving several plugins a try. While the features of these options overlap, the implementation and finer details vary from plugin-to-plugin. Trying more than one is the best way to make sure you end up with the proper solution.
Brute force attacks are not going away and neither is WordPress and its large install base. It’s the perfect target for malicious individuals to attack. By installing a good protection plugin, you can help keep your client sites safe from harm.
Looking for More Ways to Improve WordPress?
Are you here to find a way to protect your client sites from brute force attacks? Before you go, you might want to check out our White Label WordPress plugin as well.
White Label was designed to let WordPress developers and agencies take the rough edges off of the WordPress admin. Our plugin lets you rebrand, recolor, customize, and modify the WordPress experience for your clients.
Create a new login page, change the admin color scheme, build your own dashboard elements, edit menus, and much more. Check out the list of White Label features to find out how the plugin can make life easier for you and your clients.