WordPress Brute Force Protection Plugins to Keep Client Sites Safe
Last Updated May 15, 2023
This post is brought to you by White Label for WordPress. Customize the WordPress admin and make life easier for you and your clients.
WordPress has a fairly poor security reputation. A lot of it is, quite frankly, unjustified but there are some ways in which WordPress is inherently hard to secure. One of the most common ways in which a WordPress site is vulnerable is via brute force attacks. In a brute force attack, a malicious user tries to access a WordPress site with repeated login attempts. The goal is that they will eventually hit the right combination of username and password to gain admin access. Developers have come up with a lot of plugins to help combat these attacks. Today, we are going to look at some of the most popular WordPress brute force protection plugins out there.
Popular WordPress Brute Force Protection Plugins
The WordPress brute force protection plugins we will discuss today are all available for download from WordPress.org. You can also, if you prefer, install and activate these plugins from the WordPress admin directly.
We have summarized each of these plugins’ features to give you a better idea of what they have to offer. We even discuss what any paid, or premium, versions have in terms of extra features and capabilities.
Our goal, by the end of this post, is that you will find the right plugin to help your client sites remain safe from brute force attacks.
Limit Login Attempts Reloaded
Limit Login Attempts Reloaded is the first WordPress brute force protection plugin we will be discussing. This plugin halts brute force attacks by limiting how many login attempts are possible through the regular login page or through XMLRPC, WooCommerce, or any custom login pages.
IP addresses and usernames are blocked from making more attempts once they’ve exceeded the set amount of retries. This helps stop brute force attacks as usually WordPress allows unlimited login attempts by default. The lockout timings are configurable, and the user can be informed about the number of retries they have left. An alert can also be included to let users know the time they are locked out for.
Email notifications about blocked attempts are sent to site admins. Blocked attempts are logged inside of the admin as well. Finally, you may add a safe list or a block list of certain IPs and usernames for your site to filter through for greater control.
Plugin Details
This plugin was originally released by its creator in August of 2016. It is currently on version 2.26.8 and last experienced a revision on April 11th, 2024. The newest release works on WordPress 6.5.2. This plugin is presently working on over 2,000,000 WordPress websites. It has had over 54,255,560 downloads. There have been 7 support requests with a 57% response rate. Limit Login Attempts Reloaded has below average support from its owner. Reviews for this plugin are very positive. Many of the end-users who left a piece of feedback found this plugin to be great.
Security Issues and Vulnerabilities
There have been 2 recorded security or vulnerability issues with Limit Login Attempts Reloaded. All of those security problems have been fixed. Here are the details:
| Date | Description | Fixed? |
|---|---|---|
| 12/14/20 | Login Rate Limiting Bypass This was a high concern issue that was fixed in version 2.17.3. | Yes |
| 12/14/20 | Reflected Cross-Site Scripting This was a medium concern issue that was fixed in version 2.15.2. | Yes |
Limit Login Attempts Reloaded has a paid and premium cloud app that includes more features to ensure the safety of your site. It optimizes your site as brute force attacks are absorbed in the cloud with up to 100k requests monthly. It provides throttling which elongates the lockout intervals every time someone attempts to log in unsuccessfully. All data is backed up and the plugin makes sure legitimate IPs are allowed automatically.
There are synchronized lockouts, having the lockouts happen at the same time across several domains, and the safe list and block list are synchronized as well. The lockout logs are enhanced and a CSV download of IP data may be downloaded. You can easily unlock any locked admins, and premium support is prompt, having your questions answered within 24 hours.
SiteGuard
SiteGuard is a plugin that instantly improves the security of your WordPress site. It specializes in brute force login attacks. The plugin takes charge of protection and offers management capabilities to further customize how you would like your site secured. You can add a CAPTCHA to your login page to hinder attacks or even receive less spam.
The plugin also lets admins set a defined number of attempts to log in. If the limit is reached, the user will be locked out for a certain time. Unauthorized logins are checked as well by sending an email to the account user.
A “Fail Once” option may also be implemented. This feature forces the first login to fail no matter if it was right or wrong. Then the user must enter the correct password again within a minute to go through.
Plugin Details
This piece of software was first published by its owner in October of 2014. It is now on version 1.7.6 and last underwent an update on March 26th, 2024. The latest update operates on WordPress 6.5.2. This plugin is presently working on over 500,000 WordPress websites. It has had over 3,924,490 downloads. There have not been many help requests from users. Reviews for this plugin are very positive. Many of the customers who left a review found SiteGuard WP Plugin to be excellent.
Protection Against DDoS
Protection Against DDoS is a WordPress brute force protection plugin that helps fix any performance issues that may be caused by attacks against a site. This is important because the nature of these attacks usually makes servers run out of memory.
The plugin denies access to common targetable features such as XML-RPC and RSS feed pages. For CloudFlare users, you have the choice to allow or deny access to anyone from certain countries. Bogus requests won’t even reach your site as checks are done through the .htaccess file. So malicious users are bounced at the web server level. You may choose where they get bounced to as well. This plugin is compatible with multisite, as an added bonus
Plugin Details
This piece of software was originally published by its creator in July of 2016. It is actively on version 1.5.2 and last underwent an update on April 29th, 2020. The most recent update operates on WordPress 5.4.15. This plugin is presently running on over 4,000 WordPress websites. It has had over 46,050 downloads. There have not been many help requests from users. Reviews for Protection Against DDoS are very positive. Many of the users who left an evaluation found this plugin to be wonderful.
Limit Login Attempts
Limit Login Attempts provides several security features to keep your website safe from brute force attacks. The plugin can limit how many times a user can log in. It also provides the ability to block certain IP addresses after an amount of failed login attempts. The plugin uses Google’s reCAPTCHA for spam protection, renames the login URL, and blocks registrations from fake users.
Incoming requests from an IP to the website are monitored and alerts are sent to admins when unusual activities are present. WordPress files are protected as well with the option for you to prevent users from browsing directory content and editing files from the WordPress admin.
The plugin also contains more advanced features, such as blocking people based on IP range, country, browser, referer, and hostname. Your site is protected from DOS attacks as well by slowing down attackers with delayed responses to their requests and blocking them later.
Plugin Details
This product was initially published by its creator in June of 2016. It is presently on version 5.0.2 and last experienced a revision on December 1st, 2022. The most recent version runs on WordPress 6.1.5 and requires at least PHP 5.3 to run on your server. This plugin is presently working on over 2,000 WordPress websites. It has had over 96,150 downloads. There have not been many help requests from customers. WordPress users are positive and think highly of this plugin.
Security Issues and Vulnerabilities
There have been 2 recorded security or vulnerability issues with Limit Login Attempts. All of those security problems have been fixed. Here are the details:
| Date | Description | Fixed? |
|---|---|---|
| 6/6/22 | Administrator+ Cross-Site Scripting This was a medium concern issue that was fixed in version 4.0.71. | Yes |
| 8/23/21 | Stored Cross-Site Scripting This was a medium concern issue that was fixed in version 4.0.50. | Yes |
Botnet Attack Blocker
Botnet Attack Blocker is the last WordPress brute force protection plugin we’ll be detailing. This plugin helps defend your website and accounts from brute force attacks by bots. It does this by limiting total log-in attempts, locking down when appropriate, and setting comprehensive standards.
Besides visitors that are whitelisted, any failed login attempt by any username or IP is tracked. Once locked down, no one can log in apart from those whitelisted or with a secret key. The number of log-in failures may be specified as well as the time between failed attempts that are counted. It’s up to you to decide long a lockdown can last and you pick the secret key as well.
The lockout message can be customized if you need to do so. Botnet Attack Blocker includes partial IP address matching for dynamically allocated IP addresses. It is compatible with multisite and has translations for English, French, German, Italian, and Russian.
Plugin Details
This piece of software was initially published by its developer in April of 2013. It is actively on version 2.0.0 and last saw a change on May 12th, 2017. The latest release runs on WordPress 4.7.28. This plugin is actively functioning on over 400 WordPress sites. It has had over 24,500 downloads. There have not been many support requests from users. Reviews for this plugin are very positive. Many of the users who left a piece of feedback found this plugin to be great.
Find the Best WordPress Brute Force Protection Plugin
That’s the end of our look at WordPress brute force protection plugins. There are a lot of options and the choices can be overwhelming. We suggest giving several plugins a try. While the features of these options overlap, the implementation and finer details vary from plugin-to-plugin. Trying more than one is the best way to make sure you end up with the proper solution.
Brute force attacks are not going away and neither is WordPress and its large install base. It’s the perfect target for malicious individuals to attack. By installing a good protection plugin, you can help keep your client sites safe from harm.
Looking for More Ways to Improve WordPress?
Are you here to find a way to protect your client sites from brute force attacks? Before you go, you might want to check out our White Label WordPress plugin as well.
White Label was designed to let WordPress developers and agencies take the rough edges off of the WordPress admin. Our plugin lets you rebrand, recolor, customize, and modify the WordPress experience for your clients.
Create a new login page, change the admin color scheme, build your own dashboard elements, edit menus, and much more. Check out the list of White Label features to find out how the plugin can make life easier for you and your clients.
Related Posts from Our WordPress Blog
Building an events site from scratch can be difficult. One of the WordPress RSVP plugins in our list is sure to make things easier for you.
Adding crowdfunding capabilities doesn’t have to be difficult. Check out our list of the best WordPress crowdfunding plugins to make it easy.