Summer Sale Discount 15% Off · Use Code SUMMER at Checkout
WordPress Brute Force Protection Plugins to Keep Client Sites Safe

WordPress Brute Force Protection Plugins to Keep Client Sites Safe

Last Updated May 15, 2023

White Label Logo This post is brought to you by White Label for WordPress. Customize the WordPress admin and make life easier for you and your clients.

WordPress has a fairly poor security reputation. A lot of it is, quite frankly, unjustified but there are some ways in which WordPress is inherently hard to secure. One of the most common ways in which a WordPress site is vulnerable is via brute force attacks. In a brute force attack, a malicious user tries to access a WordPress site with repeated login attempts. The goal is that they will eventually hit the right combination of username and password to gain admin access. Developers have come up with a lot of plugins to help combat these attacks. Today, we are going to look at some of the most popular WordPress brute force protection plugins out there.


Popular WordPress Brute Force Protection Plugins

The WordPress brute force protection plugins we will discuss today are all available for download from WordPress.org. You can also, if you prefer, install and activate these plugins from the WordPress admin directly.

We have summarized each of these plugins’ features to give you a better idea of what they have to offer. We even discuss what any paid, or premium, versions have in terms of extra features and capabilities.

Our goal, by the end of this post, is that you will find the right plugin to help your client sites remain safe from brute force attacks.

Limit Login Attempts Reloaded

Limit Login Attempts Reloaded

Limit Login Attempts Reloaded is the first WordPress brute force protection plugin we will be discussing. This plugin halts brute force attacks by limiting how many login attempts are possible through the regular login page or through XMLRPC, WooCommerce, or any custom login pages.

IP addresses and usernames are blocked from making more attempts once they’ve exceeded the set amount of retries. This helps stop brute force attacks as usually WordPress allows unlimited login attempts by default. The lockout timings are configurable, and the user can be informed about the number of retries they have left. An alert can also be included to let users know the time they are locked out for.

Email notifications about blocked attempts are sent to site admins. Blocked attempts are logged inside of the admin as well. Finally, you may add a safe list or a block list of certain IPs and usernames for your site to filter through for greater control.

Plugin Details

This plugin was first released by its owner in August of 2016. It is now on version 2.26.11 and last underwent a change on June 22nd, 2024. The newest edition runs on WordPress 6.5.5. This plugin is currently running on over 2,000,000 WordPress websites. It has had over 57,906,670 downloads. There have been 7 help requests with a 29% response rate. Limit Login Attempts Reloaded has below average support from its developer. Reviews for Limit Login Attempts Reloaded are very positive. Many of the users who left an evaluation found this plugin to be great.

Security Issues and Vulnerabilities

There have been 2 recorded security or vulnerability issues with Limit Login Attempts Reloaded. All of those security problems have been fixed. Here are the details:

DateDescriptionFixed?
12/14/20Login Rate Limiting Bypass
This was a high concern issue that was fixed in version 2.17.3.
Yes
12/14/20Reflected Cross-Site Scripting
This was a medium concern issue that was fixed in version 2.15.2.
Yes

Premium Version

Limit Login Attempts Reloaded has a paid and premium cloud app that includes more features to ensure the safety of your site. It optimizes your site as brute force attacks are absorbed in the cloud with up to 100k requests monthly. It provides throttling which elongates the lockout intervals every time someone attempts to log in unsuccessfully. All data is backed up and the plugin makes sure legitimate IPs are allowed automatically.

There are synchronized lockouts, having the lockouts happen at the same time across several domains, and the safe list and block list are synchronized as well. The lockout logs are enhanced and a CSV download of IP data may be downloaded. You can easily unlock any locked admins, and premium support is prompt, having your questions answered within 24 hours.

SiteGuard

SiteGuard

SiteGuard is a plugin that instantly improves the security of your WordPress site. It specializes in brute force login attacks. The plugin takes charge of protection and offers management capabilities to further customize how you would like your site secured. You can add a CAPTCHA to your login page to hinder attacks or even receive less spam.

The plugin also lets admins set a defined number of attempts to log in. If the limit is reached, the user will be locked out for a certain time. Unauthorized logins are checked as well by sending an email to the account user.

A “Fail Once” option may also be implemented. This feature forces the first login to fail no matter if it was right or wrong. Then the user must enter the correct password again within a minute to go through. 

Plugin Details

This plugin was initially released by its owner in October of 2014. It is currently on version 1.7.7 and last underwent a change on July 17th, 2024. The most recent edition runs on WordPress 6.6. This plugin is currently operating on over 500,000 WordPress sites. It has had over 4,216,810 downloads. There have not been many assistance requests from end-users. Reviews for SiteGuard WP Plugin are very positive. Many of the end-users who left a piece of feedback found this plugin to be great.

Protection Against DDoS

Protection Against DDoS is a WordPress brute force protection plugin that helps fix any performance issues that may be caused by attacks against a site. This is important because the nature of these attacks usually makes servers run out of memory.

The plugin denies access to common targetable features such as XML-RPC and RSS feed pages. For CloudFlare users, you have the choice to allow or deny access to anyone from certain countries. Bogus requests won’t even reach your site as checks are done through the .htaccess file. So malicious users are bounced at the web server level. You may choose where they get bounced to as well. This plugin is compatible with multisite, as an added bonus

Plugin Details

This product was initially released by its developer in July of 2016. It is now on version 1.5.2 and last underwent a change on April 29th, 2020. The most recent edition runs on WordPress 5.4.16. This plugin is now running on over 4,000 WordPress websites. It has had over 46,290 downloads. There have not been many help requests from users. Reviews for Protection Against DDoS are very positive. Many of the end-users who left an evaluation found this plugin to be worthwhile.

Limit Login Attempts

Limit Login Attempts

Limit Login Attempts provides several security features to keep your website safe from brute force attacks. The plugin can limit how many times a user can log in. It also provides the ability to block certain IP addresses after an amount of failed login attempts. The plugin uses Google’s reCAPTCHA for spam protection, renames the login URL, and blocks registrations from fake users.

Incoming requests from an IP to the website are monitored and alerts are sent to admins when unusual activities are present. WordPress files are protected as well with the option for you to prevent users from browsing directory content and editing files from the WordPress admin.

The plugin also contains more advanced features, such as blocking people based on IP range, country, browser, referer, and hostname. Your site is protected from DOS attacks as well by slowing down attackers with delayed responses to their requests and blocking them later.

Plugin Details

This product was initially published by its creator in June of 2016. It is presently on version 5.0.2 and last saw a revision on December 1st, 2022. The newest release runs on WordPress 6.1.5 and requires at least PHP 5.3 to function on your server. This plugin is now operating on over 2,000 WordPress sites. It has had over 96,150 downloads. There have not been many assistance requests from end-users. WordPress users are positive and think highly of this product.

Security Issues and Vulnerabilities

There have been 2 recorded security or vulnerability issues with Limit Login Attempts. All of those security problems have been fixed. Here are the details:

DateDescriptionFixed?
6/6/22Administrator+ Cross-Site Scripting
This was a medium concern issue that was fixed in version 4.0.71.
Yes
8/23/21Stored Cross-Site Scripting
This was a medium concern issue that was fixed in version 4.0.50.
Yes

Botnet Attack Blocker

Botnet Attack Blocker is the last WordPress brute force protection plugin we’ll be detailing. This plugin helps defend your website and accounts from brute force attacks by bots. It does this by limiting total log-in attempts, locking down when appropriate, and setting comprehensive standards.

Besides visitors that are whitelisted, any failed login attempt by any username or IP is tracked. Once locked down, no one can log in apart from those whitelisted or with a secret key. The number of log-in failures may be specified as well as the time between failed attempts that are counted. It’s up to you to decide long a lockdown can last and you pick the secret key as well.

The lockout message can be customized if you need to do so. Botnet Attack Blocker includes partial IP address matching for dynamically allocated IP addresses. It is compatible with multisite and has translations for English, French, German, Italian, and Russian.

Plugin Details

This plugin was initially released by its creator in April of 2013. It is now on version 2.0.0 and last saw an update on May 12th, 2017. The newest update works on WordPress 4.7.29. This plugin is actively working on over 400 WordPress sites. It has had over 24,530 downloads. There have not been many help requests from end-users. Reviews for Botnet Attack Blocker are very positive. Many of the customers who left a piece of feedback found Botnet Attack Blocker to be excellent.

Find the Best WordPress Brute Force Protection Plugin

That’s the end of our look at WordPress brute force protection plugins. There are a lot of options and the choices can be overwhelming. We suggest giving several plugins a try. While the features of these options overlap, the implementation and finer details vary from plugin-to-plugin. Trying more than one is the best way to make sure you end up with the proper solution.

Brute force attacks are not going away and neither is WordPress and its large install base. It’s the perfect target for malicious individuals to attack. By installing a good protection plugin, you can help keep your client sites safe from harm.


Looking for More Ways to Improve WordPress?

Are you here to find a way to protect your client sites from brute force attacks? Before you go, you might want to check out our White Label WordPress plugin as well.

White Label was designed to let WordPress developers and agencies take the rough edges off of the WordPress admin. Our plugin lets you rebrand, recolor, customize, and modify the WordPress experience for your clients.

Create a new login page, change the admin color scheme, build your own dashboard elements, edit menus, and much more. Check out the list of White Label features to find out how the plugin can make life easier for you and your clients.


Related Posts from Our WordPress Blog

WordPress Staff List Plugins to Showcase Employees

Every corporate website needs an employee directory. Check out our list of WordPress staff listing plugins to make this task quick and easy.

The Best WordPress Testimonial Slider Plugins for Your Site

You can use a WordPress testimonial slider plugin for you site to quickly and easily include customer reviews on your business website.