This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.



BruteProtect is no longer supported or under active development

In August of 2014, BruteProtect became a part of the Automattic family, and our technology has been integrated into Jetpack. Please upgrade to Jetpack to continue using BruteProtect.



Is Jetpack good?

So good. You won’t regret it.


Read all 65 reviews

Contributors & Developers

“BruteProtect” is open source software. The following people have contributed to this plugin.


Translate “BruteProtect” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • No more new API keys.


  • Fix error in 2.4.1, fix transients in multisite to not autoload


  • Fix potential circumvention method (Props Ruben van Vreeland –


  • Improve casting in API calls
  • Add 403 status to blocked logins (props neoxx)
  • Adding announcement for new Jetpack features
  • Remove the ability to link your site to
  • Announcing the closing of services as of February 2015


  • Patch brute_check_preauth so that Google Apps login will work (props jay-s)


  • Remove shoutouts


  • Fix false downtime notifications


  • Add ability for users to turn off monitoring
  • Improve IP detection
  • Added noncing on admin pages


  • Minor updates admin config, removed secure login


  • Fixed URL typo (props koke)


  • Fix potential warning if current user isn’t set (props migueluy)


  • Add in filters for private IPs (props tellyworth)


  • The future is bright


  • Replaced placeholder with dynamic data


  • Reformatted all plugin code to meet WP style standards
  • Added icons for WP 4.0 Plugin Browser
  • Removed secure login option
  • Changed link to my. mechanism from username/pass to key


  • BruteProtect dashboard gets a makeover
  • Fixed some broken links
  • Fixed the way that beta versions of WP report that they need updating

  • Fix minor issue with secure login

  • Fix minor issue with secure login


  • Change the hook used for our backstop check to ensure complete effectiveness
  • Improve secure login redirect

  • Fixing a glitch that deactivated the Secure Login feature
  • Improving the urls in the Secure Login feature


  • Improve the way site urls are saved
  • Improve how we determine if a site is linked to


  • Fix minor bug in multisite admin


  • Support for sites where WordPress is installed in a sub folder
  • More readable UI
  • Fixed bugs that where causing PHP errors


  • Now you can opt out of the Secure Login feature from the login page
  • Secure Login is automatically disabled if you are connecting to your site via SSL already


  • Add color options for the front end widget
  • Add a site disconneciton button
  • Improve plugin deactivation
  • Bug fixes in the back end widget


  • Minor fixes to the api calls


  • Use strval on subdirectory url


  • Add in core update
  • Minor bug fixes
  • Track subdirectory urls


  • Redesign everything
  • Add My BruteProtect
  • Add remote secure login
  • Add remote monitoring
  • Add remote plugin monitoring and updating
  • This update includes over 2,000 man hours of programming and design work, and countless sleepless nights. Thank you to Rocco, Jesse, Stephen, Jeff, Derek and Ryan, and to our incredibly patient significant others. We really hope that everyone loves what we’ve done.


  • Make the security auditing messaging less offensive
  • Add in better text around the text requiring users to get a unique API key for each site


  • Fix offline blocked attempt counter
  • Add one-click-clef back in
  • Add information about Pro
  • Add information about our security auditing

  • Allow for graceful fallback if filter_var isn’t available
  • Corrected CloudFlare header


  • Updated API key process to make it even easier (API key is auto-added)
  • Updated Math CAPTCHA error handling to help teach people about login form best practices
  • Updated IP retrieval function to ensure as few false readings as possible


  • Bug fix to the API Endpoint


  • Update API Endpoints


  • Minor bug fixes


  • Continued code improvements
  • Improve troubleshooting options
  • Improve methodology for fetching remote IP… using X_FORWARDED_FOR and HTTP_CLIENT_IP if available
  • Add options for privacy
  • Update icon for 3.8
  • Update interface

  • Remove 1-click clef until we figure out the bug.

  • File got corrupted when uploading to the plugin repository. All better now


  • Bite the bullet and say 1.0
  • Code stabilization and optimization
  • Performance improvements


  • More backwards compatibility

  • Squash a bug which caused an error in older versions of PHP

  • Integrate Clef install
  • Add debug information for hosts, improve copy for sites with broken install

  • Remove left over debug code

  • Fix error with server identification and errors in older versions of PHP
  • Version Codename: I really don’t want to say 1.0

  • Fix error with cached blocks

  • page-now fallback fix

  • Fix bug on local environments

  • Major code rewrite! Every line of code was reviewed, optimized, and made prettier. It can be prettier, though, and we’re going to keep working on that
  • Blocked users from obtaining a key on a local environment
  • Laid groundwork for Clef Integration


  • Add in the ability to whitelist IPs or IP blocks
  • Improve wp-login.php performance via $pagenow — thanks Mark Barnes!

  • Don’t ever block localhost

  • Fixed typo

  • Expired transients now get cleaned up– thanks KirkM, Tevya, David Anderson, and Seebz!

  • Fixed a few PHP parsing notices, thanks Till and clwill!

  • Added hooks: brute_log_failed_attempt and brute_kill_login — both are passed the offending IP address

  • Remove unused code from upcoming functionality.

  • Admin can now prevent other users from seeing BruteProtect statistics
  • Fixed a typo in the admin panel


  • Added a fallback for failed multisite blog count reporting
  • Added the ability to hide BruteProtect stats from network blog dashboards

  • Fixed a minor display issue in

  • Fixed a minor display issue in 0.9.7


  • BruteProtect now supports multisite networks! One key will protect every site in your network, and will always be free for small networks!
  • Fixed API URI logic so that we fall back to non-https if your server doesn’t support SSL
  • Fixed admin config page image (thanks, flick!)
  • Added index.php to prevent directory contents from being displayed (thanks, flick!)


  • Admin-side updates for better compatibility and readability — Thanks again, Michael Cain!


  • Changed API server to HTTPS for increased security
  • Improved domain check method even further
  • Added a “Settings” link to the Plugins page
  • Made things prettier


  • Changed domain check method to reduce API key errors


  • Added hooks in for upcoming remote security and uptime scans


  • Fixed error if Login Lockdown was installed
  • Improve admin styling (thanks Michael Cain!)
  • Added statistics to your dashboard
  • If the API server goes down, we fall back to a math-based human verification