WordPress.org

Plugin Reviews

Limit Login Attempts

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

145616

160 reviews
Average Rating
4.7 out of 5 stars
Still works fine..
By , for WP 4.0

I already upgrade my wordpress to 4.0 and it's still work fine.. thx to johanee

extremely useful!
By , for WP 4.0

This plugin saved me from 4800+ false logins in the last 48 hours. I only wish I could download the log file so I could add those IP's to my blacklist.

Mysteriously Broken
By , for WP 4.0

Even though this plugin is no longer under development, it is still being recommended. Unfortunately, I have found some problems with it, and there appear to be at least 2 work-arounds that the script kiddies have found to defect the protection offered by this plugin. I would warn folks NOT to rely on this plugin -- here is an example of a fairly big security hole. Here are two emails I got from limit login attempts yesterday:

WordPress 2:59 AM (16 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

WordPress 10:45 AM (8 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

If you look carefully, you will see that the IP was *NOT* blocked after two lockout for the 72 hours that I had set up when I installed it.

I also discovered that using xmlrpc.php appear to circumvent limit login attempts, so I added this to my .htaccess file:

<Files xmlrpc.php>
Order Deny,Allow
Deny from All
Allow from [my IP address]
</Files>

That apparently wasn't enough, so I added this:

order allow,deny
deny from 104.194.25.
allow from all

I suspect this is a temporary solution, since the script-kiddies have learned how to spoof IP addresses at will.

This plugin gives only a false sense of security in the escalating battle with the blackhats, and the obvious flaws in the plugin lead me to consider it not worth my trust, and leads me to warn others away from it.

Right now, I don't have enough understanding of how things work with WP to go in an try to fix these problems (if they are actually fixable on this level, which is not a forgone conclusion), so I'm still looking for a better approach.

I have installed Ninja WP Firewall, which cut the brute-force attacks *way* down, but did not eliminate them (from over 1000/day, enough to may the site unusable, to fewer than 5 a week). Since there are a few brute-force attacks are still getting through, I predict that whoever discovered the work-around will be selling it to the script-kiddies soon, rendering Ninja WP Firewall essentially useless -- but at least it is still under active development.

Even though I don't expect brute-forcing my very long, randomly-generated password to succeed, 1) the attacks are a damned nuisance, and 2) I am fearful that there may be other security holes I currently don't know about.

There are a few sites on which I am the only person with a login, and I use .htaccess to whitelist my IP. For now, that works pretty well. Next thing to try is to password-protect the wp-admin directory of the sites with more than one user. That will make things less convenient for me as well as the other users, but less so than having to clean up a hacked site.

Must Have!
By , for WP 3.9.1

I think it's a really important plugin.
Be safe.

great plugin
By , for WP 4.0

also works with version 4.0, thanks

Impossible to log in from admin
By ,

After installation, i wasn't not able to connect to admin.

Works very well
By , for WP 3.9.1

I am using it on my french blog. It works very well. You can see the result here: [site link removed]. I also use Register Plus Redux to custome stuff on we login/register page.

Great little plugin!
By , for WP 3.9.1

I am AMAZED every day to see how many hackers try to break into my site every day. Once you install this plugin and realize how important it is... you will be so glad that you've made the choice.

I've written a review of the plugin here: Limit Login Attempts Plugin Review

Great
By , for WP 3.9.1

You really can see the number of attackers who try to login to your website. I had on idea it was this bad!

Awesome
By , for WP 3.8

This plugin work fine

You must log in to submit a review. You can also log in or register using the form near the top of this page.