WordPress.org

Plugin Reviews

Limit Login Attempts

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

8 reviews
Average Rating
4.7 out of 5 stars
You are currently viewing the reviews that provided a rating of 1 star.
keeps me (admin) logout
By , for WP 4.5.2

I have the SocialChef theme.
I installed the plugin and activated it.
I return to my home page, and see that it threw me out (logged me out automatically).
That's normal behavior for a security plugin (after activation, cut all the connections).
(1) But when I enter my username/password,
it won't let me back in!
Even my subscribers can't log in!
OK! This is one problem.
------
(2) Whenever a user enters his/her user/pass wrong (more than 3-4 times [I set in the options how many times]), everyone will be logged out automatically!! :|
Even admin.
For example, you have 4 users: A, B, C, D
user A = admin
user B = author
user C = subscriber
user D = subscriber
User D enters his/her user and pass wrong 5 times.
All 4 members will be logged out! :|
-------
(3)
I use a custom login page, which this plugin is not compatible with.
-------
(4)
When you get banned from logging in, there is no message for you to see and warn you: "You are banned!! Try again to log in in 15 minutes!"
No warning messages! :|

Stopped working
By , for WP 4.4.1

I could see it was working for the first week through the Simple History plugin.

However, it stopped limiting logins to 4 attempts and I'm seeing up to 10,000 again now.

It's not to do with updates though as I haven't had time to do that yet.

Garbage
By ,

This plugin is garbage, it kicked me off wp-admin and said "ERROR: Too many failed login attempts. Please try again in 20 minutes.". I was logged in and just activated the plugin...

Not working on my multisite
By ,

Activated it Network-Wide then went to test it by entering a password wrong repeatedly.
After 3 attempts (out of my 4) it kept saying for all subsequent trials: 1 attempt remaining.

Although it did lock me out, it failed to report the lockout.

Mysteriously Broken
By , for WP 4.0

Even though this plugin is no longer under development, it is still being recommended. Unfortunately, I have found some problems with it, and there appear to be at least 2 work-arounds that the script kiddies have found to defeat the protection offered by this plugin. I would warn folks NOT to rely on this plugin -- here is an example of a fairly big security hole. Here are two emails I got from limit login attempts yesterday:

WordPress 2:59 AM (16 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

WordPress 10:45 AM (8 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

If you look carefully, you will see that the IP was *NOT* blocked after two lockouts for the 72 hours that I had set up when I installed it.

I also discovered that using xmlrpc.php appears to circumvent limit login attempts, so I added this to my .htaccess file:

<Files xmlrpc.php>
Order Deny,Allow
Deny from All
Allow from [my IP address]
</Files>

That apparently wasn't enough, so I added this:

order allow,deny
deny from 104.194.25.
allow from all

I suspect this is a temporary solution, since the script-kiddies have learned how to spoof IP addresses at will.

This plugin gives only a false sense of security in the escalating battle with the blackhats, and the obvious flaws in the plugin lead me to consider it not worth my trust, and leads me to warn others away from it.

Right now, I don't have enough understanding of how things work with WP to go in and try to fix these problems (if they are actually fixable on this level, which is not a foregone conclusion), so I'm still looking for a better approach.

I have installed Ninja WP Firewall, which cut the brute-force attacks *way* down, but did not eliminate them (from over 1000/day, enough to make the site unusable, to fewer than 5 a week). Since a few brute-force attacks are still getting through, I predict that whoever discovered the work-around will be selling it to the script-kiddies soon, rendering Ninja WP Firewall essentially useless -- but at least it is still under active development.

Even though I don't expect brute-forcing my very long, randomly-generated password to succeed, 1) the attacks are a damned nuisance, and 2) I am fearful that there may be other security holes I currently don't know about.

There are a few sites on which I am the only person with a login, and I use .htaccess to whitelist my IP. For now, that works pretty well. Next thing to try is to password-protect the wp-admin directory of the sites with more than one user. That will make things less convenient for me as well as the other users, but less so than having to clean up a hacked site.
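
Added example (not part of the review above and not the plugin's code): one way to check from a web server access log whether POSTs to xmlrpc.php are still being served to addresses outside the allow list after a rule like the `<Files xmlrpc.php>` block in the review. The log lines, IP addresses and function names are constructed for illustration, and Apache combined log format is assumed.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Jan/2015:02:58:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:02:58:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:02:59:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:02:59:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:10:45:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2015:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress app"
203.0.113.7 - - [01/Jan/2015:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Both endpoints accept credentials; only wp-login.php is the login form.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def tally(log_text):
    """Count POSTs per (ip, endpoint, status) for the login-capable endpoints."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path in AUTH_ENDPOINTS:
            counts[(m["ip"], path, int(m["status"]))] += 1
    return counts


def unblocked_xmlrpc(counts, allowed_ips):
    """IPs outside the allow list whose xmlrpc.php POSTs were not answered 403."""
    hits = Counter()
    for (ip, path, status), n in counts.items():
        if path == "/xmlrpc.php" and ip not in allowed_ips and status != 403:
            hits[ip] += n
    return dict(hits)


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("served despite allow list:", unblocked_xmlrpc(counts, {"198.51.100.20"}))
```

Run against a log window that starts after the rule was deployed, an empty result from `unblocked_xmlrpc` indicates the deny rule is being applied; in the constructed sample the two 200 responses predate the 403.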

Impossible to log in from admin
By ,

After installation, I wasn't able to connect to admin.

No Longer Under Active Development
By ,

The plugin is unfortunately no longer under active development. It was a very useful plugin while still under active development. Thanks a lot to the developer!

Broken
By , for WP 3.9.1

WTF? Unable to log in as admin to my site after changing password. A quick view of comments in the support tab indicates that several users have experienced this issue for the past 3 months, yet the developer has done nothing to remedy the problem.
