WordPress.org

Plugin Reviews

Limit Login Attempts

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

4 reviews
Average Rating
4.7 out of 5 stars
You are currently viewing the reviews that provided a rating of 1 star. Click here to see all reviews.
Mysteriously Broken
By , for WP 4.0

Even though this plugin is no longer under development, it is still being recommended. Unfortunately, I have found some problems with it, and there appear to be at least 2 work-arounds that the script kiddies have found to defect the protection offered by this plugin. I would warn folks NOT to rely on this plugin -- here is an example of a fairly big security hole. Here are two emails I got from limit login attempts yesterday:

WordPress 2:59 AM (16 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

WordPress 10:45 AM (8 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

If you look carefully, you will see that the IP was *NOT* blocked after two lockout for the 72 hours that I had set up when I installed it.

I also discovered that using xmlrpc.php appear to circumvent limit login attempts, so I added this to my .htaccess file:

<Files xmlrpc.php>
Order Deny,Allow
Deny from All
Allow from [my IP address]
</Files>

That apparently wasn't enough, so I added this:

order allow,deny
deny from 104.194.25.
allow from all

I suspect this is a temporary solution, since the script-kiddies have learned how to spoof IP addresses at will.

This plugin gives only a false sense of security in the escalating battle with the blackhats, and the obvious flaws in the plugin lead me to consider it not worth my trust, and leads me to warn others away from it.

Right now, I don't have enough understanding of how things work with WP to go in an try to fix these problems (if they are actually fixable on this level, which is not a forgone conclusion), so I'm still looking for a better approach.

I have installed Ninja WP Firewall, which cut the brute-force attacks *way* down, but did not eliminate them (from over 1000/day, enough to may the site unusable, to fewer than 5 a week). Since there are a few brute-force attacks are still getting through, I predict that whoever discovered the work-around will be selling it to the script-kiddies soon, rendering Ninja WP Firewall essentially useless -- but at least it is still under active development.

Even though I don't expect brute-forcing my very long, randomly-generated password to succeed, 1) the attacks are a damned nuisance, and 2) I am fearful that there may be other security holes I currently don't know about.

There are a few sites on which I am the only person with a login, and I use .htaccess to whitelist my IP. For now, that works pretty well. Next thing to try is to password-protect the wp-admin directory of the sites with more than one user. That will make things less convenient for me as well as the other users, but less so than having to clean up a hacked site.

Impossible to log in from admin
By ,

After installation, i wasn't not able to connect to admin.

No Longer Under Active Development
By ,

The plugin is unfortunately no longer under active development. It was a very useful plugin while still under active development. Thanks a lot to the developer!

Broken
By , for WP 3.9.1

WTF? Unable to login as admin to my site after changing password. A quick view of comments in the support tab indicates that several users have experienced this issue for past 3 months, yet the developer has done nothing to remedy the problem.

You must log in to submit a review. You can also log in or register using the form near the top of this page.