Limit Login Attempts
A WordPress plugin
Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lock out time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
Plugin uses standard actions and filters only.
You can always find the latest version to download here.
- Download and extract plugin files to a folder in your wp-content/plugin directory.
- Activate the plugin through the WordPress admin interface.
- Customize the settings from the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
Requires at least WordPress 2.8, tested up to WordPress 3.1-RC4.
- Loginscreen after failed login with retries remaining
- Loginscreen during lockout
- Administration interface in WordPress 2.7
- Why not reset failed attempts on a successful login?
This is very much by design. Otherwise you could brute force the “admin” password by logging in as your own user every 4th attempt.
- What is this option about site connection and reverse proxy?
A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated.The option default to NOT being behind a proxy — which should be by far the common case.
- How do I know if my site is behind a reverse proxy?
You probably are not or you would know. We show a pretty good guess on the option page. Set the option using this unless you are sure you know better.
What do I do if I get a notice about it being unable to replace wp_get_current_user()?
Limit Login Attempts no longer replaces any pluggable functions.
- Why write a new plugin instead of using Login Lockdown?
When looking at it I was not satisfied with how Login Lockdown solved the technical issues.Then I also found a number of ways to improve things: handle auth cookies login, show users how many login attempts remained and for how long they are locked out. Have the option to notify the admin about lockdowns.