Title: Limit Login Attempts
Author: Automattic
Published: 15 January 2009
Last modified: 4 April 2023

---


This plugin **hasn’t been tested with the latest 3 major releases of WordPress**.
It may no longer be maintained or supported and may have compatibility issues when
used with more recent versions of WordPress.


# Limit Login Attempts

 By [Automattic](https://profiles.wordpress.org/automattic/)

[Download](https://downloads.wordpress.org/plugin/limit-login-attempts.1.7.2.zip)


## Description

Limit the number of login attempts possible both through normal login as well as
using auth cookies.

By default WordPress allows unlimited login attempts either through the login page
or by sending special cookies. This allows passwords (or hashes) to be brute-force
cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after
a specified limit on retries is reached, making a brute-force attack difficult or
impossible.

Features

 * Limit the number of retry attempts when logging in (for each IP). Fully customizable.
 * Limit the number of attempts to log in using auth cookies in the same way.
 * Informs the user about remaining retries or lockout time on the login page.
 * Optional logging and optional email notification.
 * Handles servers behind a reverse proxy.
 * It is possible to whitelist IPs using a filter. But you probably shouldn’t. 🙂

Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech,
Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian,
Spanish, Swedish, Turkish

Plugin uses standard actions and filters only.

## Screenshots

 * Login screen after failed login with retries remaining
 * Login screen during lockout
 * Administration interface in WordPress 3.0.4

## Installation

 1. Download and extract the plugin files to the wp-content/plugins directory.
 2. Activate the plugin through the WordPress admin interface.
 3. Customize the settings on the options page, if desired. If your server is located
    behind a reverse proxy, make sure to change this setting.

If you have any questions or problems please make a post here: https://wordpress.org/tags/limit-login-attempts

## FAQ

### Why not reset failed attempts on a successful login?

This is very much by design. Otherwise you could brute force the “admin” password
by logging in as your own user every 4th attempt.
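
The effect of that design choice, as an added model (not the plugin's code): a per-IP failure counter replayed with and without a reset on successful login. The class and function names are hypothetical, and the limit of 4 retries is an assumption taken from the "every 4th attempt" wording above.

```python
class RetryLimiter:
    """Minimal per-IP failed-login counter (illustrative model only)."""

    def __init__(self, allowed_retries=4, reset_on_success=False):
        self.allowed_retries = allowed_retries
        self.reset_on_success = reset_on_success
        self.failures = {}   # ip -> failed attempts counted so far
        self.locked = set()  # ips that have hit the limit

    def attempt(self, ip, success):
        """Return True if credentials were checked, False if the IP was already locked out."""
        if ip in self.locked:
            return False
        if success and self.reset_on_success:
            # The behaviour the FAQ rejects: a valid login wipes the counter.
            self.failures.pop(ip, None)
        elif not success:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.allowed_retries:
                self.locked.add(ip)
        return True


def wrong_guesses_checked(limiter, ip, attempts, own_login_every):
    """Replay a constructed sequence from one IP: failed logins against another
    account, with a valid login to the client's own account every Nth attempt.
    Returns how many failed logins were evaluated before lockout stopped them."""
    checked = 0
    for n in range(1, attempts + 1):
        is_own_login = (n % own_login_every == 0)
        processed = limiter.attempt(ip, success=is_own_login)
        if processed and not is_own_login:
            checked += 1
    return checked


def compare(attempts=100):
    """Same traffic against both policies; 203.0.113.5 is a documentation address."""
    keep = RetryLimiter(reset_on_success=False)
    reset = RetryLimiter(reset_on_success=True)
    return (wrong_guesses_checked(keep, "203.0.113.5", attempts, 4),
            wrong_guesses_checked(reset, "203.0.113.5", attempts, 4))
```

With the counter kept across successful logins the address is locked out after its fourth failure; with a reset, the lockout never triggers for this traffic pattern.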

### What is this option about site connection and reverse proxy?

A reverse proxy is a server in between the site and the Internet (perhaps handling
caching or load-balancing). This makes getting the correct client IP to block slightly
more complicated.

The option defaults to NOT being behind a proxy, which should be by far the common
case.

### How do I know if my site is behind a reverse proxy?

You probably are not, or you would know. The options page shows a pretty good guess;
set the option to match it unless you are sure you know better.
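
Why this setting matters for lockouts, as an added sketch (not the plugin's code): the address used as the lockout key must come from the connection itself unless the request really arrived through your own proxy. The function names, the `trusted_proxies` set and the right-to-left `X-Forwarded-For` parsing are assumptions that go beyond the plugin's single on/off option.

```python
import ipaddress


def lockout_key(remote_addr, headers, behind_proxy, trusted_proxies=frozenset()):
    """Return the address that failed logins should be counted against."""
    if not behind_proxy or remote_addr not in trusted_proxies:
        # Direct connection (the default): X-Forwarded-For is client-supplied
        # and must not influence which address gets locked out.
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    # Each proxy appends the peer it saw, so walk from the right and take the
    # first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed or missing header: fall back
        if hop not in trusted_proxies:
            return hop
    return remote_addr


# Constructed sample data (RFC 5737 documentation addresses).
PROXY = "192.0.2.10"
CLIENT = "203.0.113.5"
FORGED = "198.51.100.77"


def distinct_keys(requests, behind_proxy, trusted_proxies=frozenset()):
    """How many separate retry counters a batch of (remote_addr, headers) requests lands in."""
    return len({lockout_key(r, h, behind_proxy, trusted_proxies) for r, h in requests})
```

If the site is behind a proxy but the option says it is not, every visitor shares the proxy's address and one lockout blocks them all; if the option says "proxy" on a directly connected site, the header value is whatever the client sent.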

### Can I whitelist my IP so I don’t get locked out?

First please consider if you really need this. Generally speaking it is not a good
idea to have exceptions to your security policies.

That said, there is now a filter which allows you to do it: “limit_login_whitelist_ip”.

Example:

```php
function my_ip_whitelist($allow, $ip) {
    return ($ip === 'my-ip') ? true : $allow; // replace 'my-ip' with your own address
}
add_filter('limit_login_whitelist_ip', 'my_ip_whitelist', 10, 2);
```

Note that we still do notification and logging as usual. This is meant to allow 
you to be aware of any suspicious activity from whitelisted IPs.

### I locked myself out testing this thing, what do I do?

Either wait, or:

If you know how to edit / add to PHP files you can use the IP whitelist functionality
described above. You should then use the “Restore Lockouts” button on the plugin
settings page and remove the whitelist function again.

If you have ftp / ssh access to the site rename the file
“wp-content/plugins/limit-login-attempts/limit-login-attempts.php” to deactivate the plugin.

If you have access to the database (for example through phpMyAdmin) you can clear
the limit_login_lockouts option in the WordPress options table. In a default setup
this would work:

```sql
UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts';
```

## Reviews

### [Indispensable Plugin! Vital to the health of my site!](https://wordpress.org/support/topic/indispensable-plugin-vital-to-the-health-of-my-site/)

 [wiitguru](https://profiles.wordpress.org/wiitguru/) 15 March 2025

Thanks, Automattic!!!! This plugin has thwarted over 100 hacking attempts on my 
website in the last few months! I won’t operate without this plugin!!!

### [Love this plugin](https://wordpress.org/support/topic/love-this-plugin-1220/)

 [Guido](https://profiles.wordpress.org/guido07111975/) 3 December 2023

I absolutely hate bloated plugins, so I love this one. It’s simple and works as 
expected. Guess it’s wise to use a plugin such as this one, against brute force 
attacks. Guido

### [Exactly what it should be](https://wordpress.org/support/topic/exactly-what-is-should-be/)

 [doreenhawdon](https://profiles.wordpress.org/doreenhawdon/) 1 October 2023

Does what it says on the tin. Like another similar plugin before it became bloatware.
The only feature I would request is the ability to send notifications to another
email address, I like to keep my admin email clean.

### [Getting a lot better.](https://wordpress.org/support/topic/god-awful-plugin/)

 [brightvesseldev](https://profiles.wordpress.org/brightvesseldev/) 21 October 2021

We had initial issues and tried again and it is working better.

### [Interesting](https://wordpress.org/support/topic/interesante-12/)

 [inakijm](https://profiles.wordpress.org/inakijm/) 30 December 2020

It makes things harder for hackers who want to access your blog, since it limits
their number of access attempts.

### [Not maintained but still works](https://wordpress.org/support/topic/not-maintained-but-still-works/)

 [wroot](https://profiles.wordpress.org/wroot/) 29 April 2020

Would be good to get new versions and fix possible security issues (if any), but
it seems to still work.

 [ Read all 202 reviews ](https://wordpress.org/support/plugin/limit-login-attempts/reviews/)

## Contributors & Developers

“Limit Login Attempts” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Automattic ](https://profiles.wordpress.org/automattic/)
 *   [ johanee ](https://profiles.wordpress.org/johanee/)

“Limit Login Attempts” has been translated into 36 locales. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/limit-login-attempts/contributors)
for their contributions.


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/limit-login-attempts/),
check out the [SVN repository](https://plugins.svn.wordpress.org/limit-login-attempts/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/limit-login-attempts/)
by [RSS](https://plugins.trac.wordpress.org/log/limit-login-attempts/?limit=100&mode=stop_on_copy&format=rss).

## Meta

 *  Version **1.7.2**
 *  Last updated **3 years ago**
 *  Active installations **300,000+**
 *  WordPress version **2.8 or higher**
 *  Tested up to **6.2.9**
 *  Languages
 * [Albanian](https://sq.wordpress.org/plugins/limit-login-attempts/), [Bulgarian](https://bg.wordpress.org/plugins/limit-login-attempts/),
   [Catalan](https://ca.wordpress.org/plugins/limit-login-attempts/), [Chinese (China)](https://cn.wordpress.org/plugins/limit-login-attempts/),
   [Chinese (Taiwan)](https://tw.wordpress.org/plugins/limit-login-attempts/), [Croatian](https://hr.wordpress.org/plugins/limit-login-attempts/),
   [Czech](https://cs.wordpress.org/plugins/limit-login-attempts/), [Danish](https://da.wordpress.org/plugins/limit-login-attempts/),
   [Dutch](https://nl.wordpress.org/plugins/limit-login-attempts/), [Dutch (Belgium)](https://nl-be.wordpress.org/plugins/limit-login-attempts/),
   [English (Australia)](https://en-au.wordpress.org/plugins/limit-login-attempts/),
   [English (Canada)](https://en-ca.wordpress.org/plugins/limit-login-attempts/),
   [English (New Zealand)](https://en-nz.wordpress.org/plugins/limit-login-attempts/),
   [English (UK)](https://en-gb.wordpress.org/plugins/limit-login-attempts/), [English (US)](https://wordpress.org/plugins/limit-login-attempts/),
   [Finnish](https://fi.wordpress.org/plugins/limit-login-attempts/), [French (Canada)](https://fr-ca.wordpress.org/plugins/limit-login-attempts/),
   [French (France)](https://fr.wordpress.org/plugins/limit-login-attempts/), [Galician](https://gl.wordpress.org/plugins/limit-login-attempts/),
   [German](https://de.wordpress.org/plugins/limit-login-attempts/), [Hebrew](https://he.wordpress.org/plugins/limit-login-attempts/),
   [Hungarian](https://hu.wordpress.org/plugins/limit-login-attempts/), [Italian](https://it.wordpress.org/plugins/limit-login-attempts/),
   [Japanese](https://ja.wordpress.org/plugins/limit-login-attempts/), [Lithuanian](https://lt.wordpress.org/plugins/limit-login-attempts/),
   [Norwegian (Bokmål)](https://nb.wordpress.org/plugins/limit-login-attempts/),
   [Polish](https://pl.wordpress.org/plugins/limit-login-attempts/), [Portuguese (Brazil)](https://br.wordpress.org/plugins/limit-login-attempts/),
   [Romanian](https://ro.wordpress.org/plugins/limit-login-attempts/), [Russian](https://ru.wordpress.org/plugins/limit-login-attempts/),
   [Slovak](https://sk.wordpress.org/plugins/limit-login-attempts/), [Spanish (Chile)](https://cl.wordpress.org/plugins/limit-login-attempts/),
   [Spanish (Spain)](https://es.wordpress.org/plugins/limit-login-attempts/), [Spanish (Venezuela)](https://ve.wordpress.org/plugins/limit-login-attempts/),
   [Swedish](https://sv.wordpress.org/plugins/limit-login-attempts/), [Turkish](https://tr.wordpress.org/plugins/limit-login-attempts/),
   and [Ukrainian](https://uk.wordpress.org/plugins/limit-login-attempts/).
 *  [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/limit-login-attempts)
 * Tags
 * [authentication](https://gd.wordpress.org/plugins/tags/authentication/),
   [login](https://gd.wordpress.org/plugins/tags/login/),
   [security](https://gd.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://gd.wordpress.org/plugins/limit-login-attempts/advanced/)

## Ratings

 4.6 out of 5 stars.

 *  [  170 5-star reviews     ](https://wordpress.org/support/plugin/limit-login-attempts/reviews/?filter=5)
 *  [  13 4-star reviews     ](https://wordpress.org/support/plugin/limit-login-attempts/reviews/?filter=4)
 *  [  3 3-star reviews     ](https://wordpress.org/support/plugin/limit-login-attempts/reviews/?filter=3)
 *  [  4 2-star reviews     ](https://wordpress.org/support/plugin/limit-login-attempts/reviews/?filter=2)
 *  [  12 1-star reviews     ](https://wordpress.org/support/plugin/limit-login-attempts/reviews/?filter=1)
