Best Brute Force Protection Plugins For WordPress

WordPress is the world’s largest blogging platform. That also places it in the position to be the most attacked Content Management System. You can never know when the malicious mind will hack your site. Because you may at any time be a victim of Brute Force attack it is important that you should keep your site safe and secure with a WordPress Brute Force Protection Plugin.

Brute Force attack is one of the scariest thing for any website owner. Especially when your site is running on WordPress, it becomes a pool of opportunities for wrongdoers. Therefore, it becomes the primary need of a developer to keep this list of best WordPress Brute Force Protection Plugins within reach. The Brute Force Protection Plugin for WordPress is great help you to protect your WordPress website or Lock out bad guys.

Weak passwords are one of the major loopholes that lead to website hacking. And that is where you need an extra layer of protection for your site from hackers.

In this post, we have a list of the best WordPress Brute Force protection Plugins for you. But before we move on to look at the recommended plugins, let us briefly provide an understanding of brute force attack.

Read related posts:

4 Things That Will Make Your Website Unhackable

Best WordPress Plugins for Every Website

How A Plugin Installation Can Crash Your Wordpress Website

10 Ways You Can Build Online Trust and Reputation

What is a Brute Force Attack?

Brute force attack is a hit and trial method used to decode login credentials of a website. The hackers use an automated software that tries repetitive consecutive attempts to gain access to a website or a server. And the software keeps trying the unique combinations until it gets in.

So, there are chances that your website can be hacked. With massive speed and recursive actions, attackers might get successful guessing your username and password. That being said, enforcing an additional layer of security is required to deflect any breach attempts.

WordPress has become a widely used platform and as mentioned in the opening paragragh, is the most popular CMS used today due mainly to its flexibility and the availability of a number of plugins. According to BuiltWith and W3Techs WordPress Powers around 31 percent of all websites on the internet. Now that the internet is flooded with the WordPress website so it is required to take Brute Force protection measures to keep them safe and secure.

Now, we can proceed to look at the some of the best WordPress Brute Force Protection Plugins you will need  to give you complete protection against brute force attack.

Best WordPress Brute Force Protection Plugins

  1. Loginizer
  2. Login LockDown
  3. Limit Login Attempts Reloaded
  4. WP Limit Login Attempts
  5. Brute Force Login Protection
  6. Limit Attempts
  7. Limit Login Attempts
  8. WPS Limit Login
  9. BruteGuard

1. Loginizer

Loginizer is one of the best open source and free brute force login protection plugin for WordPress. And Loginizer has enormous 700,000+ active installs. It is filled with many effective features to protect your site from any malicious attack.


    • 700,000+ active installs for Loginizer.
    • It aids you to Whitelist or Blacklist users as per their involvement to your site.
    • It uses reCAPTCHA, two-factor authentication, Passwordless logins etc. so that site data’s authentication can be maintained.
    • Like all other, it also blocks the IP after specific login attempts.


2. Login LockDown

Login LockDown protects your site from the brute force attack by recording the IP address and the timestamp of every failed login attempt. It has over lacks of active installs.


  • Login LockDown keeps the record for the number of login attempts in a certain time span.
  • Login LockDown has 200,000+ active installs.
  • A user will be locked out for 1 hour after user specified number of failed logins attempts.
  • Login LockDown is an open source brute force protection plugin for WordPress.


3. Limit Login Attempts Reloaded

Limit Login Attempts Reloaded simply restrain the login attempts via normal login and via authentic cookies. To stop brute force attack Limit Login Attempts Reloaded plugin uses the technique so that an unauthentic user can get the site’s access.


  • This Limit Login Attempts Reloaded plugin gives you the opportunity to set a definite number of login attempts for a specific IP address. So that no one can hack your information.
  • It follows the GDPR guidelines.
  • Over 200,000 active installs.
  • You can easily Whitelist or Blacklist IPs and Usernames.
  • WooCommerce login page safety is also there.


4. WP Limit Login Attempts

WP Limit Login Attempts is another powerful WordPress brute force protection plugin. to prevent brute force attack. This plugin has 40,000+ active installs and the 4.6 overall ratings.


  • WP Limit Login Attempts, detect bots by Captcha verification.
  • This is a really lightweight and it doesn’t put the load on the site.
  • It strictly follows the GDPR guidelines.
  • WP Limit Login Attempts is an open source.
  • Thousands of happy customers.


5. Brute Force Login Protection

Brute Force Login Protection is a lightweight that helps to provide protection against brute force attacks. Like most others it uses the .htaccess file to help you secure your site from brute force attacks.


  • Brute Force Login Protection restrain the number of login attempts.
  • It gives you the opportunity to block or unblock the IP addresses.
  • Option to Whitelist and Blacklist users.
  • In case of failed login attempts, it can delays the next login attempt in order to throttle the attempting bots.
  • It has over 20,000 active users.

6. Limits Attempts by BestWebSoft

Limits Attempts by BestWebSoft is the amazing plugin which protects the site from brute force attacks and spam. It is compatible with the latest version of WordPress.


  • This plugin will automatically block the IP addresses that try to log in and exceeds the number of login attempts.
  • Manually marking IPs into WhiteList and Blacklist is allowed.
  • You can hide information from the blocked IPs such as login, register.
  • You can show any customized Captcha error message to a blocked user and an invalid attempt.
  • Multilingual support.


7. Limit Login Attempts

Limit Login Attempts is another popular brute force protection plugin for WordPress to guard your site against malicious activities. And the primary objective of this plugin is to provide shelter from brute force attacks.


  • Limit Login Attempts keep track of login attempts and if a bot failed to login in specified time with specified login attempts, then it blocks the IP.
  • It uses Google reCAPTCHA to give spam security.
  • You will see remaining login attempts on the Login page once you entered wrong login details. This is because if you’re a genuine user and have mistakenly entered your login credentials wrong, then you can correct them in your next attempt. And if it is a bot then surely it will be blocked in few tries.
  • It will do Inactive User Logout. That means if a user is not doing anything on the page for a specific time span then it will perform automatic logout.


8. WPS Limit Login

WPS Limit Login is a full-featured brute force login protection plugin for WordPress. By default, WordPress allows to have unlimited login attempts and this makes brute force attack somewhat easy. And there comes WPS Limit Login to rescue your site.


  • WPS Limit Login restrict the number of retry attempts when trying to log in from a particular IP. you can easily customize the number of attempts you want to allow.
  • It provides you multisite compatibility with some additional settings.
  • Security for the WooCommerce login page as well.
  • You can create a Whitelist and a Blacklist for your site.
  • It also confines the number of attempts to use cookies.


9.  BruteGuard – Brute Force Login Protection

BruteGuard – Brute Force Login Protection is a cloud-based brute force protection plugin for WordPress which provides security against botnet attacks.

  • BruteGuard – Brute Force Login Protection plugin for WordPress guard the site from the illegal access via bots.
  • Hundreds of active installs.
  • If it finds any malicious activity, then it immediately blocks the IP across the complete network.

Best WordPress Brute Force Protection Plugins Compared (2018)

Plugins Active Installs Required Wordress Version Tested Up To Ratings
Loginizer 700,000+ 3.0 4.9.8 4.8/5
Login LockDown 200,000+ 3.0 4.9.8 4.6/5
Limit Login Attempts Reloaded 100,000+ 3.0 4.9.8 4.6/5
WP Limit Login Attempts 40,000+ 3.0 4.9.8 4.6/5
Brute Force Login Protection 20,000+ 2.7.0 4.8.7 4.3/5
Limits Attempts by Best Web Soft 10,000+ 3.9 4.9.8 4.6/5
Limit Login Attempts 5,000+ 2.0.2 4..9.8 3.7/5
WPS Limit Login 2,000+ 4.2 4.9.8 5/5
BruteGuard – Brute Force Login Protection 100+ 4.4 4.9.8 5/5


So, Which Brute Force Protection Plugin for WordPress do you choose?

Now that you have gotten the list of Best WordPress Brute Force Protection Plugins, it is time you decide which one you will use for your site. Before you taken a final decision and act on it, remember that haste leads to waste, so we recommend or we would suggest that you take some time to analyze the above-mentioned brute force plugins, and choose wisely as per your needs. They are all good and a combination of one or two can be a perfect decision but do not rush into it. Make a smart choice that serves your needs.

Remember that attackers always look for weak passwords, and the vulnerable sites running outdated versions of WordPress/plugins, so it is highly recommended to keep your sites updated and have a WordPress Brute Force Protection plugin for WordPress.


Additional Tips for Complete WordPress Security

1. Use Complicated Passwords

There are some precautions that you must take while creating passwords

  • Don’t ever use your or website name as the password
  • Don’t use only numeric words or just the alphabets
  • Never use your phone, vehicle number or house address
  • Most importantly never use dictionary words or combinations of dictionary words

What to remember while choosing Passwords

  • Use a mixture of Numeric and alphabets
  • Use both Lower and capital-case alphabets
  • The passwords must include symbols like $,@,%
  • Password must be lengthy at least 8 words. The longer the password, the better for you

Tip for making effective passwords

Yes, a password must be long and the combination of alpha-numeric words. The best way is to construct a sentence then pick the words from it. Here look at the example “I played badminton with my friend’s at 7:00 pm. We bought rackets in $80.

So the passwords look like “Ipbwmf7:p.Wbri$80“. As you can see the password is complicated and easy to remember. It is just for example sack, you can make more complex passcode but creating a sentence could help you remember the long password.

2. Secure Your Admin Area

Building a strong wall around the admin area is an excellent way to add security layer. You can choose specific IP’s using which you can access to the panel. So if someone is not able to access the admin area then how he/she can try to enter into your WordPress site’s dashboard? In this way, you add a specified IP address in the .htaccess file.

Suppose you add the IP address of your home internet connection in the .htaccess file then you can only manage your site by using your that internet connection. So no one can access the site backend settings due to different IP address we defined in the .htaccess file. You can find your IP address using WhatIsMyIP website. Here note that you need a static IP address from your internet provider. So contact them and get and static IP.

  • Now login to your hosting control panel and then click on the “File Manager”.
  • Find the .htaccess in the WordPress installation directory and Edit it.
  • Add the below codes and paste your IP address in place of the
<Files wp-login.php>
order deny,allow
Deny from all
Allow from

Now if you want to access from your office PC, then you need to add the IP address of that connection (Office internet). Just add the line Allow from with that new IP below the old one.

This method works great when using a certain internet connection. If you access from the public wifi connection, then this method is not useful.

3. Two-Factor Authentication

This feature enables the major security layer. Google provides it for its services like Gmail account. With activating two-factor authentication on Gmail account whenever you want to login to your account, it requires phone verification. For enabling such kind of service on WordPress, you need to install a plugin. Two Factor Authentication (Google Authenticator), Clef and Google Authenticator are some of the best plugins for two-factor authentication.

Let’s just discuss the Google Authenticator – Two Factor Authentication which is developed by MiniOrange. After activating the plugin click MiniOrange at the sidebar of the WordPress and Register an account.

There are plenty of options available such as email verification, Google Authenticator, QR code scanning and Push Notification, etc. The plugin also includes SMS and Call verification features. But these are premium features and cost $6/year which is quite affordable.

4. WordPress Security Plugins

After installing the WordPress, it should be your top priority to install the best WordPress Security Plugin. There are plenty of plugins, but we suggest install Sucuri, iThemes or Wordfence. These three are the well-reputed plugins and includes many useful features for free. Sucuri provides malware scan, Login alerts, secret keys status and many other security layers.

On the other hand, iThemes is also an excellent security plugin. It will provide protection against Brute force attacks, specific IP’s, update the secret keys, Database backup and much more. We always use iThemes Security as it is easy to operate and understand.

Moreover, the developers release various updates to fix bugs and security holes time to time to improve WordPress security.

5. Change Login URL

If you don’t want to use the protocol which allows login only from specific IP’s that we discuss at number 2, then changing login URL is effective to secure the WordPress site. People use different internet connections, so that’s mean different IP’s. In this type of situation adding multiple IP’s in .htaccess is not wise.

There are various ways to change the login URL. You change the login URL by just installing a simple plugin. In iThemes security plugin, there is an option named as “Hide Backend” to modify the login URL. There are some other plugins like Rename wp-login.php, WPS Hide Login which also can be used to change the backend login address.

6. Pick Well-Reputed Plugins

Plugins can also become the cause to inject vulnerabilities in your blog. So before installing a plugin check its rating as well as the number of downloads. Higher the number of downloads means the plugin is fine and works perfectly. For example, if there are three plugins by different developers to change the login URL, then you should prefer that plugin with more active installs, frequent updates, and user reviews.

Additionally, when you click on the plugin title a box will open where you can see that how many people rated that plugin as 5 stars or below. And if you want to be overprotected, then look at the other people reviews to know their experience.

7. Secure WordPress Themes/Plugins

Some novice bloggers use cracked themes as they have a limited budget. Do not ever use cracked themes either plugins.


Before Installing a Crack theme, You Must Know:

  • No support is available in case of an issue
  • The developer release updates frequently to cover up the bugs in the theme. But in a crack version, there are no updates, so a big advantage for the hackers to sneak in.
  • Chances are the person who cracked the theme could insert some vulnerable codes in it.

WordPress offer tons of free templates for websites and blog. Yes, these free templates are not fully customizable, but we think there is enough customization for a new blog. But remember that these free templates are far better than the crack versions. Moreover, these are backed by the and get latest updates.

8. Never Use “admin” as Username

If you are using admin as your username, then we think this is the biggest mistake. In cyber-attacks like Brute Force the priority of the hackers to use the default name admin as it is most common.

Some new bloggers think that just keep a strong password is enough, but this is not a good practice. Your WordPress dashboard should not only have a strong password but also a unique user name (i.e., other than common words).

You can change the username either from control panel provided by the hosting provider (cPanel) or by using a plugin like Username Changer. Here you can read the article about how to Change the username with and without installing a plugin.

9. Assign Appropriate Roles

If you are the only person who manages and operates the site, then that’s fine. But if you have a team, i.e., multiple users then you have to assign a particular role to each user. Giving everyone the administrative rights may compromise your WordPress site security. There are different roles like Subscriber, Administrative, Contributor, Author, and Editor, etc. Each role has certain limitations except the Administrator.

At the sidebar of the WordPress dashboard go to Users> All Users. Here you can add the new users as well as assign them roles. You must assign roles carefully especially when you outsource the users.

If you want more information regarding assigning roles, then you may read this article at

10. WordPress Security Keys

This security layer is to protect the user cookies, so that makes it difficult for hackers to crack the password. So what are the cookies? Explaining simply, cookies are small pieces of data/information which stored via a web browser on the user computer. Yes, hackers can break in through cookies. So you have to take steps and to make the encryption of that information.

For this, use WordPress Secret Key Generator. These keys change whenever you refresh the page. So make sure to pick your unique, fresh combination and copy all the keys, i.e., all the lines. Now you need to add these keys in wp-config.php

How to use WordPress Secret Key Generator to Improve Security

  • Login to your Hosting control panel (cPanel)
  • Open the file manager and get into WordPress installation directory (the exact place where the folders like wp-admin, wp-content and wp-includes are.
  • Find the file named as wp-config.php and edit it.
  • Scroll down until you found the following terms

wp-config secret keys

  • Now Paste all the keys which you copy from the Secret Key Generator in place of the old ones. That’s all.

11. Limit Login Attempts

As the name shows, this method put restrictions on the number of attempts for logging in the dashboard. After activating it, there are certain login attempts, and if someone put wrong username or passwords, then it will block that IP for a given period. This way of securing WordPress website is very effective against the Brute Force Attacks. In this type of hacking attack, the bots or program or whatever the thing is, it tries different combinations to enter into the site.

During Automatic installation of WordPress via setup wizard it will ask you if you want to enable the Limit login attempts. If you did not enable the option from there, then don’t worry just install “WP Limit Login Attempts plugin”.

12. Security Checker

Through scanning your site, you can find out the security risks. Sucuri Security Scanner is a free tool to locate the security risks. It will check your website for SPAM, Malware, Blacklisting, and firewall, etc. and provide the recommendations. So keep an eye on it and scan your site frequently.

Along the Sucuri scanner also put your site address in the Google Safe Browsing and it will generate the report that if your site has malicious contents or not?

Some other Best Website Scanners:

13. CloudFlare and SSL

CloudFlare not only improves the performance of your site but also strengthen the WordPress security. They offer free as well as premium plans. At free plan, you can enable DDOS protection and some other security layers.

They also offer SSL certificate for free. SSL implant the additional security layer to your site. The SSL is used to protect the customer’s data like credit card numbers etc. But Now the search engine especially Google consider those sites more secure which are using SSL and give a little boost in search rankings.

14. Create Routine Backups

It is advisable to create the backups frequently. Many best web hosting providers include backup services in their plans without any extra fee. But at the basic plans mostly company impose some kind of constraints on the number of backups and restoration. We always prefer to make a backup by using more than one tools. So you should create a backup through the tool provided by the hosting provider as well as using third party plugin.

VaultPress, BackupBuddy, and Updraftplus are some of the great backup plugins for creating the WordPress site backup. Unfortunately, VaultPress and BackupBuddy did not offer any free service. But Updraftplus offer free and premium services to create whole site’s backup, so that’s great for people having no or low budget. With this plugin, you can also assign schedule that after when to create backups and how many copies of each backup to retain?

15. Secure Web Hosting

Along all the above factors choosing a secure hosting is also very imperative for WordPress sites security. Before buying a hosting account check the company security protocols on their websites. Moreover, in the case of any uncertainty chat with them via Live Chat. In a shared hosting there are multiple users use the same server resources and in case if an account got hacked then chances are other users will also infected.

Secure Hosting Features:

  • Firewall Application
  • Pre-installed RAID
  • Malicious detecting
  • Using the latest programs like PHP etc.
  • SPAM prevention system
  • Daily Backups

WordPress Security Compromised, Now What to Do – How to FIX?

Above security precautions make your WordPress site’s security tougher. But also keep in mind the plan B that if someone breaks in then What to do? First of all, don’t panic and stay calm because you can get back your site back as it was before hacking. Again the above mention precautions are enough to build a strong layer around your WP website.

Is My Site Hacked?

Here are the main indicators to figure out that you have been hacked.

  • Google search result page shows a message like “This Site may be hacked”.
  • Google enlist your site as blacklisted. Sucuri Security Scanner shows blacklist status.
  • The web browser like Google Chrome shows an Alert message to the visitors.
  • The Hosting provider may disable your account.
  • Google Search Console send you an alert message
  • The security scanner shows an alert message that’s why we suggest you scan your site frequently to remain up-to-date about the site security status

Fixing Hacked WordPress Website

  • Change Passwords and Username

After the hacking attack find out if you still have access to the WordPress dashboard. If yes then immediately change the password and username. Also, change the web hosting account login details. Now choose the strongest and powerful password. Use Strong Passwords.

  • Change WordPress Secret Keys

It is the best time to change the secret keys or WordPress Salts. Whenever you change the secret keys, this will log out all the users. Note this is not going to change the passwords it will just log out. Changing these keys might cause the interruption in hacking.

  • Contact your Hosting Provider

Contact your hosting provider’s customer support for help. That’s why it is imperative to check how fast and friendly their support team is. The company has the experts to deals such kind of situations. They not only get you out from this but also helps to retrieve your site. Even some companies maintain a separate line to contact them in case suffering any cyber-attack.

A good hosting provider will always respond to overcome this difficult situation. There are more chances that an affected account may affect the others in shared WordPress hosting. Therefore company not only assist you but also provides the guidelines about the security holes.

  • Restore Backup

Restoring a backup to a safe position when it wasn’t hacked can also get your site out of it. If you made changes and publish the posts daily, then you should also backup your site on a daily basis. If you made a backup on weekly or after more time span then restoring the backup resulting the data loss. So restore to that safe extent where the loss is minimum.

Moreover if possible, then we think you should take the backup creation in your hands. At the end of the day scan your website via above-mentioned scanners and then make a backup manually. We know this add’s more work but this habit saves a lot when you suffer a hacking attack or option for daily backup creation service like VaultPress.

  • Scan for Plugins and Theme

You can also remove the malicious material by deleting the unnecessary themes and plugins. After that scans all the themes and plugins. Use Sucuri or Exploit Scanner to find the suspicious items. These plugins, scan database, comments, and plugins, etc. and then allow you to take necessary actions.

Additionally, you have to scan the themes separately as there are more chances that the hacker put the hack in these.

We suggest you if possible delete the plugins and themes then install the fresh copy. Yes, this act will remove all changes that you made, but it also helps you to make sure that all things are fine.

  • Keep an Eye on the Other Users

You should also take all the users into your consideration especially if you hire some online. It is advisable to keep all the administrative rights in your hands. If you find someone suspicious that have the hands in the hack, then don’t waste time and delete him/her.

Comments (0)

Leave a comment

Powered by Simple Blog