Limit Login Attempts
Limit Login Attempts (PRO) slows down password-guessing bots by locking out repeated failed logins for increasing cool-off periods - simple protection for your sign-in form.
What it does
Section titled “What it does”- Counts failed logins inside a rolling observation window, then locks out the scope.
- Lockout mode: IP address only or IP address + username.
- Base lockout duration plus escalated duration after repeated lockouts.
- Applies across login, and also considers XML-RPC / REST / application-password failure paths where hooked.
- Login Attempts log screen with clear action; optional country lookup via ipwho.is.
- Never block IP addresses allowlist and optional real-IP header for proxies.
- Optional generic login errors that hide remaining-attempt counts.
When to use it
Section titled “When to use it”Enable it if:
- The login form is hit by credential-stuffing or brute-force bots.
- You want temporary lockouts without a full WAF.
- You need a reviewable log of failed attempts.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”- Failed logins before block (default 3)
- Observation window (minutes) (default 60)
- Lockout mode - IP address only / IP address + username
- Lockout duration (minutes) (default 15)
- Escalation threshold and Escalated lockout (minutes) (default 30)
- Log retention (days) (default 30)
- Never block IP addresses
- Real IP header
- Look up country for logged IPs
- Use generic login errors
- Link to View logs
How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules -> Security.
- Toggle Limit Login Attempts on (PRO license required).
- Add your office IP to Never block IP addresses, configure thresholds, save.
- Open Login Attempts logs from the settings link or WP PowerSuite menu as needed.
How to test it
Section titled “How to test it”- Lower Failed logins before block to 2 on staging, then fail login twice from a non-allowlisted IP.
- ✅ Pass: lockout message appears and further logins are blocked until the timer ends.
- ✅ Pass: an entry appears in Login Attempts logs.
- ❌ Fail: confirm license, module enabled, and your IP is not on the never-block list.
Troubleshooting
Section titled “Troubleshooting”- Locked yourself out. Another admin can clear lockouts from logs, or add your IP to the allowlist via WP-CLI/database.
- Lockouts never trigger behind Cloudflare. Leave real IP blank for CF-Connecting-IP auto use, or set a trusted header for other proxies.
- Users see remaining attempt counts. Enable Use generic login errors.
What does Limit Login Attempts do?
It temporarily locks out repeated failed logins by IP or IP plus username, and can log those attempts.
Is Limit Login Attempts free?
No. It is a PRO module and requires an active license.
Where are the logs?
Open View logs from the module settings, or use the Login Attempts screen under WP PowerSuite.
Can I prevent my office IP from being locked?
Yes. Add it under Never block IP addresses (one IPv4 or IPv6 address per line).
How do I turn Limit Login Attempts off?
Go to WP PowerSuite -> Modules, find Limit Login Attempts, and toggle it off.
Developer notes (hooks & filters)
Source: modules/limit-login-attempts/module.php.
Boot: standard · context: admin, frontend, ajax, rest.
Hooks: wp_login_failed, authenticate, wp_authenticate_user, login_errors, rest_authentication_errors, application_password_failed_authentication, XML-RPC abort when locked, cron prune.