• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

ReviewsLion

Reviews of online services and software

  • Hosting
  • WordPress Themes
  • SEO Tools
  • Domains
  • Other Topics
    • WordPress Plugins
    • Server Tools
    • Developer Tools
    • Online Businesses
    • VPN
    • Content Delivery Networks

WordPress Brute Force Protection Plugins and Tools

Bruteforce attacks can be dangerous. They’re usually targeted at pages that have a form. In the case of WordPress, the login page of 1000s of websites is bombarded with brute force attacks every day. The attacks can keep the CPU of the server and database server busy and your site may crash or its features may not function. If you’re using weak login credentials, the attacker might also get access to your WP dashboard. To protect your website from such type of attacks or to make the attacks ineffective, you can use the following tools or plugins:

Table of contents:
  • WordPress Brute Force protection plugins and tools
    • Fail2Ban
    • Plugins that prevent brute force attacks.
    • No Captcha reCAPTCHA
    • Limit Login Attempts Reloaded
    • Loginizer
    • Cloudflare

WordPress Brute Force protection plugins and tools

Fail2Ban

If you’ve got root/sudo access to the server, you can use Fail2ban to protect your WordPress website from brute force attacks.

Fail2Ban ships with several filters. To see the list of filters, navigate to the /etc/fail2ban/filters.d directory and run the below command:

ls -ltr

In case you don’t want to use a custom filter that you have designed or found somewhere on the web, you just have to enable the filter by editing the jail.conf file and adding the “enabled=true” option below the “service” or “application” you want fail2ban to monitor. For example, if you’re running a mail server, you can enable the Postfix filter by adding enabled = true below [Postfix].

Fail2ban will monitor the log file every “X” seconds/minutes and will ban the IP address that matches the condition specified in the filter every “N” times.

Fail2Ban uses Linux’s built-in firewall i.e. IPTables to ban IP addresses and it is very effective. Once you install and configure Fail2Ban, you won’t have to install a brute force protection plugin or worry about the attacks (unless you’ve set a weak password).

Fail2Ban saves its activities, the IPs it has found or banned in the Fail2Ban log file. This file is present in the /var/log directory.

Fail2ban

Fail2Ban is a sophisticated tool. In case you’re not able to set it up, you can use the following plugins:

Plugins that prevent brute force attacks.

No Captcha reCAPTCHA

No Captcha Recaptcha

This plugin adds a captcha to the login, registration, and comment forms of the WordPress website. The “Log in” button will be disabled until you or the user who wants to log in to the WordPress dashboard solves the captcha problem. When someone bypasses the challenge, you’ll see a warning in the WordPress dashboard. Once you see the warning, you should check the website’s access log file and find out the IP that is responsible for the Brute Force attack. Once you find the IP, ban it using IPTables. This plugin won’t block the IPs but it will annoy the person who’s flooding your site with a brute force attack. As the “Log in” button won’t be activated unless the person solves the captcha challenge, the attack won’t be a successful one. However, you should keep an eye on the notice generated by the No CAPTCHA reCAPTCHA plugin.

Limit Login Attempts Reloaded

Limit Login Attempts Reloaded

This plugin is similar to Fail2Ban but unlike f2b that users must configure themselves in the command line mode, this plugin offers a GUI based settings interface. Limit Login Attempts doesn’t have ads. This plugin lets you set the “Trusted IP Origins” and the following lockout parameters:

  • Allowed retries, Number of lockout minutes.
  • Hours after which the retries for IP addresses are reset.

The plugin has a “Statistics” section where you can see the number of IPs it has blocked and a list of IP Addresses. LLAR provides an option to make it GDPR compliant.

Loginizer

Loginizer

Loginizer is similar to the above plugin. It lets you set the following values:

  • Max retries, lockout time, max lockouts.
  • Extend lockout, reset Retries.

You can configure this plugin to send an email alert to you after it locks “N” IP addresses. If you know the IPs that are frequently targetting your website, you can blacklist them. To make sure that you’re not blocked from logging in to your website, you can whitelist your IP address in the Loginizer plugin.

Cloudflare

Cloudflare can detect and block internet threats. It checks the IP address of the visitors. If the IP is suspicious, the user will be asked to pass a captcha challenge to prove that he is a human. The captcha page is served by Cloudflare itself. Once the user passes the challenge, he’ll be able to access the page of your website.

I use Fail2Ban to protect my websites. The tool works great and it doesn’t affect the performance of the server. If you don’t have root/sudo access, use one of the 3 plugins I’ve shared above. You can also use Cloudflare.

Filed Under: Best Products Tagged With: Security

About the Author

Pramod has started this site to share honest reviews of WordPress products, hosting, and software. If you have any doubts about a product he has reviewed on this site, you can get in touch with him on LinkedIn.

Related Posts:

  • Guest Posting and Link Building Important for Every Blog [Recomended Plugins and Tips]
    Guest Posting and Link Building Important for Every…
  • Top 6 Plugins for WordPress in 2022: Create and Maintenance Your Website Easy
    Top 6 Plugins for WordPress in 2022: Create and…
  • Understanding Instagram to MP3 Converters
    Instagram to MP3 Converter - Best Tools and How to Use

Primary Sidebar

Recent posts

5 Proven CRM Strategies for Modern Realtors

What is the best alternative to Dopebox?

How to Silence Notifications on iPhone

What is the difference between an internet gateway and a virtual private gateway?

SpyDialer Reverse Phone Lookup and Competitors

How do you put multiple pictures in one story on Snapchat?

Top vMix Alternatives In 2025

How to Download & Install Veeam Agent for Windows 11 or 10

How to Install Claude Code on Ubuntu Linux: A Developer’s Guide

How to Use AI for Mental Health Support in 2025

Footer

WebFactory’s WordPress Plugins

  • UnderConstructionPage
  • WP Reset
  • Google Maps Widget
  • Minimal Coming Soon & Maintenance Mode
  • WP 301 Redirects
  • WP Sticky

Articles you will like

  • 5,000+ Sites that Accept Guest Posts
  • WordPress Maintenance Services Roundup & Comparison
  • What Are the Best Selling WordPress Themes 2019?
  • The Ultimate Guide to WordPress Maintenance for Beginners
  • Ultimate Guide to Creating Redirects in WordPress

Join us

  • Facebook
  • Privacy Policy
  • Contact Us

Affiliate Disclosure: This page may have affiliate links. When you click the link and buy the product or service, I’ll receive a commission.

Copyright © 2025 · Reviewslion

  • Facebook
Like every other site, this one uses cookies too. Read the fine print to learn more. By continuing to browse, you agree to our use of cookies.X