Login Delay Shield
Protect your WordPress login against brute-force attacks with progressive delays, IP lockouts, and email alerts.
Getting Started
Login Delay Shield is available on WordPress.org. It requires zero configuration — activate and it works immediately:
- In your WordPress admin, go to Plugins → Add New and search for "Login Delay Shield".
- Click Install Now, then Activate.
- That's it. Failed login attempts are now delayed automatically.
For fine-tuning, navigate to Settings → Login Delay Shield to adjust delay timing, lockout thresholds, IP whitelists, and email alerts.
Configuration
Navigate to Settings → Login Delay Shield in your WordPress admin. The settings page provides:
- Delay mode — Choose between fixed (same delay every failed attempt) or random (random delay within a range to prevent timing attacks).
- Base delay — The initial delay in seconds applied after the first failed login attempt.
- Maximum delay — The upper cap on delay time regardless of the number of failed attempts.
- Lockout threshold — Number of failed attempts before an IP is locked out entirely.
- Lockout duration — How long a locked-out IP remains blocked (in minutes).
Progressive Delays
Delays increase with each consecutive failed login attempt from the same IP address. The formula follows an exponential curve: each failed attempt doubles the delay until the configured maximum is reached.
For example, with a 1-second base delay and 60-second max: the first failure adds 1s, the second 2s, the third 4s, then 8s, 16s, 32s, and all subsequent failures cap at 60s.
Delays reset to zero after a successful login or after the configured reset period (default: 24 hours) without any failed attempts.
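The schedule above can be checked against candidate settings before you apply them. The following Python model is an added example, not the plugin's own code: the class and field names are hypothetical, the lockout threshold and duration are constructed values, and it assumes a lockout triggers when the failure count reaches the threshold and that the count restarts afterwards.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class DelayModel:
    base_delay: float = 1.0      # seconds (the page's example value)
    max_delay: float = 60.0      # seconds (the page's example value)
    lockout_threshold: int = 8   # constructed value, not a plugin default
    lockout_minutes: float = 15  # constructed value, not a plugin default
    reset_hours: float = 24      # default reset period stated on the page
    whitelist: tuple = ()        # trusted IPs or CIDR ranges
    state: dict = field(default_factory=dict)  # ip -> (failures, last_failure, locked_until)

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.whitelist)

    def delay_for(self, failures):
        """Delay after the Nth consecutive failure: base doubled N-1 times, capped."""
        if failures <= 0:
            return 0.0
        delay = self.base_delay
        for _ in range(failures - 1):
            if delay >= self.max_delay:
                break
            delay *= 2
        return min(delay, self.max_delay)

    def on_failure(self, ip, now):
        """Return ("delay", seconds) or ("locked", seconds_remaining); now is epoch seconds."""
        if self.is_whitelisted(ip):
            return ("delay", 0.0)  # whitelisted addresses bypass delays and lockouts
        failures, last, locked_until = self.state.get(ip, (0, None, 0.0))
        if now < locked_until:
            return ("locked", locked_until - now)
        if last is not None and now - last >= self.reset_hours * 3600:
            failures = 0  # quiet for the whole reset period: start over
        failures += 1
        if failures >= self.lockout_threshold:
            locked_until = now + self.lockout_minutes * 60
            self.state[ip] = (0, now, locked_until)  # assumption: count restarts after lockout
            return ("locked", locked_until - now)
        self.state[ip] = (failures, now, locked_until)
        return ("delay", self.delay_for(failures))

    def on_success(self, ip):
        self.state.pop(ip, None)  # a successful login resets the delay to zero
```

Feeding it timestamps from your own failed-login log shows how quickly a given threshold would lock out a legitimate user who mistypes a password, and whether a whitelist entry covers the address you expect.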
IP Management
Manage IP addresses that are affected by login delays:
- Whitelist — Add trusted IP addresses or CIDR ranges that bypass all delays and lockouts. Useful for office IPs or development servers.
- Lockout list — View currently locked-out IPs with their lockout expiration time and failed attempt count.
- Manual unblock — Remove an IP from the lockout list immediately from the admin dashboard.
- XML-RPC protection — Delays also apply to authentication via xmlrpc.php, a common brute-force vector.
Email Alerts
Get notified when suspicious activity occurs on your login page:
- Lockout notifications — Receive an email whenever an IP address is locked out, including the IP, username attempted, and number of failed attempts.
- Digest mode — Instead of individual emails, receive a daily summary of all lockout events.
- Recipients — Notifications are sent to the site admin email by default. Add additional recipients in the settings.
FAQ
What versions of WordPress and PHP are supported?
Login Delay Shield supports WordPress 5.0+ and PHP 7.2+.
Is Login Delay Shield available in other languages?
Yes. Login Delay Shield ships with 18 built-in translations. Additional translations are managed through WordPress.org's translate platform.
Will Login Delay Shield conflict with other security plugins?
Login Delay Shield uses standard WordPress hooks for login authentication. It is compatible with most security plugins, but if another plugin also adds login delays or lockouts, you may want to disable one to avoid double-delays.
What happens if I lock myself out?
If your IP gets locked out, wait for the lockout duration to expire. Alternatively, access your site via FTP/SSH and deactivate the plugin by renaming its folder in wp-content/plugins/. You can also add your IP to the whitelist via wp-config.php using the LDS_WHITELISTED_IPS constant.