Stop Brute-Force Attacks Cold

Simple, effective login protection for WordPress. Progressive delays, custom login URL, and trend analytics make brute-force attacks impractical — and it works right out of the box.

Download Free View on GitHub Documentation

Languages

XML-RPC

Protected

Zero

Config Needed

100%

Free & Open Source

How It Works

Failed logins get delayed. Successful logins stay instant. It's that simple.

1st failed login +3 second delay

2nd failed login +6 second delay

5th failed login IP locked out

Correct password Instant login

Features

Practical tools to keep your WordPress login safe, with nothing extra getting in the way.

Login Delay

Add a configurable delay after failed login attempts. Choose between fixed or random delays to slow down automated attacks.

Progressive Throttling

Delays grow with each consecutive failure. The first attempt gets a small delay; subsequent ones take progressively longer.

IP Lockout

Automatically lock out IP addresses after too many failed attempts. The lockout duration grows with repeated offenses.

IP Whitelist

Exempt trusted IP addresses from delays and lockouts. Useful for office IPs, VPNs, and development environments.

Email Alerts

Get notified when IP addresses get locked out, so you know when someone is trying to break in.

Failed Login Log

Track all failed login attempts with IP address, username, and timestamp. Filter by source, IP, or date range and export results as CSV.

XML-RPC & API Protection

Protect XML-RPC, REST API, and application-password authentication against brute-force attacks.

Custom Login URL

Move your login page from /wp-login.php to a custom URL slug. Login, logout, lost password, and password reset all route through the custom URL.

Trend Analytics

7-day trends panel with daily totals, top attacking IPs, and most targeted usernames. See patterns at a glance from your dashboard.

18 Languages

Translated into 18 languages including English, Spanish, French, German, and more. Ready for international sites.

2FA Health Check

The settings page checks for an active two-factor authentication plugin and tells you which one is installed, or recommends adding one if none is found.

Object Cache Notice

On sites without a persistent object cache, the settings page flags the potential database load from transient reads so you can make an informed choice about adding Redis or Memcached.

Why It Matters

Brute-force attacks are the #1 threat to WordPress sites. Automated bots can attempt thousands of password combinations per minute against an unprotected login page.

A simple 5-second delay reduces attack throughput from 1,000+ attempts per minute to just 12. Add progressive throttling and IP lockout on top, and Login Delay Shield makes brute-force attacks impractical. Legitimate users never notice a thing.