Top 6 WordPress Brute Force Attack Protection Plugins

WordPress shares over 30% of all websites on the internet. Your site is running on WordPress? It can be a sitting target for hackers at any time. There are various vulnerabilities on your site that can get attacked, from an unreliable web hosting to outdated versions of WordPress core and themes.

Malicious users also find it particularly easy to log into your site through weak passwords, which is known as brute force attacks. Bots and hackers keep trying usernames and passwords until they successfully log into your site. When landing on your admin areas after testing usernames and passwords over and over again, bots and bad people can steal your data, install malware, or even delete everything on your website.

It’s really important to stay your site away from the brute force attackers and keep it safe. While you can try different solutions such as setting strong passwords or password protecting the admin directory, installing a brute force protection plugin comes as a much simpler way. All you need to do is pick the most suitable plugin and let it handle the job.

This article walks you through the top 6 WordPress brute force attack plugins with their main features as well as advantages and disadvantages that can help you protect your login page and admin dashboard easily. Let’s get cracking!

  1. Jetpack
  2. Limit Login Attempts Reloaded
  3. Brute Force Login Protection
  4. Limit Attempts by BestWebSoft
  5. Botnet Attack Blocker
  6. Brute Force Login Security, Spam Protection & Limit Login Attempts

Best WordPress Brute Force Prevention Plugins Comparison Chart (2019)

Before going into details about these WordPress private plugins, let’s take a look at how well they’re doing:



Active Installs Rating  WordPress Versions

2-Factor Authentication


5+ million

3.9 5.1 or higher


Limit Login Attempts Reloaded

1+ million

4.8 3.0 or higher


Brute Force Login Protection


4.1 2.7.0 or higher


Limit Attempts by BestWebSoft


4.6 3.9 or higher


Botnet Attack Blocker


4.5 3.0.0


Brute Force Login Security, Spam Protection & Limit Login Attempts


4.3 2.0.2 or higher


#1 Jetpack


Offered by WordPress.com, Jetpack provides a complete solution to protect your WordPress website from bots and malware trying to break weak login passwords. It’s known as the biggest plugins in the brute force protection field.

The plugin also helps with spam filtering and downtime monitoring. On top of that, you can scan malware and record changes to your site. The number of spam comments or malicious attacks blocked on your site will be stored in the Brute force attacks & malware protection – On-demand backups and restores settings page.


The 3.9-star rating doesn’t 100% imply that users are unsatisfied with the plugin. In fact, the active installations on over 5 million prove that this is a useful plugin for many.

Besides brute force protection, Jetpack supports site performance and management too. It involves image optimization, mobile responsive design, as well as advanced site stats and analytics for understanding your audience.


  • Provide numerous features apart from security, including performance and site management
  • Offer two-factor authentication (2FA)


  • Request upgrade to use the advanced features

#2 Limit Login Attempts Reloaded


While WordPress allows unlimited login attempts to the admin page which creates a big security vulnerability for hackers, this plugin goes against that.

Upon installation and activation, Limit Login Attempts Reloaded enables users to continuously enter their credential information for a certain number of times only. If any IP addresses try to make further logins, they will be blocked immediately.

This plugin is a good choice to remind visitors about the remaining login attempts. What’s more, they have to wait for a moment (about 10 to 20 minutes) before the last login otherwise the account will get banned temporarily.


In addition, if you’re running a WooCommerce site, it’s possible for you to protect the store’s login page. Multi-site capability is also supported.


  • Protect WooCommerce login pages
  • Prove easy to use
  • Inform remaining login attempts


  • No 2FA available
  • Standard UI

#3 Brute Force Login Protection


Similar to other login attempt limitation plugins, Brute Force Login Protection stops automated scripts and bad guys from entering usernames and passwords to your WordPress login page repeatedly.

Installed on over 20,000 sites and receiving a 4.1-star rating, this plugin is apparently solving the problem.

The clear Settings page with little configuration required makes the plugin really simple to use. It enables you to block an IP address manually by filing the Blocked IPs list.


Similar to Limit Login Attempts Reloaded, this plugin helps slow down a brute force attack by allowing you to delay the login after an unsuccessful trial. Users have a short interval of 5 to 10 minutes between 2 failed login attempts.

In case your admin IP address gets blocked, you need to edit the .htaccess file (if you have FTP access – File Transfer Protocol access) and delete the line “deny from a.b.c.d” (a.b.c.d is your own IP address) to log into your website. What if you don’t have the FTP access? You can only visit your admin panel via another IP address and remove yours from the Blocked IPs list.


  • Slow down brute force attacks
  • Email the administrator when an IP address is temporarily banned
  • Prove simple to use


  • The plugin has been tested with the 2.7.0 WordPress release version only
  • The latest update was in 2 years ago which may lead to security risks for websites

#4 Limit Attempts by BestWebSoft

Limit Attempts by BestWebSoft comes with both free and pro versions that help website owners protect their WordPress site from spam and brute force attacks.

Similar to how most of the other brute force and login attempt limitation plugins work, Limit Attempts by BestWebSoft counts the number of failed credential trials per IP address and temporarily block it in a certain period of time.

Once an IP is blocked, the user from that IP is not able to see the website forms including login, register, lost password.

The Statistics, an outstanding feature of the plugin, lets you manage individual IP addresses, from the number of failed attempts to the number of blockings, and the current status of that IP (blocked or unlocked).


Limit Attempts by BestWebSoft can be integrated with Captcha Pro and Captcha Plus plugins. Accordingly, an incorrect captcha input will be taken as a failed login trial. But keep in mind that this feature is available in the Pro version only.


  • Allow you to manage IP statistics
  • Integrate with CAPTCHA plugins
  • Hide login, registration, and lost password forms after blocking


  • Upgrade to the Pro version to expand the advanced features

#5 Botnet Attack Blocker


Bonet Attack Blocker takes another direction to keep WordPress sites out of brute force attackers and cybercrimes. From the plugin’s developer’s point of view, IP address and location prevention is not efficient enough to lock the bots out.

For example, by using 1,000 computers to enter the login information at the same time with 5 login attempts accepted on each device before the lockout, a person could try up to 5,000 different passwords.

To avoid this limitation, Bonet Attack Blocker basically ignores the differences in IP addresses. It just blocks all admin login attempts after seeing 5 unsuccessful trials (by default) in a specific period of time.

However, the way the plugin operates can cause some problems. Bonet Attack Blocker blocks all admin login attempts coming from different IP addresses after 5 continuous failed trials in total. As a result, it might mistake many users who don’t intend to hack the website.


  • Allow partial IP addresses
  • Add a secret key to bypass the lockdown


  • Might block too many users at the same time even though they are not attackers
  • Haven’t been updated for 2 years

#6 Brute Force Login Security, Spam Protection & Limit Login Attempts


Brute Force Login Security, Spam Protection & Limit Login Attempts from Miniorange is highly recommended to stop automatic scripts from accessing your WordPress admin area recently.

If you need a way to apply the 2-factor authentication, Brute Force Login Security, Spam Protection & Limit Login Attempts is here for help. This plugin brings you the 2-Step Verification feature which adds one more layer of protection to your accounts and helps raise the site security to a higher level.

It’s possible for you to verify emails entered in the login forms. The plugin will connect to the mail server of the registered email to make sure the mailbox exists.

There are other useful features provided by the plugin such as Provides Login Security, User Registrations Security, P monitoring and IP Blacklisting, DOS attacks protection, and strong password enforcement.


  • Offer various features
  • Integrate with social logins
  • Verify emails


  • The plugin is relatively new to most users
  • There are a lot of setting configuration required

Which Is Your Plugin to Prevent Brute Force Attacks?

Installing a plugin guards your WordPress site against brute force attacks and unauthorized logins with ease. You can get rid of password protecting directories or manually adding code to limit access to wp-login.php by IP.

We’ve shown above the top 6 plugins with their main features that can help you take control of brute force cracking. Now it’s your turn to make the decision.

We would love to hear your experiences about the plugin that fits your website best. Share your thoughts in the comment box below. You can also read the article How to Protect Your WordPress Site from Brute Force Attacks to learn about other methods to prevent login information hacking.