What is Limit Login Attempts Reloaded plugin?
Limit Login Attempts Reloaded is a focused WordPress plugin that does one thing: limits the number of failed login attempts per IP address to protect against brute force attacks. WordPress by default allows unlimited login attempts, which makes it trivially easy for automated bots to try thousands of password combinations. This plugin closes that gap with configurable lockout rules.
The plugin was created as a maintained replacement for the original “Limit Login Attempts” plugin that was abandoned. With over 2.5 million active installations and a straightforward implementation, it has become the de facto standard for simple brute force protection on WordPress sites that do not use a full security plugin.
The free version handles IPv4 and IPv6 lockouts, Cloudflare and gateway IP compatibility, configurable lockout duration, email notifications on lockouts, and a log of recent lockout events. A cloud-based Pro version ($7.99/month) adds managed IP blocklists from a global threat database, a dashboard showing attack statistics, and centralized management for multiple sites.
Limit Login Attempts Reloaded is ideal for sites that want brute force protection without installing a full-featured security plugin that adds significant overhead. It works well as a standalone addition or as a supplement to a security plugin that lacks login protection. It should not be confused with a complete security solution — it does not include malware scanning, firewalls, or broader hardening.
Key Features
- Configurable failed login attempt limits before lockout
- Lockout duration and escalating lockout periods
- IPv4 and IPv6 support
- Cloudflare and gateway/proxy IP compatibility
- Safe IP allowlisting
Pros & Cons
Pros
- Extremely simple and focused — does one thing well
- Minimal overhead compared to full security plugins
- 2.5 million+ active installations with proven reliability
Cons
- Not a complete security solution — needs a broader plugin for malware scanning, WAF, and hardening
- Pro pricing ($7.99/month) is expensive for a single-feature plugin
Free vs Premium
The free version covers all core brute force protection. The cloud Pro plan ($7.99/month) adds a managed global threat IP blocklist, multi-site management, and detailed attack analytics.
Common Problems & Fixes
Why is Limit Login Attempts Reloaded not correctly identifying Cloudflare visitor IPs?
When Cloudflare proxies requests, the server sees Cloudflare’s IP rather than the visitor’s. Limit Login Attempts Reloaded needs to be configured to read the real IP from the CF-Connecting-IP or X-Forwarded-For header. Go to the plugin settings and set the “Trusted IP Origins” to use the correct header for your setup. Without this, all brute force attempts appear to come from a single Cloudflare IP, and locking out that IP would block every visitor who reaches the site through Cloudflare.
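A forwarding header is only safe to key lockouts on when the request really arrived through the proxy, because a client connecting directly can set CF-Connecting-IP or X-Forwarded-For to any value. The sketch below is an added example that models that check; it is not the plugin's code, and the function name and the proxy ranges (documentation prefixes) are assumptions.

```python
import ipaddress

# Constructed placeholder ranges (documentation prefixes) standing in for the
# ranges your CDN or gateway actually publishes. Assumption, not real data.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "2001:db8:cf::/48")]


def _parse(value):
    """Return an ip_address object, or None if the string is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, headers):
    """Pick the address a lockout counter should be keyed on (hypothetical helper)."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("invalid peer address")
    # Headers are client-controlled unless the TCP peer is one of our proxies.
    if not _is_trusted(peer):
        return str(peer)
    cf = _parse(headers.get("CF-Connecting-IP", ""))
    if cf is not None:
        return str(cf)
    # X-Forwarded-For: walk right to left. The first hop that is not one of
    # our proxies is the last address a trusted machine actually observed;
    # anything further left may have been supplied by the client.
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: stop trusting the chain
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)
```
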
Why are my own login attempts getting locked out?
If your IP is consistently being locked out after correct logins, a browser or password manager may be submitting cached incorrect credentials. Check for saved but outdated passwords in your browser. Also add your IP address to the plugin’s allowlist (Settings → IP Whitelist) so your IP is never locked regardless of failed attempts.
How do I unlock a blocked IP in Limit Login Attempts Reloaded?
Go to Limit Login Attempts → Logs in the WordPress admin. Find the blocked IP and click the Remove Block or Whitelist option. Alternatively, unlock IPs directly from the plugin’s main dashboard panel where current lockouts are listed.
Customization & Developer Notes
How do I set up escalating lockout periods for repeat offenders?
In the plugin settings, configure both the initial lockout duration (e.g., 20 minutes after 4 failed attempts) and the escalated lockout duration (e.g., 24 hours after N total lockouts). The escalating lockout increases the penalty for IPs that repeatedly try after initial lockouts — discouraging persistent brute force attempts.
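To see what escalation buys, the following added example models the policy described above and counts how many guesses a single IP gets through over time. It is a simplified model, not the plugin's code; the class and function names are hypothetical, and N = 3 is an assumed value since the page leaves N open.

```python
from collections import defaultdict

MAX_RETRIES = 4           # failed attempts before a lockout (page's example)
LOCKOUT_SECS = 20 * 60    # initial lockout: 20 minutes (page's example)
LONG_AFTER = 3            # "N" lockouts before escalation: assumed value
LONG_SECS = 24 * 3600     # escalated lockout: 24 hours (page's example)


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(int)  # ip -> failures since last lockout
        self.lockouts = defaultdict(int)  # ip -> lockouts so far
        self.locked_until = {}            # ip -> time (seconds) the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register one failed login; return the lock duration it caused (0 if none)."""
        if self.is_locked(ip, now):
            return 0  # attempts during a lockout are rejected, not counted
        self.failures[ip] += 1
        if self.failures[ip] < MAX_RETRIES:
            return 0
        self.failures[ip] = 0
        self.lockouts[ip] += 1
        # Repeat offenders get the long lockout once they reach N lockouts.
        duration = LONG_SECS if self.lockouts[ip] >= LONG_AFTER else LOCKOUT_SECS
        self.locked_until[ip] = now + duration
        return duration


def guesses_evaluated(policy, ip, span_secs, interval_secs=60):
    """Count the guesses one IP gets through when it retries every interval."""
    tried = 0
    for now in range(0, span_secs, interval_secs):
        if policy.is_locked(ip, now):
            continue
        tried += 1
        policy.record_failure(ip, now)
    return tried
```

With these values, an IP retrying once a minute gets 12 guesses evaluated in the first hour and only 16 in 48 hours, because the third lockout lasts a full day.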
Can I get email notifications when a lockout occurs?
Yes. In the plugin settings, enable “Notify on lockout” and set the email address for notifications. You can configure the number of lockouts to trigger before sending a notification — setting it to 1 sends an email on every lockout. The email includes the locked IP, the time, and the number of attempts.
Frequently Asked Questions
Is Limit Login Attempts Reloaded needed if I already have Wordfence?
No. Wordfence includes brute force login protection that covers the same use case. Running both creates redundant and potentially conflicting login protection. Use one or the other, not both.
Does this plugin work with WooCommerce login?
Yes. Limit Login Attempts Reloaded protects the standard WordPress login form at wp-login.php, which WooCommerce uses for customer account logins on most store configurations.
Is this compatible with WordPress Multisite?
Yes. The plugin works on multisite installations. On network-activated configurations, it can be managed from the network admin. Lockout settings apply network-wide.
Can bots bypass Limit Login Attempts Reloaded?
Sophisticated bots using distributed IP addresses (rotating through many different IPs) can partially circumvent IP-based lockout by never triggering the threshold from a single IP. For these cases, the Pro plan’s global IP blocklist helps by flagging known bot IPs before they attempt any logins. Additionally, using a custom login URL (via a companion plugin) reduces how often bots target the login page at all.
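A per-IP counter cannot see this pattern, but counting distinct source IPs per targeted username can. The added example below (not part of the plugin) runs both checks over constructed failed-login records; the alert threshold, the window and the record layout are assumptions.

```python
from collections import defaultdict

PER_IP_LIMIT = 4        # failures from one IP that would trigger a lockout
DISTINCT_IP_ALERT = 5   # assumed: distinct IPs failing against one username
WINDOW_SECS = 600       # assumed sliding window for the per-username check

# Constructed sample of failed logins as (time_secs, source_ip, username):
# eight IPs with two failures each against "admin", plus one IP hammering "editor".
SAMPLE = (
    [(1000 + 30 * i, f"192.0.2.{10 + i % 8}", "admin") for i in range(16)]
    + [(1000 + 20 * i, "198.51.100.7", "editor") for i in range(5)]
)


def analyse(events):
    """Return (IPs a per-IP lockout would catch, usernames hit from many IPs)."""
    per_ip = defaultdict(int)
    recent = defaultdict(list)   # username -> [(time, ip)] still inside the window
    locked, flagged = set(), set()
    for ts, ip, user in sorted(events):
        # Per-IP view: this is all an IP-based lockout can see.
        # (Simplification: failures are counted without expiry.)
        per_ip[ip] += 1
        if per_ip[ip] >= PER_IP_LIMIT:
            locked.add(ip)
        # Per-username view: how many different IPs failed recently?
        recent[user] = [(t, i) for t, i in recent[user] if ts - t < WINDOW_SECS]
        recent[user].append((ts, ip))
        if len({i for _, i in recent[user]}) >= DISTINCT_IP_ALERT:
            flagged.add(user)
    return locked, flagged
```

On the sample, only 198.51.100.7 crosses the per-IP limit, while the 16 failures against "admin" never trip a lockout and show up only in the per-username view.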