Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
Coppa WPB
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts
Are you looking for a Limit Login Attempts Reloaded review to help you decide if it’s the right WordPress security plugin for you? This plugin can identify potential brute force attacks and lock suspicious accounts automatically. It also has access to a database of known… Per saperne di più »
Hai già usato "Limit Login Attempts Reloaded"? Aggiungi la tua recensione per aiutare la comunità.

Are you looking for a Limit Login Attempts Reloaded review to help you decide if it’s the right WordPress security plugin for you?

This plugin can identify potential brute force attacks and lock suspicious accounts automatically. It also has access to a database of known malicious IP addresses and will build a custom blocklist for your site automatically.

In this Limit login Attempts Reloaded review, we’ll look at this popular brute force protection plugin to see whether it’s right for you.

Limit Login Attempts Reloaded Review: Why Use It in WordPress?

Limit Login Attempts Reloaded Review: Why Use It in WordPress?

By default, WordPress allows an unlimited number of login attempts, which makes your site vulnerable to brute force attacks.

Limit Login Attempts Reloaded is a popular security plugin that helps combat these attacks. It monitors every time someone tries to log into your site using the same Internet Protocol (IP) address or username.

If this person or bot fails to login a certain number of times, then it will block that IP or username automatically, for a period time set by you.

Limit Login Attempts Reloaded Review: Why Use It in WordPress?

Going further, Limit Login Attempts Reloaded can track how many times the person gets locked out of your site. It will then increase the lockout interval following multiple failed attempts.

If you’re just getting started or have a limited budget, then you can download the lite version of Limit Login Attempts Reloaded from WordPress.org.

The lite Limit Login Attempts Reloaded WordPress security plugin

This free plugin can block IP addresses and usernames automatically after a certain number of failed attempts. It will also notify you about suspicious activity, and display a privacy warning on the login page to help you comply with GDPR.

However, if you’re using the free version then the load caused by excessive brute fore attacks will count towards your hosting bandwidth. You may even get charged additional fees, depending on your WordPress hosting provider.

With that in mind, the premium plugin comes with a Performance Optimizer that can process excessive login requests in the cloud, without putting extra strain on your servers.

It also blocks known malicious IP addresses automatically, using data from over 10,000 websites in the Limit Login Attempts Reloaded network.

Limit Login Attempts Reloaded Review: The Right Security Plugin for Your WordPress Website?

Hackers may try to access your WordPress admin dashboard using brute force attacks.

The easiest way to protect against these attacks, is to limit how many times a user can attempt to login. With that said, let’s see if Limit Login Attempts Reloaded is the right security plugin for you.

1. Easy to Set Up

Limit Login Attempts Reloaded is easy to use. To start, you can install and activate it just like any other WordPress plugin.

The default settings should work well for most WordPress websites, so you’re protected against brute force attacks straight away. However, if you want to review and fine-tune these default settings, then the plugin has a single screen where you can make these changes.

The Limit Login Attempts Reloaded security settings

2. Customizable Lockout Settings

By default, this plugin will automatically block users for 20 minutes following 4 failed login attempts. However, you can change these settings to anything that works for your WordPress blog or website. For example, if you want to boost your website’s security, then you might allow fewer retries or increase the lockout time.

How to limit login attempts and protect against brute force attacks

You can also block users for a longer period of time, following multiple lockouts. For example, if a user gets blocked 4 times, then you might lock them out for 24 hours, as this is typically very suspicious behavior.

Finally, you can reset the lockout period once a certain period of time has passed since the last lockout incident. By trying different settings, you can find the perfect balance for your website, blog, or online store.

3. Display Remaining Login Attempts

Sometimes, genuine users may forget their password and risk getting locked out of their account. To help these legitimate users, Limit Login Attempts Reloaded will display how many login attempts they have left.

Viewing the remaining login attempts in the WordPress dashboard

Legitimate users can then take steps to avoid getting locked out of their account, such as recovering a lost password.

4. Built-in Denylist and Safelist

As already mentioned, Limit Login Attempts Reloaded has a denylist that can block certain usernames, IP addresses, or IP ranges, including IPV6 ranges.

Blacklisting IP addresses, IP ranges, and usernames

Even better, if you upgrade to the premium plugin, then Limit Login Attempts Reloaded will identify repeated failed login attempts. It will then automatically add these suspicious IP addresses or ranges to its denylist, to protect against future attacks.

Alternatively, Limit Login Attempts Reloaded has a safelist that you can use to whitelist IP addresses, ranges, and usernames that should never get blacklisted.

5. Deny By Country

Another option is to block logins based on country. For example, you might block regions that are known for high cybercrime activities.

You should also consider that many countries have strict data protection laws. With that said, you may decide to restrict access to certain countries, rather than trying to comply with every region’s unique data protection laws.

No matter your motivation, Limit Login Attempts Reloaded has pre-programmed country IP ranges. This allows you to block entire regions, simply by checking a box in the plugin’s settings.

Restricting access based on regions and geographical location

6. Synchronize Lockouts and Blocklists

Do you run multiple websites? Then you can share your lockout data, IP rules, safelist, and denylist between all your domains. This helps to keep all your websites safe, while making network administration much easier.

Even better, if you add a new WordPress website to your network then it’ll immediately inherit all your rules and settings.

Going further, you can view all login activity and user activity across multiple sites, from the same admin dashboard. This makes it easy to spot trends or recurring problems you need to address.

7. Automatic IP Data Backups

The premium Limit Login Attempts Reloaded plugin automatically stores all your active IP data in the cloud, without requiring any manual configuration or maintenance. This means you don’t need to worry about losing this information, and can access your data from any location.

8. Data From 10,000+ Websites

Limit Login Attempts Reloaded collects IP data from thousands of websites in its network, and then uses this information to proactively identify and block potential brute force attacks.

In this way, you can block attacks before they happen.

9. Optimized for Performance

A brute force attack can easily drain your local server resources, especially if that attack is automated. This can affect your website’s performance, and you may even incur extra fees depending on your hosting provider.

Poor performance is bad news for any website, but if you run an online marketplace then it may stop customers from making a purchase. In this way, a brute force attack can immediately affect your income.

The good news is that Limit Login Attempts Reloaded can detect, counter, and block malicious login attempts in the cloud. In this way, you can protect your server resources and avoid extra charges. In addition, your website will continue to work normally and load quickly, even when it’s facing a brute force attack.

10. Automatic Email Alerts

Occasionally, legitimate users may get locked out of their account due to a genuine mistake. However, if the same user gets locked out multiple times then you’ll typically want to know about it. With that said, Limit Login Attempts Reloaded will notify you if the same user gets locked out multiple times.

How to send email notifications about security breaches

In this way, you can react to suspicious behavior straight away and help keep your website safe. Limit Login Attempts Reloaded can send these notifications to any email address, and will even send a test message to check that these alerts are working correctly.

Pro Tip: If you don’t receive the test email, then it usually means your WordPress hosting provider hasn’t properly configured the PHP mail() function. In that case, we recommend using an SMTP service provider and SMTP plugin to send these messages instead.

11. Detailed Logs

Brute force attacks often come from the same IP address, IP range, or username. In that case, it makes sense to identify these attackers and add them to a blocklist.

The good news is that Limit Login Attempts Reloaded automatically tracks every lockout that happens across your website. You can review this information at any point, and then add those users to the plugin’s denylist.

These reports also record the denied IP address, the region it’s from, the lockout duration, and more. You can then use this insight to improve your WordPress security. For example, you might decide to block IP addresses originating from a certain region, or change the lockout duration.

12. Unlock Site Admin

If you type the wrong password too many times, then you may get locked out of your WordPress admin account.

Although this sounds daunting, you can easily recover an account by logging into the Limit Login Attempts Reloaded billing dashboard. Here, simply add your IP address safelist, and you’ll once again have access to your admin account.

Alternatively, if you upgrade to the premium plugin then Limit Login Attempts Reloaded’s team of experts can help you regain admin access. For more on this topic, please see our guide on what to do when you’re locked out of WordPress admin.

13. Avoid Mass User Lockout

Proxy domain servers like CloudFlare, Sucuri, and Nginx may replace a user’s IP address with their own. This means all users will get the same IP address, so blocking one user is the same as blocking all users.

Thankfully, Limit Login Attempts Reloaded can intelligently recognize non-standard IP origins and handle them correctly. If you’re using the premium plugin, then it will handle this situation automatically. Alternatively, if you’re using the free plugin then you can fix this problem using the Trusted IP Origin setting.

How to whitelist IP addresses

14. Export Data

At some point, you may need to share your Limit Login Attempts Reloaded data with people who don’t have access to the WordPress dashboard.

We don’t recommend adding new users simply to share information with other people, as it’s bad for WordPress security. Instead, Limit Login Attempts Reloaded allows you to download IP data as a CSV file, ready to share with other people.

15. Helps With GDPR Compliance

GDPR is a European Union law that aims to give EU citizens more control over their data. If you violate this important privacy law then you may get a fine, or even jail time.

Thankfully, Limit Login Attempts Reloaded lets you display a privacy message on your site’s login screen. By default, this message warns users that their IP address and browser information might be processed by your site’s security plugins.

An example of a privacy and GDPR compliance warnings, on a WordPress blog or website

This helps you comply with GDPR, by clearly stating that you may collect the visitor’s personal data for security purposes.

You can toggle this message on and off in the plugin’s settings, and can even replace it with your own messaging.

How to create a GDPR compliant WordPress blog, website, or online store

This feature also supports shortcodes, so you can go one step further and add a link to your site’s privacy policy, or similar.

16. Disable XMLRPC 

XML-RPC is a core WordPress API that allows users to connect to your site using third-party apps, tools, and services. In short, you need XML-RPC enabled to access and publish your blog remotely, such as when you want to use a mobile app to manage your site or connect to automation services like Zapier and Uncanny Automator.

Unfortunately, hackers can gain access to WordPress by exploiting XML-RPC. For that reason, many security experts advise you to disable XML-RPC unless you’re actively using it.

By default, Limit Login Attempts Reloaded will disable XML-PRC on your website, which will help keep your site safe.

17. WordPress Multisite Compatible

Are you using a WordPress multisite network?

Then you’ll be happy to learn that Limit Login Attempts Reloaded supports multisite and even has extra multisite settings.

18. Community and Professional Support

Limit Login Attempts Reloaded is designed to use out-of-the-box, with settings that work well for most WordPress websites. However, brute force attacks are a serious threat, so you may need extra help to secure your site.

With that said, Limit Login Attempts Reloaded has a series of guides that cover important security topics such as how to fix a hacked website, and whether you should change the WordPress ‘admin’ username.

An example of an online knowledge base

Beyond that, there’s online documentation that you can access 24/7, and a blog.

On the blog, you’ll find a range of tutorials and guides, plus the company’s expert pick of the must have WordPress plugins you may want to use alongside Limit Login Attempts Reloaded.

An example of a security-focused WordPress blog

If you have the free plugin, then you can post to the Limit Login Attempts Reloaded forum on WordPress.org, and get answers to basic questions.

When posting to public support forums, it’s always a good idea to include as much information as possible, so the experts can understand your problem quickly and post a helpful response. For more on this topic, please see our guide on how to properly ask for WordPress support.

Do you prefer one-on-one support? All the premium plans include professional email support, so you can get help directly from the experts.

Limit Login Attempts Reloaded: Pricing and Plans

If you’re just getting started or have a limited budget, then you can download the core Limit Login Attempts Reloaded plugin from WordPress.org.

With this free plugin, you can change the number of failed login attempts before a user gets locked out. You can also change how long the user remains blocked from their account. However, if you want more advanced features then you’ll need to upgrade to the premium plugin.

The Limit Login Attempts Reloaded pricing and plans

There are 4 plans to choose from:

  • Premium. For $3.33 per month, this plugin can process up to 100k requests in the cloud. It will also automatically block known malicious IPs from accessing your login page and create a detailed log.
  • Premium Plus. Priced at $4.58 per month when billed annually, this plan can process up to 200k requests per month. You can also deny requests from specific regions, thanks to a list of pre-programmed IP ranges. With that said, this is a great plan for websites that get lots of traffic.
  • Professional. For $6.67 per month, this plan will automatically add malicious IPs to your denylist. The Performance Optimizer can also process up to 300k requests per month, so your pages will load quickly even when your site is under heavy attack.
  • Agency. Priced at $18.75 when billed annually, this plan can process up to 100k requests per domain name. You can also easily add and remove domains, so it’s perfect for WordPress development agencies or anyone who manages multiple sites. Alternatively, you can resell this plan to clients, which is ideal if you’re starting your own online business.

Limit Login Attempts Reloaded Review: The Right Security Plugin for Your WordPress Website?

After looking at the features, support options, and pricing, we’re confident that Limit Login Attempts Reloaded is a great security plugin.

It can help protect your site against brute force attacks by automatically blocking suspicious users. It also collects data from thousands of websites in its network and uses that information to identify and block malicious IP addresses on your website.

Beyond that, Limit Login Attempts Reloaded helps you comply with GDPR and other important privacy laws. It can also keep your site running normally even when it’s under attack, by processing thousands of login attempts in the cloud.

We hope this Limit Login Attempts Reloaded review helped you decide whether it’s right for your WordPress website. You can also check out our guide on how to track visitors to your WordPress site, or see our expert pick of the best analytics solutions.

Se questo articolo vi è piaciuto, iscrivetevi al nostro canale YouTube per le esercitazioni video su WordPress. Potete trovarci anche su Twitter e Facebook.

Il kit di strumenti WordPress definitivo

Ottenete l'accesso gratuito al nostro kit di strumenti - una raccolta di prodotti e risorse relative a WordPress che ogni professionista dovrebbe avere!

Divulgazione: I nostri contenuti sono sostenuti dai lettori. Ciò significa che se cliccate su alcuni dei nostri link, potremmo guadagnare una commissione. Vedi come WPBeginner è finanziato , perché è importante e come puoi sostenerci. Ecco il nostro processo editoriale .

Reader Interactions

Limit Login Attempts Reloaded Recensioni degli utenti

Non ci sono recensioni degli utenti per Limit Login Attempts Reloaded in questo momento.
Condividi la tua recensione su Limit Login Attempts Reloaded per aiutare gli altri utenti della comunità.

Lascia un commento

Grazie per aver scelto di lasciare una recensione. Si prega di tenere presente che tutte le recensioni sono moderate in base alle nostre politica dei commenti e il vostro indirizzo e-mail NON sarà pubblicato. Non utilizzare parole chiave nel campo del nome. Avremo una conversazione personale e significativa.

Valutazione: