Are you looking for a Limit Login Attempts Reloaded review to help you decide if it’s the right WordPress security plugin for you?
This plugin can identify potential brute force attacks and lock suspicious accounts automatically. It also has access to a database of known malicious IP addresses and will build a custom blocklist for your site automatically.
In this Limit login Attempts Reloaded review, we’ll look at this popular brute force protection plugin to see whether it’s right for you.
Limit Login Attempts Reloaded Review: Why Use It in WordPress?
By default, WordPress allows an unlimited number of login attempts, which makes your site vulnerable to brute force attacks.
Limit Login Attempts Reloaded is a popular security plugin that helps combat these attacks. It monitors every time someone tries to log into your site using the same Internet Protocol (IP) address or username.
If this person or bot fails to login a certain number of times, then it will block that IP or username automatically, for a period time set by you.
Going further, Limit Login Attempts Reloaded can track how many times the person gets locked out of your site. It will then increase the lockout interval following multiple failed attempts.
If you’re just getting started or have a limited budget, then you can download the lite version of Limit Login Attempts Reloaded from WordPress.org.
This free plugin can block IP addresses and usernames automatically after a certain number of failed attempts. It will also notify you about suspicious activity, and display a privacy warning on the login page to help you comply with GDPR.
However, if you’re using the free version then the load caused by excessive brute fore attacks will count towards your hosting bandwidth. You may even get charged additional fees, depending on your WordPress hosting provider.
With that in mind, the premium plugin comes with a Performance Optimizer that can process excessive login requests in the cloud, without putting extra strain on your servers.
It also blocks known malicious IP addresses automatically, using data from over 10,000 websites in the Limit Login Attempts Reloaded network.
Limit Login Attempts Reloaded Review: The Right Security Plugin for Your WordPress Website?
Hackers may try to access your WordPress admin dashboard using brute force attacks.
The easiest way to protect against these attacks, is to limit how many times a user can attempt to login. With that said, let’s see if Limit Login Attempts Reloaded is the right security plugin for you.
1. Easy to Set Up
Limit Login Attempts Reloaded is easy to use. To start, you can install and activate it just like any other WordPress plugin.
The default settings should work well for most WordPress websites, so you’re protected against brute force attacks straight away. However, if you want to review and fine-tune these default settings, then the plugin has a single screen where you can make these changes.
2. Customizable Lockout Settings
By default, this plugin will automatically block users for 20 minutes following 4 failed login attempts. However, you can change these settings to anything that works for your WordPress blog or website. For example, if you want to boost your website’s security, then you might allow fewer retries or increase the lockout time.
You can also block users for a longer period of time, following multiple lockouts. For example, if a user gets blocked 4 times, then you might lock them out for 24 hours, as this is typically very suspicious behavior.
Finally, you can reset the lockout period once a certain period of time has passed since the last lockout incident. By trying different settings, you can find the perfect balance for your website, blog, or online store.
3. Display Remaining Login Attempts
Sometimes, genuine users may forget their password and risk getting locked out of their account. To help these legitimate users, Limit Login Attempts Reloaded will display how many login attempts they have left.
Legitimate users can then take steps to avoid getting locked out of their account, such as recovering a lost password.
4. Built-in Denylist and Safelist
As already mentioned, Limit Login Attempts Reloaded has a denylist that can block certain usernames, IP addresses, or IP ranges, including IPV6 ranges.
Even better, if you upgrade to the premium plugin, then Limit Login Attempts Reloaded will identify repeated failed login attempts. It will then automatically add these suspicious IP addresses or ranges to its denylist, to protect against future attacks.
Alternatively, Limit Login Attempts Reloaded has a safelist that you can use to whitelist IP addresses, ranges, and usernames that should never get blacklisted.
5. Deny By Country
Another option is to block logins based on country. For example, you might block regions that are known for high cybercrime activities.
You should also consider that many countries have strict data protection laws. With that said, you may decide to restrict access to certain countries, rather than trying to comply with every region’s unique data protection laws.
No matter your motivation, Limit Login Attempts Reloaded has pre-programmed country IP ranges. This allows you to block entire regions, simply by checking a box in the plugin’s settings.
6. Synchronize Lockouts and Blocklists
Do you run multiple websites? Then you can share your lockout data, IP rules, safelist, and denylist between all your domains. This helps to keep all your websites safe, while making network administration much easier.
Even better, if you add a new WordPress website to your network then it’ll immediately inherit all your rules and settings.
Going further, you can view all login activity and user activity across multiple sites, from the same admin dashboard. This makes it easy to spot trends or recurring problems you need to address.
7. Automatic IP Data Backups
The premium Limit Login Attempts Reloaded plugin automatically stores all your active IP data in the cloud, without requiring any manual configuration or maintenance. This means you don’t need to worry about losing this information, and can access your data from any location.
8. Data From 10,000+ Websites
Limit Login Attempts Reloaded collects IP data from thousands of websites in its network, and then uses this information to proactively identify and block potential brute force attacks.
In this way, you can block attacks before they happen.
9. Optimized for Performance
A brute force attack can easily drain your local server resources, especially if that attack is automated. This can affect your website’s performance, and you may even incur extra fees depending on your hosting provider.
Poor performance is bad news for any website, but if you run an online marketplace then it may stop customers from making a purchase. In this way, a brute force attack can immediately affect your income.
The good news is that Limit Login Attempts Reloaded can detect, counter, and block malicious login attempts in the cloud. In this way, you can protect your server resources and avoid extra charges. In addition, your website will continue to work normally and load quickly, even when it’s facing a brute force attack.
10. Automatic Email Alerts
Occasionally, legitimate users may get locked out of their account due to a genuine mistake. However, if the same user gets locked out multiple times then you’ll typically want to know about it. With that said, Limit Login Attempts Reloaded will notify you if the same user gets locked out multiple times.
In this way, you can react to suspicious behavior straight away and help keep your website safe. Limit Login Attempts Reloaded can send these notifications to any email address, and will even send a test message to check that these alerts are working correctly.
Pro Tip: If you don’t receive the test email, then it usually means your WordPress hosting provider hasn’t properly configured the PHP mail()
function. In that case, we recommend using an SMTP service provider and SMTP plugin to send these messages instead.
11. Detailed Logs
Brute force attacks often come from the same IP address, IP range, or username. In that case, it makes sense to identify these attackers and add them to a blocklist.
The good news is that Limit Login Attempts Reloaded automatically tracks every lockout that happens across your website. You can review this information at any point, and then add those users to the plugin’s denylist.
These reports also record the denied IP address, the region it’s from, the lockout duration, and more. You can then use this insight to improve your WordPress security. For example, you might decide to block IP addresses originating from a certain region, or change the lockout duration.
12. Unlock Site Admin
If you type the wrong password too many times, then you may get locked out of your WordPress admin account.
Although this sounds daunting, you can easily recover an account by logging into the Limit Login Attempts Reloaded billing dashboard. Here, simply add your IP address safelist, and you’ll once again have access to your admin account.
Alternatively, if you upgrade to the premium plugin then Limit Login Attempts Reloaded’s team of experts can help you regain admin access. For more on this topic, please see our guide on what to do when you’re locked out of WordPress admin.
13. Avoid Mass User Lockout
Proxy domain servers like CloudFlare, Sucuri, and Nginx may replace a user’s IP address with their own. This means all users will get the same IP address, so blocking one user is the same as blocking all users.
Thankfully, Limit Login Attempts Reloaded can intelligently recognize non-standard IP origins and handle them correctly. If you’re using the premium plugin, then it will handle this situation automatically. Alternatively, if you’re using the free plugin then you can fix this problem using the Trusted IP Origin setting.
14. Export Data
At some point, you may need to share your Limit Login Attempts Reloaded data with people who don’t have access to the WordPress dashboard.
We don’t recommend adding new users simply to share information with other people, as it’s bad for WordPress security. Instead, Limit Login Attempts Reloaded allows you to download IP data as a CSV file, ready to share with other people.
15. Helps With GDPR Compliance
GDPR is a European Union law that aims to give EU citizens more control over their data. If you violate this important privacy law then you may get a fine, or even jail time.
Thankfully, Limit Login Attempts Reloaded lets you display a privacy message on your site’s login screen. By default, this message warns users that their IP address and browser information might be processed by your site’s security plugins.
This helps you comply with GDPR, by clearly stating that you may collect the visitor’s personal data for security purposes.
You can toggle this message on and off in the plugin’s settings, and can even replace it with your own messaging.
This feature also supports shortcodes, so you can go one step further and add a link to your site’s privacy policy, or similar.
16. Disable XMLRPC
XML-RPC is a core WordPress API that allows users to connect to your site using third-party apps, tools, and services. In short, you need XML-RPC enabled to access and publish your blog remotely, such as when you want to use a mobile app to manage your site or connect to automation services like Zapier and Uncanny Automator.
Unfortunately, hackers can gain access to WordPress by exploiting XML-RPC. For that reason, many security experts advise you to disable XML-RPC unless you’re actively using it.
By default, Limit Login Attempts Reloaded will disable XML-PRC on your website, which will help keep your site safe.
17. WordPress Multisite Compatible
Are you using a WordPress multisite network?
Then you’ll be happy to learn that Limit Login Attempts Reloaded supports multisite and even has extra multisite settings.
18. Community and Professional Support
Limit Login Attempts Reloaded is designed to use out-of-the-box, with settings that work well for most WordPress websites. However, brute force attacks are a serious threat, so you may need extra help to secure your site.
With that said, Limit Login Attempts Reloaded has a series of guides that cover important security topics such as how to fix a hacked website, and whether you should change the WordPress ‘admin’ username.
Beyond that, there’s online documentation that you can access 24/7, and a blog.
On the blog, you’ll find a range of tutorials and guides, plus the company’s expert pick of the must have WordPress plugins you may want to use alongside Limit Login Attempts Reloaded.
If you have the free plugin, then you can post to the Limit Login Attempts Reloaded forum on WordPress.org, and get answers to basic questions.
When posting to public support forums, it’s always a good idea to include as much information as possible, so the experts can understand your problem quickly and post a helpful response. For more on this topic, please see our guide on how to properly ask for WordPress support.
Do you prefer one-on-one support? All the premium plans include professional email support, so you can get help directly from the experts.
Limit Login Attempts Reloaded: Pricing and Plans
If you’re just getting started or have a limited budget, then you can download the core Limit Login Attempts Reloaded plugin from WordPress.org.
With this free plugin, you can change the number of failed login attempts before a user gets locked out. You can also change how long the user remains blocked from their account. However, if you want more advanced features then you’ll need to upgrade to the premium plugin.
There are 4 plans to choose from:
- Premium. For $3.33 per month, this plugin can process up to 100k requests in the cloud. It will also automatically block known malicious IPs from accessing your login page and create a detailed log.
- Premium Plus. Priced at $4.58 per month when billed annually, this plan can process up to 200k requests per month. You can also deny requests from specific regions, thanks to a list of pre-programmed IP ranges. With that said, this is a great plan for websites that get lots of traffic.
- Professional. For $6.67 per month, this plan will automatically add malicious IPs to your denylist. The Performance Optimizer can also process up to 300k requests per month, so your pages will load quickly even when your site is under heavy attack.
- Agency. Priced at $18.75 when billed annually, this plan can process up to 100k requests per domain name. You can also easily add and remove domains, so it’s perfect for WordPress development agencies or anyone who manages multiple sites. Alternatively, you can resell this plan to clients, which is ideal if you’re starting your own online business.
Limit Login Attempts Reloaded Review: The Right Security Plugin for Your WordPress Website?
After looking at the features, support options, and pricing, we’re confident that Limit Login Attempts Reloaded is a great security plugin.
It can help protect your site against brute force attacks by automatically blocking suspicious users. It also collects data from thousands of websites in its network and uses that information to identify and block malicious IP addresses on your website.
Beyond that, Limit Login Attempts Reloaded helps you comply with GDPR and other important privacy laws. It can also keep your site running normally even when it’s under attack, by processing thousands of login attempts in the cloud.
We hope this Limit Login Attempts Reloaded review helped you decide whether it’s right for your WordPress website. You can also check out our guide on how to track visitors to your WordPress site, or see our expert pick of the best analytics solutions.
Se questo articolo vi è piaciuto, iscrivetevi al nostro canale YouTube per le esercitazioni video su WordPress. Potete trovarci anche su Twitter e Facebook.
Syed Balkhi
Hey WPBeginner readers,
Did you know you can win exciting prizes by commenting on WPBeginner?
Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
You can get more details about the contest from here.
Start sharing your thoughts below to stand a chance to win!