Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts
Limit Login Attempts Reloaded is a popular security plugin that protects you from brute force attacks. It can also block malicious IPs and process requests in the cloud, to keep your site running smoothly.
Have you used "Limit Login Attempts Reloaded" before? Add Your Review to help the community.


  • WordPress security plugin
  • Protect against brute force attacks
  • Limit login attempts and block users automatically
  • Deny by country
  • Process thousands of login attempts in the cloud
  • Automatically block malicious IP addresses
  • Email security notifications

WPBeginner users can save up to 58%!

Visit Limit Login Attempts Reloaded

(this discount will be applied automatically)

Limit Login Attempts Reloaded Review: The Right Security Plugin for You?

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you looking for a Limit Login Attempts Reloaded review to help you decide if it’s the right WordPress security plugin for you?

This plugin can identify potential brute force attacks and lock suspicious accounts automatically. It also has access to a database of known malicious IP addresses and will build a custom blocklist for your site automatically.

In this Limit login Attempts Reloaded review, we’ll look at this popular brute force protection plugin to see whether it’s right for you.

Limit Login Attempts Reloaded Review: Why Use It in WordPress?

Limit Login Attempts Reloaded Review: Why Use It in WordPress?

By default, WordPress allows an unlimited number of login attempts, which makes your site vulnerable to brute force attacks.

Limit Login Attempts Reloaded is a popular security plugin that helps combat these attacks. It monitors every time someone tries to log into your site using the same Internet Protocol (IP) address or username.

If this person or bot fails to login a certain number of times, then it will block that IP or username automatically, for a period time set by you.

Limit Login Attempts Reloaded Review: Why Use It in WordPress?

Going further, Limit Login Attempts Reloaded can track how many times the person gets locked out of your site. It will then increase the lockout interval following multiple failed attempts.

If you’re just getting started or have a limited budget, then you can download the lite version of Limit Login Attempts Reloaded from

The lite Limit Login Attempts Reloaded WordPress security plugin

This free plugin can block IP addresses and usernames automatically after a certain number of failed attempts. It will also notify you about suspicious activity, and display a privacy warning on the login page to help you comply with GDPR.

However, if you’re using the free version then the load caused by excessive brute fore attacks will count towards your hosting bandwidth. You may even get charged additional fees, depending on your WordPress hosting provider.

With that in mind, the premium plugin comes with a Performance Optimizer that can process excessive login requests in the cloud, without putting extra strain on your servers.

It also blocks known malicious IP addresses automatically, using data from over 10,000 websites in the Limit Login Attempts Reloaded network.

Limit Login Attempts Reloaded Review: The Right Security Plugin for Your WordPress Website?

Hackers may try to access your WordPress admin dashboard using brute force attacks.

The easiest way to protect against these attacks, is to limit how many times a user can attempt to login. With that said, let’s see if Limit Login Attempts Reloaded is the right security plugin for you.

1. Easy to Set Up

Limit Login Attempts Reloaded is easy to use. To start, you can install and activate it just like any other WordPress plugin.

The default settings should work well for most WordPress websites, so you’re protected against brute force attacks straight away. However, if you want to review and fine-tune these default settings, then the plugin has a single screen where you can make these changes.

The Limit Login Attempts Reloaded security settings

2. Customizable Lockout Settings

By default, this plugin will automatically block users for 20 minutes following 4 failed login attempts. However, you can change these settings to anything that works for your WordPress blog or website. For example, if you want to boost your website’s security, then you might allow fewer retries or increase the lockout time.

How to limit login attempts and protect against brute force attacks

You can also block users for a longer period of time, following multiple lockouts. For example, if a user gets blocked 4 times, then you might lock them out for 24 hours, as this is typically very suspicious behavior.

Finally, you can reset the lockout period once a certain period of time has passed since the last lockout incident. By trying different settings, you can find the perfect balance for your website, blog, or online store.

3. Display Remaining Login Attempts

Sometimes, genuine users may forget their password and risk getting locked out of their account. To help these legitimate users, Limit Login Attempts Reloaded will display how many login attempts they have left.

Viewing the remaining login attempts in the WordPress dashboard

Legitimate users can then take steps to avoid getting locked out of their account, such as recovering a lost password.

4. Built-in Denylist and Safelist

As already mentioned, Limit Login Attempts Reloaded has a denylist that can block certain usernames, IP addresses, or IP ranges, including IPV6 ranges.

Blacklisting IP addresses, IP ranges, and usernames

Even better, if you upgrade to the premium plugin, then Limit Login Attempts Reloaded will identify repeated failed login attempts. It will then automatically add these suspicious IP addresses or ranges to its denylist, to protect against future attacks.

Alternatively, Limit Login Attempts Reloaded has a safelist that you can use to whitelist IP addresses, ranges, and usernames that should never get blacklisted.

5. Deny By Country

Another option is to block logins based on country. For example, you might block regions that are known for high cybercrime activities.

You should also consider that many countries have strict data protection laws. With that said, you may decide to restrict access to certain countries, rather than trying to comply with every region’s unique data protection laws.

No matter your motivation, Limit Login Attempts Reloaded has pre-programmed country IP ranges. This allows you to block entire regions, simply by checking a box in the plugin’s settings.

Restricting access based on regions and geographical location

6. Synchronize Lockouts and Blocklists

Do you run multiple websites? Then you can share your lockout data, IP rules, safelist, and denylist between all your domains. This helps to keep all your websites safe, while making network administration much easier.

Even better, if you add a new WordPress website to your network then it’ll immediately inherit all your rules and settings.

Going further, you can view all login activity and user activity across multiple sites, from the same admin dashboard. This makes it easy to spot trends or recurring problems you need to address.

7. Automatic IP Data Backups

The premium Limit Login Attempts Reloaded plugin automatically stores all your active IP data in the cloud, without requiring any manual configuration or maintenance. This means you don’t need to worry about losing this information, and can access your data from any location.

8. Data From 10,000+ Websites

Limit Login Attempts Reloaded collects IP data from thousands of websites in its network, and then uses this information to proactively identify and block potential brute force attacks.

In this way, you can block attacks before they happen.

9. Optimized for Performance

A brute force attack can easily drain your local server resources, especially if that attack is automated. This can affect your website’s performance, and you may even incur extra fees depending on your hosting provider.

Poor performance is bad news for any website, but if you run an online marketplace then it may stop customers from making a purchase. In this way, a brute force attack can immediately affect your income.

The good news is that Limit Login Attempts Reloaded can detect, counter, and block malicious login attempts in the cloud. In this way, you can protect your server resources and avoid extra charges. In addition, your website will continue to work normally and load quickly, even when it’s facing a brute force attack.

10. Automatic Email Alerts

Occasionally, legitimate users may get locked out of their account due to a genuine mistake. However, if the same user gets locked out multiple times then you’ll typically want to know about it. With that said, Limit Login Attempts Reloaded will notify you if the same user gets locked out multiple times.

How to send email notifications about security breaches

In this way, you can react to suspicious behavior straight away and help keep your website safe. Limit Login Attempts Reloaded can send these notifications to any email address, and will even send a test message to check that these alerts are working correctly.

Pro Tip: If you don’t receive the test email, then it usually means your WordPress hosting provider hasn’t properly configured the PHP mail() function. In that case, we recommend using an SMTP service provider and SMTP plugin to send these messages instead.

11. Detailed Logs

Brute force attacks often come from the same IP address, IP range, or username. In that case, it makes sense to identify these attackers and add them to a blocklist.

The good news is that Limit Login Attempts Reloaded automatically tracks every lockout that happens across your website. You can review this information at any point, and then add those users to the plugin’s denylist.

These reports also record the denied IP address, the region it’s from, the lockout duration, and more. You can then use this insight to improve your WordPress security. For example, you might decide to block IP addresses originating from a certain region, or change the lockout duration.

12. Unlock Site Admin

If you type the wrong password too many times, then you may get locked out of your WordPress admin account.

Although this sounds daunting, you can easily recover an account by logging into the Limit Login Attempts Reloaded billing dashboard. Here, simply add your IP address safelist, and you’ll once again have access to your admin account.

Alternatively, if you upgrade to the premium plugin then Limit Login Attempts Reloaded’s team of experts can help you regain admin access. For more on this topic, please see our guide on what to do when you’re locked out of WordPress admin.

13. Avoid Mass User Lockout

Proxy domain servers like CloudFlare, Sucuri, and Nginx may replace a user’s IP address with their own. This means all users will get the same IP address, so blocking one user is the same as blocking all users.

Thankfully, Limit Login Attempts Reloaded can intelligently recognize non-standard IP origins and handle them correctly. If you’re using the premium plugin, then it will handle this situation automatically. Alternatively, if you’re using the free plugin then you can fix this problem using the Trusted IP Origin setting.

How to whitelist IP addresses

14. Export Data

At some point, you may need to share your Limit Login Attempts Reloaded data with people who don’t have access to the WordPress dashboard.

We don’t recommend adding new users simply to share information with other people, as it’s bad for WordPress security. Instead, Limit Login Attempts Reloaded allows you to download IP data as a CSV file, ready to share with other people.

15. Helps With GDPR Compliance

GDPR is a European Union law that aims to give EU citizens more control over their data. If you violate this important privacy law then you may get a fine, or even jail time.

Thankfully, Limit Login Attempts Reloaded lets you display a privacy message on your site’s login screen. By default, this message warns users that their IP address and browser information might be processed by your site’s security plugins.

An example of a privacy and GDPR compliance warnings, on a WordPress blog or website

This helps you comply with GDPR, by clearly stating that you may collect the visitor’s personal data for security purposes.

You can toggle this message on and off in the plugin’s settings, and can even replace it with your own messaging.

How to create a GDPR compliant WordPress blog, website, or online store

This feature also supports shortcodes, so you can go one step further and add a link to your site’s privacy policy, or similar.

16. Disable XMLRPC 

XML-RPC is a core WordPress API that allows users to connect to your site using third-party apps, tools, and services. In short, you need XML-RPC enabled to access and publish your blog remotely, such as when you want to use a mobile app to manage your site or connect to automation services like Zapier and Uncanny Automator.

Unfortunately, hackers can gain access to WordPress by exploiting XML-RPC. For that reason, many security experts advise you to disable XML-RPC unless you’re actively using it.

By default, Limit Login Attempts Reloaded will disable XML-PRC on your website, which will help keep your site safe.

17. WordPress Multisite Compatible

Are you using a WordPress multisite network?

Then you’ll be happy to learn that Limit Login Attempts Reloaded supports multisite and even has extra multisite settings.

18. Community and Professional Support

Limit Login Attempts Reloaded is designed to use out-of-the-box, with settings that work well for most WordPress websites. However, brute force attacks are a serious threat, so you may need extra help to secure your site.

With that said, Limit Login Attempts Reloaded has a series of guides that cover important security topics such as how to fix a hacked website, and whether you should change the WordPress ‘admin’ username.

An example of an online knowledge base

Beyond that, there’s online documentation that you can access 24/7, and a blog.

On the blog, you’ll find a range of tutorials and guides, plus the company’s expert pick of the must have WordPress plugins you may want to use alongside Limit Login Attempts Reloaded.

An example of a security-focused WordPress blog

If you have the free plugin, then you can post to the Limit Login Attempts Reloaded forum on, and get answers to basic questions.

When posting to public support forums, it’s always a good idea to include as much information as possible, so the experts can understand your problem quickly and post a helpful response. For more on this topic, please see our guide on how to properly ask for WordPress support.

Do you prefer one-on-one support? All the premium plans include professional email support, so you can get help directly from the experts.

Limit Login Attempts Reloaded: Pricing and Plans

If you’re just getting started or have a limited budget, then you can download the core Limit Login Attempts Reloaded plugin from

With this free plugin, you can change the number of failed login attempts before a user gets locked out. You can also change how long the user remains blocked from their account. However, if you want more advanced features then you’ll need to upgrade to the premium plugin.

The Limit Login Attempts Reloaded pricing and plans

There are 4 plans to choose from:

  • Premium. For $3.33 per month, this plugin can process up to 100k requests in the cloud. It will also automatically block known malicious IPs from accessing your login page and create a detailed log.
  • Premium Plus. Priced at $4.58 per month when billed annually, this plan can process up to 200k requests per month. You can also deny requests from specific regions, thanks to a list of pre-programmed IP ranges. With that said, this is a great plan for websites that get lots of traffic.
  • Professional. For $6.67 per month, this plan will automatically add malicious IPs to your denylist. The Performance Optimizer can also process up to 300k requests per month, so your pages will load quickly even when your site is under heavy attack.
  • Agency. Priced at $18.75 when billed annually, this plan can process up to 100k requests per domain name. You can also easily add and remove domains, so it’s perfect for WordPress development agencies or anyone who manages multiple sites. Alternatively, you can resell this plan to clients, which is ideal if you’re starting your own online business.

Limit Login Attempts Reloaded Review: The Right Security Plugin for Your WordPress Website?

After looking at the features, support options, and pricing, we’re confident that Limit Login Attempts Reloaded is a great security plugin.

It can help protect your site against brute force attacks by automatically blocking suspicious users. It also collects data from thousands of websites in its network and uses that information to identify and block malicious IP addresses on your website.

Beyond that, Limit Login Attempts Reloaded helps you comply with GDPR and other important privacy laws. It can also keep your site running normally even when it’s under attack, by processing thousands of login attempts in the cloud.

We hope this Limit Login Attempts Reloaded review helped you decide whether it’s right for your WordPress website. You can also check out our guide on how to track visitors to your WordPress site, or see our expert pick of the best analytics solutions.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

WPBeginner users can save up to 58%!

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Reader Interactions

1 User ReviewAdd Your Review

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

Leave A Review

Thanks for choosing to leave a review. Please keep in mind that all reviews are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Your Rating: