Brute Force Protection

Configure login attempt limits, lockouts, and IP blocking.

Last updated Feb 3, 2025

How Brute Force Attacks Work

Brute force attacks are automated attempts to guess your login credentials. Attackers use scripts to rapidly try thousands of username/password combinations until they find one that works.

Without protection, WordPress will allow unlimited login attempts from any IP address. ArmorPro stops this by:

  • Tracking failed login attempts per IP address
  • Temporarily blocking IPs after too many failures
  • Increasing lockout duration for repeat offenders
  • Logging all activity for your review

Configuration

Go to ArmorPro → Brute Force to configure protection settings.

Failed Attempt Threshold

The number of failed login attempts before an IP is locked out.

  • Default: 5 attempts
  • Recommended range: 3-10 attempts

Lower values are more secure but may inconvenience users who mistype their password. Higher values are more lenient but give attackers more guesses.

Lockout Duration

How long an IP is blocked after exceeding the failed attempt threshold.

  • Default: 15 minutes
  • Recommended range: 15-60 minutes

Extended Lockout

After multiple lockouts from the same IP, the lockout duration increases.

  • Default: 60 minutes after 3 lockouts

This discourages persistent attackers who wait out the initial lockout period.

Reset Period

How long before failed attempt counts reset for an IP.

  • Default: 60 minutes

If an IP makes 3 failed attempts and then waits longer than the reset period, its count goes back to zero.

Viewing Login Activity

Go to ArmorPro → Logs → Login Activity to see all login attempts.

Each entry shows:

  • Date/Time: When the attempt occurred
  • Username: The username that was tried
  • IP Address: Source of the attempt
  • Status: Success, Failed, or Blocked
  • Location: Approximate geographic location (Pro)

Managing Blocked IPs

When an IP is temporarily blocked, it appears in the blocked list with a countdown showing when the block expires.

You can manually:

  • Unblock: Remove the temporary block immediately
  • Whitelist: Permanently allow the IP (useful if you accidentally locked yourself out)
  • Blacklist: Permanently block the IP (Pro feature)

Locked Out?

If you lock yourself out, you have three options: wait for the lockout to expire; access your site via FTP/SFTP and temporarily rename the plugin folder; or ask someone with server access to whitelist your IP in the database.

Auto-Blacklist (Pro)

With ArmorPro Pro, you can automatically and permanently ban IPs that repeatedly trigger lockouts.

Go to ArmorPro → Brute Force and enable Auto-Blacklist.

  • Threshold: Number of lockouts before auto-blacklisting (default: 5)

Auto-blacklisted IPs are added to your permanent blacklist and will never be able to access your site again (unless manually removed).
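The lockout escalation described under Configuration, together with the Auto-Blacklist threshold above, as an added Python model using the page's default values (example code, not ArmorPro's own). It assumes the failed-attempt count is measured from the most recent failure, that Extended Lockout starts with the third lockout, and that the Reset Period clears failed attempts but not the lockout count; the IP addresses are constructed documentation-range examples.

```python
from dataclasses import dataclass
@dataclass
class LockoutPolicy:  # defaults are the values listed on this page, in seconds
    max_failures: int = 5            # Failed Attempt Threshold
    lockout_seconds: int = 15 * 60   # Lockout Duration
    extended_after: int = 3          # Extended Lockout applies from this lockout on
    extended_seconds: int = 60 * 60
    reset_seconds: int = 60 * 60     # Reset Period
    blacklist_after: int = 5         # Auto-Blacklist threshold (Pro)

@dataclass
class IpState:
    failures: int = 0
    last_failure: float = 0.0
    lockouts: int = 0
    blocked_until: float = 0.0       # float("inf") once auto-blacklisted

class BruteForceGuard:
    def __init__(self, policy=None):
        self.policy, self.ips = policy or LockoutPolicy(), {}

    def attempt(self, ip, now, password_ok):
        """Process one login attempt and return the status the log would show."""
        p, s = self.policy, self.ips.setdefault(ip, IpState())
        if now < s.blocked_until:
            return "Blocked"                 # refused before credentials are checked
        if password_ok:
            return "Success"
        if now - s.last_failure > p.reset_seconds:
            s.failures = 0                   # Reset Period: a stale count starts over
        s.failures, s.last_failure = s.failures + 1, now
        if s.failures < p.max_failures:
            return "Failed"
        s.failures, s.lockouts = 0, s.lockouts + 1   # threshold hit: new lockout
        dur = p.extended_seconds if s.lockouts >= p.extended_after else p.lockout_seconds
        s.blocked_until = float("inf") if s.lockouts >= p.blacklist_after else now + dur
        return "Failed"

def lockout_timeline(guard, ip="203.0.113.7", cycles=5):
    """Constructed scenario: one IP keeps guessing and waits out every block;
    returns (lockout number, seconds blocked) per cycle, inf meaning blacklisted."""
    out, now = [], 0.0
    for _ in range(min(cycles, guard.policy.blacklist_after)):  # stops once blacklisted
        for _ in range(guard.policy.max_failures):
            now += 1
            guard.attempt(ip, now, False)
        s = guard.ips[ip]
        out.append((s.lockouts, s.blocked_until - now))
        now = max(now, s.blocked_until)      # attacker waits for the block to lapse
    return out
```

Running `lockout_timeline(BruteForceGuard())` shows two 15-minute blocks, two 60-minute Extended Lockouts, and then a permanent Auto-Blacklist on the fifth lockout.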

Best Practices

  • Always whitelist your own IP — Prevents accidental lockouts during testing
  • Use strong passwords — Brute force protection is a safety net, not a replacement for good passwords
  • Enable 2FA (Pro) — Two-factor authentication makes brute force attacks pointless
  • Review logs regularly — Spot patterns and persistent attackers
  • Don't set thresholds too low — 1-2 attempts is too aggressive for legitimate users