Brute Force Protection

Login attempt limits, lockout durations, bot protection, auto-blacklist, and XML-RPC/REST API hardening.

Last updated Feb 21, 2026

Overview

Brute force attacks are automated attempts to guess your WordPress login credentials by trying thousands of username and password combinations. These attacks target wp-login.php and xmlrpc.php, hammering your site with rapid-fire login requests.

ArmorPro's brute force protection monitors login attempts, blocks IPs that exceed your configured threshold, and optionally auto-blacklists repeat offenders. It also includes bot detection to filter out automated attacks before they even reach the login handler.

Master toggle

Brute force protection is controlled by a single master toggle at the top of the Brute Force tab. When disabled, no login attempts are tracked and no lockouts are applied. All other brute force settings are hidden until the master toggle is enabled.

Login attempt settings

Failed attempts before lockout

This controls how many failed login attempts are allowed before the IP is temporarily blocked. Available options:

  • 2 attempts — Maximum security, may cause false positives
  • 3 attempts — Default, good balance of security and usability
  • 5 attempts — More lenient, recommended for sites with many users
  • 10 attempts — Most lenient, suitable for membership sites

Lockout duration

When an IP exceeds the failed attempt limit, it is temporarily blocked for the configured duration. Options include:

  • 5 minutes
  • 10 minutes
  • 15 minutes (default)
  • 30 minutes
  • 1 hour
  • 2 hours

After the lockout expires, the IP can attempt to log in again. If the failures continue, a new lockout is applied.

Session tracking

ArmorPro tracks login sessions using a combination of IP address, user agent, and the current hour. If there is no activity from a session for 60 minutes, the failed attempt counter resets. This prevents stale sessions from accumulating lockouts over extended periods.

Error message

When a user is blocked due to too many failed attempts, they see a message informing them that their IP has been temporarily locked out and how long they must wait before trying again.

Bot protection

Bot protection adds a layer of detection that runs before the brute force login handler. This means automated bots are blocked without polluting your login activity log with noise.

Bot protection is off by default and can be enabled in the Brute Force settings. When enabled, it applies the following checks to login, registration, and lost password forms:

  • Honeypot field — An invisible form field that real users will not fill in. Bots that auto-complete all fields are caught instantly.
  • Timestamp validation — Submissions that arrive in under 2 seconds are rejected. No human can type credentials that fast.
  • JavaScript token verification — A token is generated client-side via JavaScript. Bots that submit forms without executing JavaScript fail this check.
  • Nonce validation — A WordPress nonce is embedded in the form and verified on submission to prevent replay attacks.
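The following Python is an added illustration of how the four checks fit together on the server side; it is not ArmorPro's own code (the plugin is written in PHP, none of which appears on this page). The nonce is a simplified HMAC construction standing in for WordPress's nonce mechanism, the JavaScript token is assumed to be a hash the page's script derives from the nonce, and the field names, the 12-hour validity window and the secret key are all constructed for the example. One detail worth noting: the render timestamp is bound into the nonce, so a client cannot back-date the form to defeat the 2-second timing check.

```python
import hashlib
import hmac
import time

# Constructed secret for this example; a real deployment would use a
# per-site secret such as the salts in wp-config.php.
SECRET_KEY = b"example-secret-do-not-use"
MIN_FILL_SECONDS = 2            # page: submissions under 2 seconds are rejected
NONCE_TICK_SECONDS = 12 * 3600  # assumed validity window (WordPress nonces use a 12-hour tick)


def _sign(action: str, session_id: str, issued_ts: int, tick: int) -> str:
    msg = f"{action}|{session_id}|{issued_ts}|{tick}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(action: str, session_id: str, issued_ts: int, now: float) -> str:
    """Nonce bound to the action, the visitor session and the render timestamp.
    Binding issued_ts means a client cannot back-date form_ts to beat the timing check."""
    return _sign(action, session_id, issued_ts, int(now // NONCE_TICK_SECONDS))


def verify_nonce(nonce: str, action: str, session_id: str, issued_ts: int, now: float) -> bool:
    """Accept the current tick and the previous one so a form rendered just before a
    tick boundary is still valid; anything older is stale or replayed."""
    tick = int(now // NONCE_TICK_SECONDS)
    return any(hmac.compare_digest(nonce, _sign(action, session_id, issued_ts, t))
               for t in (tick, tick - 1))


def expected_js_token(nonce: str) -> str:
    """Value the page's JavaScript computes from the nonce and writes into a hidden
    field; a client that never runs the script cannot produce it (assumed scheme)."""
    return hashlib.sha256(("js:" + nonce).encode()).hexdigest()[:16]


def render_form(action: str, session_id: str, now: float) -> dict:
    """Hidden fields the server emits with the login form (constructed names)."""
    issued_ts = int(now)
    return {
        "hp_website": "",                   # honeypot: must come back empty
        "form_ts": str(issued_ts),          # render time for the timing check
        "nonce": make_nonce(action, session_id, issued_ts, now),
        # js_token is NOT emitted; the browser's JavaScript fills it in.
    }


def check_submission(fields: dict, action: str, session_id: str, now: float) -> list:
    """Run the four bot-protection checks; returns the names of the checks that failed."""
    failures = []
    if fields.get("hp_website", ""):
        failures.append("honeypot")
    try:
        issued_ts = int(fields.get("form_ts", ""))
    except ValueError:
        issued_ts = 0
    if now - issued_ts < MIN_FILL_SECONDS:
        failures.append("timestamp")
    nonce = fields.get("nonce", "")
    if not hmac.compare_digest(fields.get("js_token", ""), expected_js_token(nonce)):
        failures.append("js_token")
    if not verify_nonce(nonce, action, session_id, issued_ts, now):
        failures.append("nonce")
    return failures


def human_submission(now: float) -> list:
    """A browser renders the form, runs the script, and submits five seconds later."""
    fields = render_form("login", "sess-A", now)
    fields["js_token"] = expected_js_token(fields["nonce"])
    return check_submission(fields, "login", "sess-A", now + 5)


def scripted_submission(now: float) -> list:
    """A script posts the form back 300 ms later, fills every field, never runs JavaScript."""
    fields = render_form("login", "sess-B", now)
    fields["hp_website"] = "http://example.invalid"
    return check_submission(fields, "login", "sess-B", now + 0.3)


def backdated_submission(now: float) -> list:
    """Same script, but it rewrites form_ts to look slow; the nonce no longer verifies."""
    fields = render_form("login", "sess-C", now)
    fields["js_token"] = expected_js_token(fields["nonce"])
    fields["form_ts"] = str(int(now) - 60)
    return check_submission(fields, "login", "sess-C", now + 0.3)


if __name__ == "__main__":
    t = time.time()
    print("human:", human_submission(t))          # []
    print("script:", scripted_submission(t))      # ['honeypot', 'timestamp', 'js_token']
    print("backdated:", backdated_submission(t))  # ['nonce']
```

Because each check is independent, a rejected submission can be logged with the exact reason, which is what keeps the brute force handler's own log free of bot noise as the text describes.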

Tip

Bot protection is lightweight and invisible to real users. It requires no CAPTCHAs or user interaction. Enable it to dramatically reduce the number of automated login attempts that reach your brute force handler.

Auto-blacklist repeat offenders

IPs that are repeatedly locked out can be automatically added to the permanent blacklist. This is configured with two settings:

Auto-blacklist threshold

The number of lockouts an IP must accumulate before being permanently blacklisted. Options: disabled (default), 3, 5, 10, 15, or 20 lockouts.

Auto-blacklist expiry

How long the auto-blacklist entry lasts. Configurable from 1 to 365 days, with a default of 30 days. After expiry, the IP is removed from the blacklist and can attempt to log in again.

Auto-blacklisted IPs appear in the Access Control blacklist with a note reading "Auto: X blocks" so you can distinguish them from manually added entries.
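The lockout rules from Login attempt settings and Session tracking above, together with the auto-blacklist threshold and expiry, form one state machine. The following Python models it as an added example; it is not ArmorPro's implementation and makes no claim about how the plugin stores its state. The documented defaults (3 attempts, 15-minute lockout, 60-minute idle reset, 30-day expiry) are used as constants; the IP address, user agent and timeline are constructed, and resetting the lockout count when a blacklist entry expires is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defaults as documented on this page; every value is a plugin setting.
FAILED_ATTEMPTS_BEFORE_LOCKOUT = 3
LOCKOUT_MINUTES = 15
SESSION_IDLE_RESET_MINUTES = 60
AUTO_BLACKLIST_EXPIRY_DAYS = 30


@dataclass
class SessionState:
    failures: int = 0
    last_seen: Optional[datetime] = None


@dataclass
class IpState:
    locked_until: Optional[datetime] = None
    lockouts: int = 0
    blacklisted_until: Optional[datetime] = None


class BruteForceGuard:
    """In-memory model of the lockout / auto-blacklist behaviour described above."""

    def __init__(self, threshold=FAILED_ATTEMPTS_BEFORE_LOCKOUT, lockout_minutes=LOCKOUT_MINUTES,
                 idle_reset_minutes=SESSION_IDLE_RESET_MINUTES,
                 blacklist_threshold=0, blacklist_expiry_days=AUTO_BLACKLIST_EXPIRY_DAYS):
        self.threshold = threshold
        self.lockout = timedelta(minutes=lockout_minutes)
        self.idle_reset = timedelta(minutes=idle_reset_minutes)
        self.blacklist_threshold = blacklist_threshold  # 0 = disabled (the default)
        self.blacklist_expiry = timedelta(days=blacklist_expiry_days)
        self.sessions = {}  # session key -> SessionState (failed attempt counters)
        self.ips = {}       # ip -> IpState (lockouts and blacklist status)

    @staticmethod
    def session_key(ip, user_agent, now):
        """Failed attempts are counted per IP + user agent + current hour."""
        return (ip, user_agent, now.strftime("%Y-%m-%d %H"))

    def _session(self, ip, user_agent, now):
        s = self.sessions.setdefault(self.session_key(ip, user_agent, now), SessionState())
        if s.last_seen is not None and now - s.last_seen >= self.idle_reset:
            s.failures = 0  # no activity for 60 minutes: the counter resets
        s.last_seen = now
        return s

    def check(self, ip, user_agent, now) -> str:
        """Call before processing a login: 'ok', 'locked' or 'blacklisted'."""
        ipst = self.ips.setdefault(ip, IpState())
        if ipst.blacklisted_until is not None:
            if now < ipst.blacklisted_until:
                return "blacklisted"
            # Expired entry: removed from the blacklist; the IP may try again.
            # Clearing the lockout count here is an assumption of this model.
            ipst.blacklisted_until = None
            ipst.lockouts = 0
        if ipst.locked_until is not None and now < ipst.locked_until:
            return "locked"
        return "ok"

    def record_failure(self, ip, user_agent, now) -> str:
        """Record one failed login: 'failed', 'lockout' or 'blacklisted'."""
        s = self._session(ip, user_agent, now)
        s.failures += 1
        if s.failures < self.threshold:
            return "failed"
        s.failures = 0  # counter restarts after each lockout
        ipst = self.ips.setdefault(ip, IpState())
        ipst.locked_until = now + self.lockout
        ipst.lockouts += 1
        if self.blacklist_threshold and ipst.lockouts >= self.blacklist_threshold:
            ipst.blacklisted_until = now + self.blacklist_expiry
            return "blacklisted"
        return "lockout"

    def blacklist_note(self, ip) -> str:
        """Label shown next to an auto-blacklisted entry in Access Control."""
        return f"Auto: {self.ips[ip].lockouts} blocks"


def demo_timeline() -> list:
    """Constructed timeline for one IP with the auto-blacklist threshold set to 3."""
    g = BruteForceGuard(blacklist_threshold=3)
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed UA)"   # documentation-range IP
    t = datetime(2026, 2, 21, 10, 0, 0)
    out = []
    for s in (0, 1, 2):                                     # three rapid failures -> first lockout
        out.append(g.record_failure(ip, ua, t + timedelta(seconds=s)))
    out.append(g.check(ip, ua, t + timedelta(seconds=5)))             # still locked
    out.append(g.check(ip, ua, t + timedelta(minutes=16)))            # 15-minute lockout expired
    for s in (0, 1, 2):                                     # second burst -> second lockout
        out.append(g.record_failure(ip, ua, t + timedelta(minutes=16, seconds=s)))
    out.append(g.record_failure(ip, ua, t + timedelta(minutes=59)))   # failure 1 in the 10:00 session
    out.append(g.record_failure(ip, ua, t + timedelta(hours=1)))      # new hour -> new session, failure 1 again
    out.append(g.record_failure(ip, ua, t + timedelta(hours=1, seconds=1)))
    out.append(g.record_failure(ip, ua, t + timedelta(hours=1, seconds=2)))  # third lockout -> blacklist
    out.append(g.check(ip, ua, t + timedelta(hours=1, seconds=3)))
    out.append(g.blacklist_note(ip))
    out.append(g.check(ip, ua, t + timedelta(days=31)))               # 30-day entry has expired
    return out


if __name__ == "__main__":
    for step in demo_timeline():
        print(step)
```

The timeline shows the two points that most often surprise administrators: the failure counter restarts from zero after each lockout, and because the session key includes the current hour, a burst that straddles an hour boundary starts a fresh counter.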

XML-RPC protection

XML-RPC (xmlrpc.php) is a legacy WordPress API that is frequently abused for brute force and DDoS amplification attacks. ArmorPro disables XML-RPC by default, returning a 403 Forbidden response to all XML-RPC requests.

If you rely on XML-RPC for a specific integration (such as the WordPress mobile app or Jetpack), you can disable this protection in the Brute Force settings.

REST API protection

The WordPress REST API exposes endpoints that can reveal usernames, post data, and other site information. ArmorPro can block REST API access for non-logged-in visitors. This setting is off by default because many plugins and themes rely on the REST API for front-end functionality.

Important

Enabling REST API protection may break front-end features that depend on the REST API, such as the block editor for logged-out previews, contact form plugins, or headless WordPress setups. Test thoroughly before enabling.

Login activity log

The login activity log provides a real-time view of all login-related events on your site. It is located at the bottom of the Brute Force tab.

Log columns

Column     Description
IP         The IP address of the login attempt
Location   Country name and flag based on GeoIP lookup
Status     Color-coded badge: Lockout (red), Failed (yellow), Login (green)
Details    Username attempted, failure reason, or successful login info
Time       When the event occurred
Actions    Unblock IP or Whitelist IP buttons

Filters and pagination

Filter the log by status: All, Lockouts, Failed, or Logins. The log shows 10 rows at a time with a Load More button for additional entries. You can also export the full log as a CSV file.
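The CSV export is the natural input for offline review. As an added example (not a feature of ArmorPro and not its code), the Python below reads an export and pulls out what a reviewer usually wants first: events by status, lockouts per IP, the usernames being tried, IPs that have reached a given auto-blacklist threshold, and successful logins that immediately followed failures from the same IP. The sample rows are constructed; the column names follow the table above, but the exact layout of the plugin's CSV, and the "Username: ..." wording in the Details column, are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names follow the Log columns table on this
# page; the exact CSV layout the plugin produces is an assumption.
SAMPLE_CSV = """IP,Location,Status,Details,Time
203.0.113.7,Netherlands,Failed,Username: admin,2026-02-21 10:00:00
203.0.113.7,Netherlands,Failed,Username: admin,2026-02-21 10:00:01
203.0.113.7,Netherlands,Lockout,3 failed attempts,2026-02-21 10:00:02
198.51.100.23,Brazil,Failed,Username: administrator,2026-02-21 10:02:10
198.51.100.23,Brazil,Failed,Username: admin,2026-02-21 10:02:11
198.51.100.23,Brazil,Failed,Username: test,2026-02-21 10:02:12
198.51.100.23,Brazil,Lockout,3 failed attempts,2026-02-21 10:02:12
192.0.2.44,Germany,Failed,Username: editor,2026-02-21 10:05:00
192.0.2.44,Germany,Login,User: editor,2026-02-21 10:05:20
203.0.113.7,Netherlands,Lockout,3 failed attempts,2026-02-21 10:20:05
"""


def parse_log(text: str) -> list:
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: list) -> dict:
    """Events by status, lockouts per IP, and usernames tried in failed attempts."""
    status_counts = Counter(r["Status"] for r in rows)
    lockouts_per_ip = Counter(r["IP"] for r in rows if r["Status"] == "Lockout")
    usernames = Counter()
    prefix = "Username: "  # assumed wording of the Details column for failures
    for r in rows:
        if r["Status"] == "Failed" and r["Details"].startswith(prefix):
            usernames[r["Details"][len(prefix):]] += 1
    return {
        "status": dict(status_counts),
        "lockouts_per_ip": dict(lockouts_per_ip),
        "usernames": dict(usernames),
    }


def ips_at_blacklist_threshold(rows: list, threshold: int) -> list:
    """IPs whose lockout count in the export has reached the configured threshold."""
    counts = Counter(r["IP"] for r in rows if r["Status"] == "Lockout")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def logins_preceded_by_failures(rows: list) -> list:
    """IPs that logged in successfully right after failing: worth a second look,
    whether a user who mistyped a password or a guess that eventually worked."""
    last_status = {}
    flagged = []
    for r in sorted(rows, key=lambda r: r["Time"]):  # Time is sortable as text here
        if (r["Status"] == "Login" and last_status.get(r["IP"]) == "Failed"
                and r["IP"] not in flagged):
            flagged.append(r["IP"])
        last_status[r["IP"]] = r["Status"]
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_CSV)
    print(summarize(rows))
    print("at threshold 2:", ips_at_blacklist_threshold(rows, 2))
    print("review:", logins_preceded_by_failures(rows))
```

Run against a real export, the usernames counter is the quickest way to see whether attackers are guessing generic names (admin, test) or a real account name that has leaked, which is the difference between tuning thresholds and resetting a credential.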

Actions

Each log entry includes two action buttons:

  • Unblock IP — Removes the current temporary lockout so the IP can attempt to log in again. Does not prevent future lockouts.
  • Whitelist IP — Adds the IP to the permanent whitelist in Access Control. Whitelisted IPs bypass all security checks.

If your own IP triggers repeated failures, ArmorPro will suggest whitelisting it to prevent accidental lockouts.

Tip

Whitelist your own IP address in Access Control before tightening brute force settings. This ensures you will never lock yourself out, even if you mistype your password.

Important

Reducing the failed attempts threshold too aggressively (for example, to 2) can lock out legitimate users who simply mistype their password. The default of 3 provides a good balance for most sites.