
Login security: brute-force protection

Updated May 11, 2026

Brute-force attacks are the most common attack against WordPress sites. PowerSEC blocks them before an attacker can guess your password.

How brute-force attacks work

A bot tries thousands of username + password combinations against /wp-login.php and /xmlrpc.php. Common patterns:

  • Dictionary attacks — common words like "password123", "admin"
  • Credential stuffing — leaked passwords from other breaches
  • Targeted attacks — guessing your name, kids, pets, birthday

How PowerSEC blocks them

Layer 1: rate limiting per IP

After N failed attempts (default 5) from one IP within M minutes (default 15), the IP is blocked for L minutes (default 60). Configurable per site.

Layer 2: lockout per username

After N failed attempts against one username, that account is locked for L minutes regardless of source IP. This covers distributed attacks that spread guesses across many IPs to stay under the per-IP limit.

Layer 3: hostile IP blacklist

Known attacker IPs (from PowerSEC's threat intel feed) are blocked at the firewall — they never reach /wp-login.php at all.

Layer 4: 2FA (Pro)

Even if an attacker guesses the password, they can't log in without the code from your phone.

Layer 5: CAPTCHA on suspicious requests

After N failures, subsequent login attempts require solving a CAPTCHA. Bots fail this; humans pass easily.

Configuration

WP admin → PowerSEC → Login Security:

  • Failed attempts threshold — default 5
  • Time window — default 15 minutes
  • Lockout duration — default 60 minutes
  • Notify on lockout — email when an IP is blocked (useful for monitoring)
  • xmlrpc.php protection — blocks xmlrpc.php; keep this enabled unless you actively use it

When you get locked out (false positive)

If you accidentally lock yourself out:

  1. Wait for the lockout to expire (default 60 min)
  2. Or: log into PowerSEC Central → Sites → your site → "Unlock IP" action
  3. Or: SSH into your server and delete the lockout file: wp-content/powersec-lockouts/<IP>.json

Recommended settings by site type

Site type       Failed attempts   Time window   Lockout
Personal blog   5                 15 min        60 min
Business site   3                 10 min        60 min
E-commerce      3                 10 min        30 min (allow staff retries)
High-security   3                 5 min         24 hours + 2FA

What if you can't enable lockouts?

Some hosts (especially shared hosting) put a caching or proxy layer in front of your site, so PowerSEC sees the proxy's IP instead of the real client IP and every visitor shares one counter. If lockouts seem to affect everyone:

  1. Check your Trust Proxy settings (PowerSEC → Settings → Advanced)
  2. Set X-Forwarded-For trust correctly for your CDN/load balancer
  3. Or: use per-username lockout only instead of per-IP

For Cloudflare users, see Cloudflare integration setup.
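The following is an added illustration, not PowerSEC's own code: a language-neutral model of Layers 1 and 2 (sliding-window failure counters with per-IP and per-username lockouts, defaults 5 / 15 min / 60 min) plus the proxy-aware client IP resolution the Trust Proxy step relies on. The trusted proxy ranges, usernames and timestamps are constructed sample values.

```python
import ipaddress
from collections import defaultdict, deque


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Resolve the real client IP behind a CDN or load balancer.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and the rightmost hop that is not itself a trusted proxy wins. Trusting
    the header blindly lets a client forge it (and shift lockouts onto other
    addresses); ignoring it behind a proxy locks out every visitor at once.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_proxy(addr):
        return any(addr in n for n in nets)

    if not xff_header or not is_proxy(ipaddress.ip_address(remote_addr)):
        return remote_addr                  # untrusted peer: header ignored
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue                        # malformed hop: skip it
        if not is_proxy(addr):
            return hop                      # rightmost non-proxy hop
    return remote_addr                      # chain held only our proxies


class LoginGuard:
    """Sliding-window failure counters with per-IP and per-username lockouts."""

    def __init__(self, threshold=5, window=15 * 60, lockout=60 * 60):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # key -> failure timestamps (s)
        self.locked_until = {}              # key -> unlock time (s)

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def record_failure(self, ip, username, now):
        """Register one failed login; returns the keys that just got locked."""
        newly = set()
        for key in ("ip:" + ip, "user:" + username.lower()):
            q = self.failures[key]
            while q and q[0] <= now - self.window:  # drop failures outside window
                q.popleft()
            q.append(now)
            if len(q) >= self.threshold:
                self.locked_until[key] = now + self.lockout
                q.clear()
                newly.add(key)
        return newly

    def allow(self, ip, username, now):
        """True unless the source IP or the target account is locked out."""
        return not (self.is_locked("ip:" + ip, now)
                    or self.is_locked("user:" + username.lower(), now))
```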
