WordPress Login Cool Down – Stops brute force attacks on WordPress the easy way

By 8th August 2013 April 21st, 2020 Shield Security

There’s no shortage of news on WordPress brute-force hacking attempts.

Out-of-the-box, WordPress places no limits on the login page.

This makes WordPress vulnerable to brute force attacks.

So how can you prevent brute-force attacks against your WordPress website?

It’s easy…

WordPress Login Cool Down – Blocks ALL Brute Force Login Attacks

There are numerous plugins that try to prevent hacking your site.

Some are complicated and bloated, while others are just complicated.

Our approach to WordPress security uses simple, highly effective techniques that don’t require any visitor analysis.

Our method places some hard limits on the WordPress login itself, without impacting the user experience.

One such technique is a WordPress Login Cool Down.

Think about it, how often does anybody login into your WordPress site?  Not very often… so the chances of 2 people attempting to login at the same time are very slim.

The login cool down feature is based on this fact, as follows:

  1. When someone makes a login attempt to WordPress we start a countdown timer, let’s say 30 seconds.
  2. Then, when anyone else attempts to login to the site, before checking user login credentials we check the timer.
  3. If this login attempt falls within the cool down period (30 seconds) we immediately exit the login authentication process.

In this way, we effectively restrict WordPress user logins to once every 30 seconds.

WordPress Login Cool Down Feature

WordPress Login Cool Down Feature Option

No more brute force attacks!

Can you explain exactly how WordPress Login Cool Down prevents brute-force attacks?

Sure- Brute force attacks work by trying to log into WordPress 10s, 100s, 1000s of times a second until eventually the correct username + password combination is discovered.

If this doesn’t overwhelm a web server, the hacker can keep guessing your login details for hours.

Not so with a login cool down!

Imagine you limit the login cool down period to just only 1 second.

You immediately limit login attacks from 100s/second to 1/s.

That, believe it or not, is probably enough to prevent almost any brute force attack as they rely on 100,000s of attempts over a sustained period of time.

But to be extra safe, you’ll want to set it to something like 30 seconds minimum.

Does the plugin “block” or “ban” IP addresses?


There are 2 main problems with blocking IPs:

  • Processing and list maintenance – you can’t maintain that data across all your sites, and each login attempt puts further load on your databases while it looks up IPs.
  • IP ban lists don’t actually work in certain scenarios. Why? Because if your site is being hammered from a bot-net (a network of hundreds/thousands of computers) they can attack your site by sending the login requests from different IP addresses. In this case, IP ban lists are completely useless!

Login Cool Down is effective because you simply can’t brute force attack the site no matter where the traffic is coming from.

How to get WordPress Login Cool Down?

This feature was designed and written by us and integrated into our WordPress Simple Firewall plugin that is freely downloaded from WordPress.org.

This plugin also features other security and firewall functions to protect your site:

Combing these features adds unsurpassed protection to your WordPress sites!

Join the discussion 2 Comments

  • Keith Davis says:

    Hi Paul
    Clever idea and I note that you recommend a cooldown period of 30 seconds.
    The default setup on the WSF plugin is 5 seconds.
    Do you think that 5 seconds is too short?

    I’m using WSF plugin on all my sites.
    Easy to setup, full of great features and good support in the WordPress forum.

    View Comment
    • Paul G. says:

      Hi Keith,

      I put in a 5s default so that it wasn’t too high to annoy folks that don’t usually change default settings.

      I think the longer you can set it, the better. Obviously though, the higher you go, the less payoff, but 30 seconds is a good number, and if you can go for higher, you should. It really depends on how many users you’re likely to have logging in because this cooldown is not per-user, but for the whole site.

      I’m delighted to hear you’ve been have a great experience with the plugin – we love to hear that! 🙂

      Thank you!

      View Comment

Leave a Reply