Title: Protect Login
Author: Simon Kraft
Published: <strong>22.8.2024</strong>
Last modified: 28.6.2026

---

Hae lisäosia

![](https://ps.w.org/protect-login/assets/icon.svg?rev=3297390)

# Protect Login

 [Simon Kraft](https://profiles.wordpress.org/krafit/)

[Lataa](https://downloads.wordpress.org/plugin/protect-login.1.5.1.zip)

[Live Preview](https://fi.wordpress.org/plugins/protect-login/?preview=1)

 * [Tiedot](https://fi.wordpress.org/plugins/protect-login/#description)
 * [Arvostelut](https://fi.wordpress.org/plugins/protect-login/#reviews)
 *  [Asennus](https://fi.wordpress.org/plugins/protect-login/#installation)
 * [Kehitys](https://fi.wordpress.org/plugins/protect-login/#developers)

 [Tuki](https://wordpress.org/support/plugin/protect-login/)

## Kuvaus

Out of the box, WordPress allows unlimited attempts to log in. This opens up opportunities
for attackers to crack passwords simply by trying over and over again. This kind
of attack is called brute-force, and _Protect Login_ mitigates this by slowing down
the login after a series of subsequent failed attempts.

But we did not stop there. We’re also working on ways to improve the security of
your WordPress passwords. Currently, we do this by allowing you to enforce a password
policy to make sure your users don’t use weak passwords for their accounts.

## Asennus

 1. Upload the plugin files to the `/wp-content/plugins/protect-login` directory, or
    install the plugin through the WordPress plugins screen directly.
 2. Activate the plugin through the ’Plugins’ screen in WordPress.
 3. The default settings will be applied automatically. To change them, navigate to**
    Settings > Protect Login**

## UKK

### Who are you folks?

We’re Thomas and Simon, two WordPress enthusiasts, with the dearing crazy idea to
offer a good plugin without asking for your money or attention.

Our initial work on **Protect Login** was sponsored by [group.one](https://www.group.one/).

### Why did you build this plugin?

We care about WordPress and keeping WordPress sites secure. So we decided it was
time to take the code of the original Limit Login Attempts plugin and build on top
of it.
 We did this for you. Protect Login is 100% free and will not bother you 
with nasty upsells or scare marketing. You have better things to do, don’t you?

### Why not reset failed attempts on a successful login?

This is very much by design. Otherwise, you could simply brute force the ”admin”
password by logging in as your own user every 4th attempt.

### How do I know if my site is behind a reverse proxy?

If you’re not sure about this, chances are your site is not behind a reverse proxy.
However, Protect Login’s settings offer an option to activate proxy mode.
 A reverse
proxy is a server between the site and the Internet (perhaps handling caching or
load-balancing). This makes getting the correct client IP to block slightly more
complicated.

### Can I put my IP on an allowlist to avoid getting locked out?

Yes, there is an allowlist tab in Protect Login’s settings.

### I locked myself out while testing this plugin; what do I do?

Either wait until your account/IP is unblocked, or if you have FTP or SSH access
to the site, rename it ”wp-content/plugins/protect-login” to deactivate the plugin.

### Do you support IPv6 addresses?

Yes, if the webserver passes an IPv6 address to your WordPress installation, the
plugin has no problems to handle IPv6 from 1.2.0.

### Where do I report security bugs found in this plugin?

Please report security bugs found in the source code of the Protect Login plugin
through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/8f993618-835b-4951-ac1b-0efa35062d9b).
The Patchstack team will assist you with verification, CVE assignment, and notify
the developers of this plugin.

## Arvostelut

![](https://secure.gravatar.com/avatar/ebf24a46b59868038e2124a56a0d272ab24bb0731a0c1774763717f0ce403a6f?
s=60&d=retro&r=g)

### 󠀁[The plugin makes a lean and clear impression!](https://wordpress.org/support/topic/the-plugin-makes-a-lean-and-clear-impression/)󠁿

 [Michael](https://profiles.wordpress.org/michael-luther/) 20.11.2024

Compared to “Limit Login Attempts Reloaded”, it makes a lean and clear impression
without any frills. PS: After several weeks of use, I can say that it works reliably
on multiple websites.

![](https://secure.gravatar.com/avatar/5706550a5b705b844cfcacac6f96493d9184c0fe21b44d260df307e8de667a4e?
s=60&d=retro&r=g)

### 󠀁[It does exactly what it should](https://wordpress.org/support/topic/it-does-exactly-what-it-should-4/)󠁿

 [Jonas](https://profiles.wordpress.org/elbsegler/) 22.9.2024

It does exactly what it’s supposed to.Thank you for this plugin. It’s very nice 
not to be bombarded with ads.

 [ Lue kaikki 2 arvostelua. ](https://wordpress.org/support/plugin/protect-login/reviews/)

## Avustajat & Kehittäjät

“Protect Login” perustuu avoimeen lähdekoodiin. Seuraavat henkilöt ovat osallistuneet
tämän lisäosan kehittämiseen.

Avustajat

 *   [ Simon Kraft ](https://profiles.wordpress.org/krafit/)
 *   [ Thomas Günther ](https://profiles.wordpress.org/tidschi/)

“Protect Login” has been translated into 1 locale. Kiitoksia [kääntäjille](https://translate.wordpress.org/projects/wp-plugins/protect-login/contributors)
heidän työstään.

[Käännä “Protect Login” omalle kielellesi.](https://translate.wordpress.org/projects/wp-plugins/protect-login)

### Oletko kiinnostunut kehitystyöstä?

[Browse the code](https://plugins.trac.wordpress.org/browser/protect-login/), check
out the [SVN repository](https://plugins.svn.wordpress.org/protect-login/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/protect-login/) 
by [RSS](https://plugins.trac.wordpress.org/log/protect-login/?limit=100&mode=stop_on_copy&format=rss).

## Muutosloki

#### 1.5.0

 * Bugfix: Locking out an IP address no longer clears all other active lockouts.
 * Bugfix: Remote API list synchronisation now runs as intended (the previous check
   never triggered a sync); local block-/allowlist entries are no longer lost when
   merging with remote lists.
 * Bugfix: Remote API calls now use the correct endpoint paths, so block, allow,
   release and list operations work against a paired site.
 * Bugfix: Lockout times in the settings list and WP-CLI output now use the site’s
   configured time zone instead of always showing UTC.
 * Bugfix: Corrected the swapped ”your IP has (not) changed” message on the allowlist
   screen.
 * Bugfix: Reverse-proxy (”client type”) handling now works as configured, and falls
   back to the direct connection address when no valid forwarded address is present.
 * Bugfix: Hardened against division-by-zero and undefined-value notices when retry/
   notification thresholds are set to 0 or no attempts have been recorded yet.
 * Bugfix: Activation and uninstall routines are now registered against the main
   plugin file so they run reliably.
 * Improvement: The settings override filters now work as documented.
 * Improvement: Removed an unnecessary PHP session start on every authentication
   and a redundant database write on every admin page load.
 * Improvement: Added `Text Domain` and `Domain Path` plugin headers and a translation
   template.
 * Development: Codebase migrated to new Coding Standard.

#### 1.4.7

 * Bugfix: Fixed Bug in at-a-glance widget

#### 1.4.6

 * Migration path of password strength rules
 * Tested with WordPress 6.8
 * Improvement: Added description texts to blocklist, allowlist and blocked-addresses
   list
 * Improvement: Added Copy-to-Clipboard for Remote API settings
 * Improvement: One-Click auto-generate for Remote API key

#### 1.4.5

 * Bugfix: Error message ”Invalid credentials” was displayed, when wp-login.php 
   ist called directly or hidden by renaming of Admin Login URL

#### 1.4.4

 * Bugfix: Fixed issue an invalid login was recognize on logging out from WP
 * Bugfix: Fixes issue error message always was ”too many failed login attempts”
   even when it was the first trial

#### 1.4.3

 * Bugfix: Fixed button ”Add IP address to allowlist and release”
 * Bugfix: Fixed displaying setting in ”At a glance widget”

#### 1.4.2

 * Removed ”Your IP address” on blocklist tab
 * Added headlines on allowlist, blocklist and blocked ip addresses
 * Removed .github dir

#### 1.4.1

 * Bugfix: Fixed issue that prevented ”Add own ip address to allowlist” from working
 * Auto re-create WP sessions on activating plugin
 * Bugfix: Fixed issue on creating session cookie on multisite

#### 1.4.0

 * Automatically clean up the locked-out list a week after IP addresses have been
   cleared
 * Improve the design of empty IP lists
 * Add own IP v6 / IPv6 – Address to allowlist
 * Check for blocked IP on XML-RPC
 * Bugfix: Fixed issues that prevented the plugin from discovering that it runs 
   on a multisite
 * Bugfix: Compatibility fixes to PHP 7.4
 * Bugfix: Removed ending slashes from Rest API namespaces

#### 1.3.1

 * Bugfix: Improved error handling if non-numeric value is stored in wp_options
 * Cleanup: Removed leading whitespace in translation file for widget
 * Bugfix: Settings visible on multisite if name of the plugin directory is not ”
   protect-login”
 * Bugfix: An error occurred on WP multisites with enabled WP_DEBUG, because of 
   too early load of translation files
 * Moved ”settings” sections to admin_init – action
 * WP 6.7 compatibility

#### 1.3.0

 * Count of currently locked-out address visible in ”At a glance” Widget
 * Fixed bug on activation plugin through wp-cli in a multisite environment
 * Remote API support
 * Improved multisite support

#### 1.2.0

 * IPv6 support
 * Endpoints for WP-CLI
 * Added filter for password strength
 * ”Settings” link in plugin overview
 * Bugfix: string ”password too short” erroneous appeared in Quick Draft widget,
   removed.

#### 1.1.1

 * Removed unused strings
 * Added translator comments
 * Restructured some strings for easier translations

#### 1.1.0

 * Tested with WordPress 6.6
 * Added Multisite Support
 * Added filters to set protection levels programmatically
 * Fixed issue with timestamps always using UTC

#### 1.0.1

 * Fixed minor bugs

#### 1.0

 * Initial version
 * based on Limit Login Attempts 1.7.1 by Johan Eenfeldt

## Metatiedot

 *  Version **1.5.1**
 *  Last updated **3 päivää sitten**
 *  Active installations **600+**
 *  WordPress version ** 5.7 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 *  Languages
 * [English (US)](https://wordpress.org/plugins/protect-login/) ja [German](https://de.wordpress.org/plugins/protect-login/).
 *  [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/protect-login)
 * Tags
 * [authentication](https://fi.wordpress.org/plugins/tags/authentication/)[login](https://fi.wordpress.org/plugins/tags/login/)
   [security](https://fi.wordpress.org/plugins/tags/security/)
 *  [Edistynyt näkymä](https://fi.wordpress.org/plugins/protect-login/advanced/)

## Arvosanat

 5 out of 5 stars.

 *  [  2 5-star reviews     ](https://wordpress.org/support/plugin/protect-login/reviews/?filter=5)
 *  [  0 4-star reviews     ](https://wordpress.org/support/plugin/protect-login/reviews/?filter=4)
 *  [  0 3-star reviews     ](https://wordpress.org/support/plugin/protect-login/reviews/?filter=3)
 *  [  0 2-star reviews     ](https://wordpress.org/support/plugin/protect-login/reviews/?filter=2)
 *  [  0 1-star reviews     ](https://wordpress.org/support/plugin/protect-login/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/protect-login/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/protect-login/reviews/)

## Avustajat

 *   [ Simon Kraft ](https://profiles.wordpress.org/krafit/)
 *   [ Thomas Günther ](https://profiles.wordpress.org/tidschi/)

## Tuki

Viimeisen kahden kuukauden aikana ratkaistut ongelmat:

     0 / 2

 [Tukifoorumi](https://wordpress.org/support/plugin/protect-login/)