WordPress Login Security That Never Locks You Out

Progressive rate limiting stops brute force attacks while protecting legitimate users. No instant blocks, no admin lockouts, no downtime.

Understanding WordPress Brute Force Attacks

Brute force attacks attempt thousands of username/password combinations to gain unauthorized access to wp-admin.

How Attacks Work

  1. Automated bots scan for WordPress sites
  2. Try common usernames (admin, user, site name)
  3. Test thousands of password combinations
  4. Attempt 10-100+ logins per minute
  5. Continue until blocked or successful

Why They Succeed

Weak Passwords

Common passwords like password123, admin123, or sitename2024 are cracked instantly.

No Rate Limiting

Without protection, attackers can try unlimited login attempts without consequences.

Predictable Usernames

Default usernames like admin or user reduce the attacker's work by 50%.

How Saurity Protects WordPress Logins

Multi-layered defense using progressive rate limiting, intelligent delays, and fail-safe mechanisms.

1. Per-IP Rate Limiting

Tracks failed login attempts per IP address using a sliding window algorithm. Default: 5 attempts per 10 minutes before throttling begins.

Technical: Uses WordPress transients for high-performance counting without database overhead. Automatically resets after the time window expires.

2. Progressive Delays

After the rate limit threshold is reached, each further failed attempt adds an exponential delay (the base delay doubles with every attempt):

  Attempt 6: 2s delay
  Attempt 7: 4s delay
  Attempt 8: 8s delay
  Attempt 9: 16s delay

Exponential delays make brute force attacks impractically slow while rarely affecting legitimate users.

3. Hard Blocking (Last Resort)

Only after extreme abuse (20+ failed attempts), the IP is temporarily blocked for 1 hour. This is rare and only catches persistent automated attacks.

Note: Hard blocks are deliberately conservative. The goal is deterrence through delays, not aggressive blocking.
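The three steps above, modelled as one in-memory decision function. This is an added illustration, not Saurity's own code: the plugin keeps its counters in WordPress transients, whereas this model keeps them in a dictionary, and the names LoginThrottle and Decision are assumptions. It uses the page's defaults (5 attempts per 600 s, base delay 2 s, hard block at 20 attempts for 3600 s) and fails open if the check itself raises.

```python
from collections import deque
from dataclasses import dataclass

# Defaults taken from the page's settings table.
RATE_LIMIT_ATTEMPTS = 5
RATE_LIMIT_WINDOW = 600       # seconds
HARD_BLOCK_THRESHOLD = 20
HARD_BLOCK_DURATION = 3600    # seconds
PROGRESSIVE_DELAY = 2         # base delay in seconds

@dataclass
class Decision:
    allowed: bool    # False only while a hard block is active
    delay: int       # seconds the next attempt should be delayed
    failures: int    # failed attempts currently inside the sliding window

class LoginThrottle:
    """Constructed model of the per-IP sliding window (real plugin: WordPress transients)."""

    def __init__(self, attempts=RATE_LIMIT_ATTEMPTS, window=RATE_LIMIT_WINDOW,
                 hard_threshold=HARD_BLOCK_THRESHOLD, hard_duration=HARD_BLOCK_DURATION,
                 base_delay=PROGRESSIVE_DELAY):
        self.attempts, self.window, self.base_delay = attempts, window, base_delay
        self.hard_threshold, self.hard_duration = hard_threshold, hard_duration
        self._failures = {}   # ip -> deque of failure timestamps (unix seconds)
        self._blocked = {}    # ip -> unix time at which the hard block expires

    def _prune(self, ip, now):
        q = self._failures.setdefault(ip, deque())
        while q and now - q[0] >= self.window:   # drop failures older than the window
            q.popleft()
        return q

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)

    def record_success(self, ip):
        self._failures.pop(ip, None)   # a successful login clears the counter

    def check(self, ip, now):
        """Decide how to treat the *next* attempt from ip. Fails open on any error."""
        try:
            if self._blocked.get(ip, 0) > now:
                return Decision(False, 0, len(self._failures.get(ip, ())))
            n = len(self._prune(ip, now))
            if n >= self.hard_threshold:                  # last resort: 1 hour block
                self._blocked[ip] = now + self.hard_duration
                return Decision(False, 0, n)
            if n < self.attempts:                         # under threshold: no delay
                return Decision(True, 0, n)
            # attempt 6 -> 2s, 7 -> 4s, 8 -> 8s, 9 -> 16s: base * 2^(n - threshold)
            return Decision(True, self.base_delay * 2 ** (n - self.attempts), n)
        except Exception:
            return Decision(True, 0, 0)                   # fail open, never lock out
```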

Activity Logging

All login attempts (success and failure), throttled requests, and blocks are logged in human-readable format.

Failed login for user 'admin' from IP 192.168.1.1
Login throttled for IP 192.168.1.1 (6 attempts)
IP 192.168.1.100 hard blocked after 25 attempts
Successful login for user 'john'
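A parser and per-IP/per-user summary for the four log line shapes shown above, as an added example rather than part of the plugin. It assumes the lines have exactly the shape printed on the page; the sample log is constructed, not real data. Besides counting, it flags usernames that fail from more than one IP, which per-IP throttling alone does not reveal.

```python
import re
from collections import Counter, defaultdict

# Regexes follow the four line shapes shown on the page (assumed to be exact).
PATTERNS = {
    "failed":    re.compile(r"^Failed login for user '(?P<user>[^']*)' from IP (?P<ip>\S+)$"),
    "throttled": re.compile(r"^Login throttled for IP (?P<ip>\S+) \((?P<n>\d+) attempts\)$"),
    "blocked":   re.compile(r"^IP (?P<ip>\S+) hard blocked after (?P<n>\d+) attempts$"),
    "success":   re.compile(r"^Successful login for user '(?P<user>[^']*)'$"),
}

def parse_line(line):
    """Return (event_kind, fields) or None for a line matching no known shape."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None

def summarize(lines):
    """Aggregate failures per IP, throttles and blocks, and usernames hit from several IPs."""
    failed_by_ip, ips_by_user = Counter(), defaultdict(set)
    throttled, blocked, unparsed = {}, {}, 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1          # count, but never fail on an unexpected line
            continue
        kind, f = ev
        if kind == "failed":
            failed_by_ip[f["ip"]] += 1
            ips_by_user[f["user"]].add(f["ip"])
        elif kind == "throttled":
            throttled[f["ip"]] = int(f["n"])
        elif kind == "blocked":
            blocked[f["ip"]] = int(f["n"])
    spread = {u: len(ips) for u, ips in ips_by_user.items() if len(ips) > 1}
    return {"failed_by_ip": dict(failed_by_ip), "throttled": throttled,
            "blocked": blocked, "spread_users": spread, "unparsed": unparsed}

# Constructed sample log in the page's format (not real traffic).
SAMPLE_LOG = """Failed login for user 'admin' from IP 203.0.113.5
Failed login for user 'admin' from IP 203.0.113.5
Login throttled for IP 203.0.113.5 (6 attempts)
Failed login for user 'admin' from IP 198.51.100.7
IP 203.0.113.9 hard blocked after 25 attempts
Successful login for user 'john'
some unrelated line"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```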

Zero Admin Lockout Guarantee

Multiple fail-safes ensure you always have access to your WordPress admin.

[Figure: Emergency recovery flowchart showing multiple fail-safe mechanisms, including bypass URL, kill switch, and auto-disable protection]

Emergency Bypass URL

Secret URL shown on activation that bypasses all protection. Bookmark it for emergency access.

Global Kill Switch

One-click disable in Settings → SAURITY. Instantly turns off all enforcement without deactivating the plugin.

Auto-Disable Protection

If admin lockout is detected, Saurity automatically disables itself. Your site accessibility comes first.

File System Recovery

Simply rename the plugin folder via FTP/SSH to disable completely. No database changes needed.

Fail-Open Architecture

If Saurity encounters any error or uncertainty, it always fails open (allows access) rather than failing closed (blocking access). This is fundamental to the zero-lockout guarantee.

Frequently Asked Questions

What is WordPress login security?

WordPress login security protects your wp-admin area from unauthorized access using techniques like rate limiting, progressive delays, and IP-based blocking to prevent brute force attacks while maintaining accessibility for legitimate users.

How does Saurity prevent brute force attacks?

Saurity uses progressive rate limiting with exponential delays. After 5 failed attempts in 10 minutes, each subsequent attempt is delayed, starting at 2 seconds and doubling with every further failure. After 20 attempts, the IP is hard-blocked for 1 hour. This stops automated attacks while rarely affecting real users.

Will Saurity lock me out of my WordPress admin?

No. Saurity has a zero admin lockout guarantee with multiple fail-safes: automatic disable on lockout detection, emergency bypass URL, global kill switch, and fail-open architecture. If something goes wrong, Saurity disables itself rather than blocking access.

What is progressive rate limiting?

Progressive rate limiting adds increasing delays after failed login attempts rather than blocking immediately. This approach reduces false positives (legitimate users with typos) while still effectively stopping brute force attacks through exponential time penalties.

How is Saurity different from other WordPress security plugins?

Saurity prioritizes stability over features. Unlike plugins that instantly block IPs or require CAPTCHA, Saurity uses progressive delays, fail-safe architecture, and includes emergency recovery tools. It focuses solely on login security without bloat.

Configurable Settings

All rate limiting parameters are adjustable in Settings → SAURITY.

Rate Limit Attempts

Number of failed attempts before throttling

Range: 1-20 attempts • Default: 5

Rate Limit Window

Time window for counting attempts

Range: 60-3600 seconds • Default: 600 (10 min)

Hard Block Threshold

Attempts before hard blocking IP

Range: 10-100 attempts • Default: 20

Hard Block Duration

How long to block after threshold

Range: 300-86400 seconds • Default: 3600 (1 hour)

Progressive Delay

Base delay for exponential backoff

Range: 1-10 seconds • Default: 2

Kill Switch

Globally disable all enforcement

Toggle: On/Off • Default: Off

Protect Your WordPress Logins Today

Free, open source, and designed to never lock you out. Install Saurity and stop worrying about brute force attacks.