
CloudScale Plugin Help / CloudScale Cyber and Devtools – Free WordPress Security, AI Penetration Testing & Developer Toolkit

Brute-Force Protection

Locks an account temporarily after a configurable number of consecutive failed login attempts. Protection is per-username rather than per-IP, so distributed attacks spread across thousands of IP addresses are blocked just as effectively as single-source attacks.

[Screenshot: WordPress brute force login protection with account lockout and username enumeration blocking]

🔒 Stop Credential-Stuffing Attacks at the Login Form

Automated bots try thousands of username/password combinations against every reachable WordPress login page. Brute-force protection locks an account after a configurable number of failed attempts, making mass credential-stuffing attacks economically unviable – the attacker’s bot moves on to the next target.

The lockout works per username, not per IP address. This is the critical difference from IP rate limiting: a distributed attack that uses 10,000 different IP addresses (a botnet) is blocked just as effectively as a single-machine attack, because both produce failed attempts against the same target username. Once the threshold is crossed, that account is locked for the configured duration regardless of how many IPs are trying.

Settings

  • Maximum login attempts: consecutive failures before lockout. Default is 5. Lower to 3 for maximum security; raise to 10 if legitimate users frequently mistype passwords and you receive lockout support requests.
  • Lockout duration: how long the account is blocked. Default is 10 minutes – enough to defeat most automated scripts. For admin-only sites with no public users, 60 minutes or longer adds significant friction to targeted attacks.
  • Account enumeration protection: WordPress normally reveals whether a username exists via different error messages (“username not found” vs “wrong password”). Enabling this makes both errors return the same generic message, removing a reconnaissance tool attackers use to build target lists. There is no downside to enabling this.

Unlocking a locked account

If a legitimate user is locked out, you can clear their lockout immediately from the SQL Query Tool or WP-CLI without waiting for the timeout to expire:

DELETE FROM wp_options WHERE option_name LIKE 'csdt_devtools_lockout_%';

This clears all active lockouts. To clear a specific username: replace % with the exact username (e.g. csdt_devtools_lockout_johndoe).
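As an added illustration (Python, not the plugin's own PHP), the following models the per-username lockout described above and the unlock step from this section, using the plugin's default threshold and duration, a constructed user table, and an in-memory dict standing in for the wp_options rows named csdt_devtools_lockout_<username>; the usernames, IPs and password are constructed sample values.

```python
import time

MAX_ATTEMPTS = 5            # plugin default "Maximum login attempts"
LOCKOUT_SECONDS = 10 * 60   # plugin default "Lockout duration" (10 minutes)
GENERIC_ERROR = "Invalid username or password."  # same text whether or not the user exists

USERS = {"johndoe": "correct horse battery staple"}  # constructed user table (plaintext only for the simulation)
lockouts = {}  # stand-in for wp_options rows named csdt_devtools_lockout_<username>

def option_name(username):
    return f"csdt_devtools_lockout_{username}"

def attempt_login(username, password, source_ip, now=None):
    """Return (success, message). The failure counter is keyed by username, never by source_ip."""
    now = time.time() if now is None else now
    key = option_name(username)
    rec = lockouts.get(key)
    if rec and rec["locked_until"]:
        if now < rec["locked_until"]:
            return False, GENERIC_ERROR   # locked: even the correct password is rejected
        rec = None                        # lock has expired: start a fresh counter
    if USERS.get(username) == password:
        lockouts.pop(key, None)           # success clears the consecutive-failure counter
        return True, "OK"
    # Unknown usernames are counted too, so the response is identical for real and fake accounts.
    failures = (rec["failures"] if rec else 0) + 1
    locked_until = now + LOCKOUT_SECONDS if failures >= MAX_ATTEMPTS else 0
    lockouts[key] = {"failures": failures, "locked_until": locked_until}
    return False, GENERIC_ERROR

def clear_lockout(username=None):
    """Equivalent of the DELETE above: all lockout rows, or exactly one username."""
    if username is None:
        lockouts.clear()
    else:
        lockouts.pop(option_name(username), None)

def simulate_distributed_attack(now=0.0):
    """Five wrong guesses at one username from five different IPs, then the real password."""
    clear_lockout()
    for i in range(MAX_ATTEMPTS):
        attempt_login("johndoe", f"guess{i}", f"198.51.100.{i}", now)   # one attempt per botnet node
    still_locked = not attempt_login("johndoe", USERS["johndoe"], "203.0.113.9", now)[0]
    rows = len(lockouts)                                                  # one row, for the one username
    ok_after_expiry = attempt_login("johndoe", USERS["johndoe"], "203.0.113.9", now + LOCKOUT_SECONDS)[0]
    return {"locked_out": still_locked, "rows": rows, "ok_after_expiry": ok_after_expiry}
```

Note that `_` is a single-character wildcard in SQL LIKE, so when clearing one username with the query above, `WHERE option_name = 'csdt_devtools_lockout_johndoe'` is the exact-match form (clear_lockout here deletes by exact key).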
