Everything included, free

Built to Stop Brute Force. Nothing More, Nothing Less.

Four focused features that cover every angle of WordPress login security — rate limiting, URL obfuscation, geographic access control, and IP management.

Rate Limiting

Stop bots cold after too many attempts.

Set a ceiling on login attempts within any time window you choose. Once that ceiling is hit, BruteFort locks the IP out and shows a custom error message — including the exact time they can try again.

Configurable max attempts and time window

IP-level lockout with optional permanent ban

Custom error message with {{locked_out_until}} variable

Learn more about Rate Limiting →

Rate Limit Settings

Max Allowed Attempts

Time Period

minute(s)

Custom Error Message

Too many attempts. Please try again after {{locked_out_until}}.

IP locked out — 43 failed attempts detected

Custom Login URL

Enable Custom Login URL

Turn on to use a custom slug for login.

https://yoursite.com/

my-secret-login

Don’t forget this slug — you’ll need it to log in.

Custom Login URL

If bots can’t find your login, they can’t attack it.

Replace the well-known /wp-login.php path with any secret slug you choose. Bots and scanners target the default URL automatically — change it and you eliminate the majority of attacks before they start.

One toggle, one text field — done in 10 seconds

No .htaccess edits or server configuration needed

Works alongside all other BruteFort protections

Learn more about Custom Login URL →

Geo Blocking

Lock out entire countries — or lock down to just yours.

The vast majority of brute force traffic originates from a handful of countries. BruteFort’s geo blocking gives you two modes: blacklist specific countries, or whitelist only the regions your users actually come from.

Blacklist

Block specific countries. Everyone else gets through.

Whitelist

Allow only your chosen countries. Maximum lockdown.

Learn more about Geo Blocking →

Geo Blocking

Enable Geo Blocking

Turn on to start blocking/allowing countries.

Mode

Blacklist

Whitelist

Select Countries

Select countries…

Note: Relies on external APIs — may not be 100% accurate.

IP Whitelist / Blacklist

WhiteList ▾

eg. 127.0.0.1

Add

TypeIP AddressCreated

Whitelist

27.34.65.31May 27

Blacklist

37.41.97.210May 30

IP Settings

Absolute control over who gets through.

Whitelist your own admin IPs so they’re never accidentally locked out. Blacklist repeat offenders permanently. Every rule you set overrides all other protections — this is the final word.

Persistent whitelist and blacklist across sessions

Searchable table with date filtering and pagination

Overrides rate limits and geo rules for whitelisted IPs

Learn more about IP Settings →

Attack Logs

See every hit. Know every threat.

Every failed login attempt is logged in real time — IP address, attempt count, status, and precise timestamp. Refresh on demand, filter by IP or status, and paginate through the full history.

Real-time refresh button — always up to date

Search by IP, filter by status, sort by date

Adjustable rows per page — 10, 25, 50, 100

Learn more about Attack Logs →

Logs

⟳ Refresh

idStatusIP AddressFails

12Fail45.92.1.572

11Fail45.92.1.571

10Fail37.41.97.21043

Page 1 of 1

Show 10 ▾

FREE WORDPRESS PLUGIN

Every feature. Zero cost. Install in two minutes.

Rate limiting, custom login URL, geo blocking, IP management, and attack logs — all free, all in one plugin.

Install BruteFort on WordPress.org