Rate Limiting

Set the rules. BruteFort enforces them.

Define your maximum login attempts, the time window they’re measured across, and exactly what happens when a bot crosses the line. Every setting is live the moment you hit save.

Default max attempts: 5
Default lockout window: 30m
Block latency on trigger: 0ms

Settings tabs: Rate Limit Settings, Custom Login URL, Geo Blocking

General Rate Limits
Control how many login attempts are allowed.
Max Allowed Attempts: 5
Time Period: 30 minute(s)
Custom Error Message: Too many attempts. Please try again after {{locked_out_until}}.

Lockout Settings
Configure IP lockout behavior after failed attempts.
Enable lockout

THE PROTECTION FLOW

What happens when a bot hits your login

1. Login attempt received
A visitor submits credentials. BruteFort intercepts the request and checks the IP’s attempt history against your configured window.

2. Attempt counter increments
Each failed login adds 1 to that IP’s count. The count resets automatically after your configured time period has elapsed.
Example counter: 3 of 5 attempts used

3. Threshold crossed: IP blocked
The 5th failed attempt triggers the block. The IP is locked out immediately and cannot submit the form again until the window expires.
Example message: Too many attempts. Please try again after June 1, 2026 10:32 AM.

4. Logged and monitored
The blocked attempt is written to the Attack Logs with IP, timestamp, and attempt count. Review, search, and act on it at any time.

Every setting, explained

Three fields. Infinite combinations. Here’s exactly what each one does.

Max Allowed Attempts

The number of failed logins an IP can make before being blocked. The default of 5 stops most bots. Set it lower (1–3) for maximum security, or higher for sites with forgetful users.

Time Period

The rolling window in which attempts are counted, which is also the lockout duration. After this period, the IP’s counter resets and it may try again. 30 minutes is the recommended default.

Custom Error Message

The message shown to a locked-out IP. Use {{locked_out_until}} anywhere and BruteFort replaces it with the exact timestamp when the lockout expires. Supports plain text only.
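
The per-IP counter, lockout and {{locked_out_until}} substitution described above, modelled as an added Python example that is not BruteFort's own code. The class and method names are hypothetical, and it assumes the window opens at an IP's first failed attempt, the lockout lasts one Time Period from the triggering attempt, and the message is HTML-escaped to keep it plain text.

```python
import html
from datetime import datetime, timedelta

class LoginLimiter:
    """Per-IP failed-login limiter. Illustrative only, not BruteFort's code."""

    def __init__(self, max_attempts=5, period=timedelta(minutes=30),
                 message="Too many attempts. Please try again after {{locked_out_until}}."):
        self.max_attempts, self.period, self.message = max_attempts, period, message
        self.state = {}       # ip -> [count, window_start, locked_until]
        self.attack_log = []  # (ip, timestamp, attempt count), as in step 4

    def _entry(self, ip, now):
        e = self.state.get(ip)
        # Assumption: an unlocked counter resets once the period has elapsed
        # since the window opened; a locked one resets when the lockout ends.
        expiry = None if e is None else (e[2] or e[1] + self.period)
        if e is None or now >= expiry:
            e = self.state[ip] = [0, now, None]
        return e

    def render(self, until):
        # Escape first: the admin-supplied template is treated as plain text.
        stamp = f"{until:%B} {until.day}, {until:%Y %I:%M %p}"
        return html.escape(self.message).replace("{{locked_out_until}}", stamp)

    def check(self, ip, now):
        """Call before authenticating. Returns a lockout message, or None."""
        count, _, locked_until = self._entry(ip, now)
        if locked_until is None:
            return None
        self.attack_log.append((ip, now, count))  # blocked attempt is logged
        return self.render(locked_until)

    def record_failure(self, ip, now):
        """Call after a failed login. Returns a message if it triggers the block."""
        e = self._entry(ip, now)
        if e[0] == 0:
            e[1] = now  # assumption: the window opens at the first failure
        e[0] += 1
        if e[0] < self.max_attempts:
            return None
        e[2] = now + self.period
        self.attack_log.append((ip, now, e[0]))
        return self.render(e[2])
```

Timestamps are passed in explicitly so the window and lockout boundaries can be exercised without waiting on a real clock.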

Rate limiting active in under 60 seconds.

Install the plugin, set your numbers, hit save.