BRUTEFORT — RATE LIMITING

Stop Brute Force Attacks Before They Start

Most WordPress sites get hit by thousands of automated login attempts every month. Rate Limiting shuts them down automatically — no manual work, no blocked real users.

Without Rate Limiting

Bots can attempt thousands of password combinations per hour. One weak password and they’re in.

How It Works

BruteFort counts failed login attempts per IP. Once the threshold is hit within your time window, the IP is locked out instantly.

What You Get

Bots get blocked. Real users get a clear error message. You get peace of mind with full control over the numbers.

Configure It Once, Protect Forever

The Rate Limit Settings panel gives you four controls that cover every scenario — from a high-traffic store to a private admin site.

Max Allowed Attempts (default: 5)

How many wrong passwords before an IP is locked out. Default is 5 — low enough to stop bots, high enough that a user who forgets their password won’t get locked out on the first try.

Time Period (rolling window, default: 30m)

The window in which failures are counted. If 5 failures happen within 30 minutes, the IP is blocked. Failures outside that window don’t count — protecting occasional slow typers.

Custom Error Message

The message shown to a blocked IP. Use the {{locked_out_until}} variable to show exactly when they can try again — reduces support tickets from legitimate users who got temporarily locked out.

Enable IP Lockout

Toggle to record blocked IPs persistently. Blocked IPs stay locked out until the period expires or you remove them from IP Settings — prevents the same bot from trying in the next window.
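
The sketch below models how the four controls interact, with IP lockout enabled. It is an added example, not BruteFort's own code: the class and method names are hypothetical, and it assumes a lockout lasts one window length from the failure that triggered it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginRateLimiter:
    """Illustrative per-IP failed-login limiter; not BruteFort's own code."""
    def __init__(self, max_attempts=5, window=timedelta(minutes=30),
                 message="Too many failed logins. Try again at {{locked_out_until}}."):
        self.max_attempts = max_attempts      # "Max Allowed Attempts"
        self.window = window                  # "Time Period (rolling window)"
        self.message = message                # "Custom Error Message"
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> expiry ("Enable IP Lockout" on)

    def check(self, ip, now):
        """Call before checking the password. Returns (allowed, error_message)."""
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            shown = until.strftime("%Y-%m-%d %H:%M")
            return False, self.message.replace("{{locked_out_until}}", shown)
        self.locked_until.pop(ip, None)       # lockout expired or never set
        return True, ""

    def record_failure(self, ip, now):
        """Call after a wrong password. Returns True if this failure locks the IP."""
        recent = self.failures[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                  # failures outside the window don't count
        recent.append(now)
        if len(recent) < self.max_attempts:
            return False
        # Assumption: the lockout lasts one window length from the last failure.
        self.locked_until[ip] = now + self.window
        recent.clear()
        return True

    def unblock(self, ip):
        """Manual removal, as an admin would do from an IP list."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def demo():
    """Constructed scenario: a slow typer stays under the limit, a bot is locked out."""
    rl, t0 = LoginRateLimiter(), datetime(2024, 1, 1, 12, 0)
    user, bot = "198.51.100.7", "203.0.113.9"   # documentation-range IPs
    slow = [rl.record_failure(user, t0 + timedelta(minutes=10 * i)) for i in range(6)]
    fast = [rl.record_failure(bot, t0 + timedelta(seconds=i)) for i in range(5)]
    return rl, slow, fast, rl.check(bot, t0 + timedelta(minutes=1))
```

In the constructed scenario, six failures spaced ten minutes apart never put five inside one 30-minute window, while five failures in five seconds lock the second IP out until the shown time.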

Quick Facts

Default limit: 5 attempts
Default window: 30 minutes
Available in: Free + Pro

Your Site Gets Attacked Every Day. Are You Protected?

Rate Limiting is included in the free version of BruteFort. Install it in under 2 minutes.