Comments (22 responses)

  1. Peter says:

    Hi, happy user of the security plugin, it makes life a lot easier. Two remarks:
    1 – WP has one problem when hosted: the 404 page depends on a page being generated from inside WP. A random hit like “” will yield the default Apache/hosting platform page. As the plugin rewrites the .htaccess anyway, it could be interesting if there was an option to divert any 404 to a specific page (now featured in most themes).

    2 – for extra login security, consider the Google Authenticator plugin (I use the Henrick Schack version). This adds a password to any login which changes every 30 seconds and once you set up the Google Authenticator app on a smartphone with your site details it will give you this password (it’s very easy – works with a barcode you scan from the screen), or for those with Firefox on the desktop, get the GAuth extension.

    Cheers, Peter

  2. admin says:

    @Jose, This other one doesn’t use any cookie. This one changes the WP Admin login URL of your site. Yes you can enable both these brute force prevention methods together on a site.

  3. Jose Luis Yañez says:

    Hello there,

    I have just seen the newly added Brute-Force feature in this last update of this week and I am wondering if you please could help me clarify its use and difference with the cookie-based brute-force prevention feature.

    More specifically I would like to know if this new brute-force feature (non-cookie based) can be used in a membership site, as I cannot use the cookie-based one . And if so, what should I take into account to make sure this does not affect negatively the login of current members.

    And second, for a non-membership site, where the cookie-based feature is already in place, can this new one non cookie-based feature be added as well? can be both working together, so to speak? does it make sense? or is one or the other?

    Many thanks for your help and congratulations for this amazing plugin.


  4. José Luis Yañez says:

    I see, thank you very much for your replay. I appreciate it.



  5. admin says:

    @Jose, You won’t be able to use the cookie based brute force login prevention feature if you are setting up a membership site that needs access to the wp-admin/login area by other users.

  6. Jose Luis Yañez says:

    Hello there,

    I am testing this plugin on a local installation and I’m loving it. Just a question about the Cookie Based Brute Force Login Attack’ Prevention Feature: I am using a membership plugin (Fastmember)…how can I avoid member users trying to log in to be redirected to the redirection url set up with this feature?



  7. admin says:

    Hi Brian, Give me the URL of your site so I can check and make sure the brute force prevention feature is working correctly on your site. If you are using the cookie based bruteforce prevention feature then you actually do not need the login lockdown feature so you can turn this option off.

  8. Brian says:


    Thanks you for this fantastic plugin, it is amazing.

    I do have one questions. I have been seeing multiple site lockout notifications for my site recently from a whole range of IP addresses. The messages are always something like this:
    lockdown event has occurred due to too many failed login attempts or invalid username:
    Username: whatever
    IP Address:

    IP Range: 125.26.14.*

    Log into your site’s WordPress administration panel to see the duration of the lockout or to unlock the user.

    I enabled cookie-based brute force protection as I was getting nervous, but since I enabled it, I am still getting site lockout notices. I wondering how can that be if they need the cookie/secret URL to attempt to log in?


  9. khyriana says:

    Yes thank you very much, it works. I’ll read your page.
    Have a nice day

  10. admin says:

    @Khyriana, Restore your htaccess file and you should be good. Please take a look at the FAQ section from the following page (there is a tutorial for restoring the htaccess file)

  11. khyriana says:

    I can not get into my admin, what should I do?
    Thank you in advance
    Best Regards

  12. admin says:

    @Bradley, As long as you use the special URL (given to you when you setup this feature), you will be fine. The plugin will drop the cookie when you try to access the admin login screen using that secret code.

  13. Bradley Millar says:

    What if I reset my browser cache and all cookies are deleted? How do I regain access to my site?

  14. admin says:

    @Teo, The brute force login prevention feature basically stops anyone but the admin (who knows the secret key) from accessing the wp login page. If you are running a membership site that uses wordpress’s build in login page for authentication then you can’t use this feature. The whole purpose of the feature is to stop anything from going to your wp-login form. See what I mean?

  15. Teo says:


    Thank you for sharing this plugin. Please take a look at the “Brute Force Prevention Firewall Settings”, it seems to be a problem for users to access their own profile, they are redirected to the URL address set in plugin instead of seeing the account data.

    Thank you

  16. Bilal says:

    one of the BEST Security Plugin i have used in last few years, my site’s were under eval(…) attack and going to some junk URLs..
    after i finished cleaning up my site’s, i installed WP Security Plugin and wow..
    today i got around 60 emails, letting me know my site is under brute attack, failed login attempts are recorded, i didnt enabled brute force attack on these sites because i am using iwp (site management plugin) which failed to login after i enabled brute attack feature..
    anyhow i just Enabled Cookie Based Brute Force Login Attack Feature and you know.. from last 40 minutes ( 0 ) attempt of login at site is detected.

    Great to know you people done this great plugin for the WordPress Community.

    The other features i wanted to see in this great plugin in future will be:

    1. force all users to change passwords after specified number of days.
    2. Not just renamed the admin username to something but to change ID of the user too (ID 1 for the admin should also to be changed to new ID)
    3. Display name of the author tip is good but even changing Display name leaves URL of the author to be the username, a feature where users archive page accessed under his display name instead of username.

    well these are currently in my mind… but let me tell you that you people already save a lot for me. Great Work.

  17. Tore Lunden says:

    Thank you for a very nice and FREE plugin!

    I installed it on a MULTI-SITE today, and had an issue:

    When i change the admin_user name (as recommended), the database table “site_meta” did not change the “site_admins” value.
    Therefor I was locked out from the Site-admin Dashboard.

    After trying almost everything else , I finally discovered the issue and changed the value manually.
    Now it works perfectly.

    See if the plugin has that bug, or if it was me who messed up while messing around?

    Thanks again! 🙂

  18. admin says:

    @Tony, I did a test but didn’t see the issue. What version of the security and the affiliate plugin are you using?

  19. Tony says:

    I see a problem with the Affiliate plugin
    When the Enable 5G Firewall Protection is on
    It’s stopping people from signing up.

    Getting a 403

  20. Pam Preslar says:

    Thanks Tips and Tricks for the terrific plug in and the awesome documentation!

    I have been so bugged by my site bogging down inexplicably. Now, not only do I know why that was happening, but I also have eliminated it!

    And for free! You are very kind people!

    Cheers, Pam

  21. admin says:

    Hi Barney, When you say “new” are you referring to the backup that it creates? It would be helpful to know what action is causing the server to throw the 500 error. Your server log will have more details on why this error was thrown. Can you try to find out the reason by looking at your server log?

  22. Barney Davey says:

    First, thank you for creating this plug-in. I love it and appreciate your generosity in making it free. I am now having an issue when I try to add IP address to the Blacklist manager. Every time I do this, it creates a new .htacess file that causes a 500 errot on the site. I have to rename the plugin and htacess file to be able to login. A new basic htacess gets created, but it is lacking the features you put in with the plugin.
    Thanks, again!

Speak Your Mind