1. Blair, I trust your plug-ins b/c pretty link is so AWESOME. We implemented a different unique strategy to stop attacks… but we’ll lose it every time we update WordPress… Oh well. What are you doing to prevent comment spam? I noticed you don’t even have a captcha here…???

    • I just use Akismet … it works great.

      I’m not a huge fan of captchas … so I’ll generally take whatever measure I can before I resort to using them. 🙂

    • OK. Thank you for the reply. I do use Akismet, but still feel I have to sift through the spam comments in case a legit comment got trapped in there. Oh well. O.C.D. I guess. Thank you for making awesome plugins.

  2. Very helpful, thank you

  3. You’re always looking out for me! We’re up and running.

  4. Blair, many thanks, we have been victims of several attacks over the last months so we will be deploying this plugin tomorrow. Many thanks for sharing and taking the time to produce this.

    Cheers from the UK!


  5. Thanks Blair, I will be trying this too. I use Akismet for spam comments but you have to manually send them all to spam. Very annoying! Any ideas? I set up another plug-in to prove you’re not a robot but prefer not to have it, like you. Keep up your hard work. Love my pretty link. Cheers

    • I don’t actually have a solution that will automate comment spam more effectively than Akismet … there is a technique that can be used called a honeypot field that is typically very effective (in my experience, just as effective as a captcha) but is completely transparent to the user. I’m not sure if any plugins exist that add something like this already but it’s a great idea.
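
The honeypot field mentioned in the reply above, sketched for the WordPress comment form. This is an added example, not part of the original comments and not code from Akismet or WP Login Protector; the field name and the `example_hp_*` function names are hypothetical.

```php
<?php
// Hypothetical decoy field name. Avoid names a browser might autofill
// (email, url, phone), which would trip the check for real visitors.
const EXAMPLE_HP_FIELD = 'example_leave_blank';

// Print the decoy inside the comment form. It is a normal text input moved
// off-screen, not type="hidden", so it looks like a real field to a script
// that fills in every input it finds.
function example_hp_render() {
    printf(
        '<p style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<label>Leave this field empty '
        . '<input type="text" name="%s" value="" tabindex="-1" autocomplete="off">'
        . '</label></p>',
        esc_attr( EXAMPLE_HP_FIELD )
    );
}
add_action( 'comment_form', 'example_hp_render' );

// True when the decoy came back with anything in it. A non-string value
// (for example an array) also counts, since the form never sends one.
function example_hp_tripped( array $post ) {
    $value = $post[ EXAMPLE_HP_FIELD ] ?? '';
    return ! is_string( $value ) || '' !== trim( $value );
}

// Reject the comment before it is stored. Trackbacks and pingbacks do not
// come from the form, so only ordinary comments are checked.
function example_hp_check( $commentdata ) {
    $type = $commentdata['comment_type'] ?? '';
    if ( in_array( $type, array( '', 'comment' ), true ) && example_hp_tripped( $_POST ) ) {
        wp_die( 'Comment rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_hp_check', 1 );
```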

  6. We’re using PrettyLink which we love, will look to add this new plugin. Thanks!

  7. Thanks for the share of this brute force deterrent, I hope I never need it but glad to know it’s in force and ready for action if attacked.

    • Thanks… However, sometimes in the midst of an attack you may not be able to do much with your site at all so it may be best to install this plugin *before* you get attacked.

  8. I used Hostgator’s method of creating a new .wpadmin file and then adding some script to the .htaccess file. Now I have to go through 2 layers of authentication manually on every WP site on my first login. Would I still need your plugin? Would I still need to go through the extra level of security manually? Would they conflict if I have both? Thx in advance.


    • WP Login Protector will give you 3 options for protecting the wp-login.php script on your site … the most extreme (and bulletproof) is effectively the same as what you have setup through your web server right now (but with WP Login Protector there is no need to alter your apache files whatsoever, it can just add the second layer of basic authentication automatically). So my advice is to stick with what you have unless you’re having issues with some of the functionality on the front end of your site — or really can’t stand entering in credentials twice.

  9. I enabled “Basic Authentication” but have no clue what log in credentials to use… my WP credentials are Not accepted.

    Do we need to make some new credentials in an .htaccess file?

    This point is absent in your documentation.

    Please Help clear this up.


    • Hmm … No need to make an .htpassword file or anything like that. It should use your WP credentials currently.

      It uses WordPress’ built in wp_authenticate method.
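
How a Basic Authentication prompt in front of wp-login.php can be checked against WordPress accounts with `wp_authenticate`, as an added example that is not part of the original comments and is not WP Login Protector's own code; the `example_*` function names and the choice of the `login_init` hook are assumptions. It also reads the raw `Authorization` header, which is where the credentials arrive when PHP runs as CGI/FastCGI and does not fill `PHP_AUTH_USER`.

```php
<?php
// Return array( username, password ) from the request, or null if absent.
function example_basic_credentials( array $server ) {
    if ( isset( $server['PHP_AUTH_USER'] ) ) {
        return array( $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? '' );
    }
    // Fallback: decode the header by hand when the web server passes it on.
    foreach ( array( 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION' ) as $key ) {
        if ( isset( $server[ $key ] ) && 0 === stripos( $server[ $key ], 'Basic ' ) ) {
            $decoded = base64_decode( substr( $server[ $key ], 6 ), true );
            if ( false !== $decoded && false !== strpos( $decoded, ':' ) ) {
                // WordPress slashes $_SERVER at bootstrap; slash the decoded
                // pair too so both paths hand wp_authenticate the same form.
                return wp_slash( explode( ':', $decoded, 2 ) );
            }
        }
    }
    return null;
}

// Ask for Basic credentials before the login form is shown and accept
// only a username/password that WordPress itself accepts.
function example_basic_auth_gate() {
    $creds = example_basic_credentials( $_SERVER );
    if ( null !== $creds ) {
        $user = wp_authenticate( $creds[0], $creds[1] );
        if ( ! is_wp_error( $user ) ) {
            return; // Valid WordPress account: continue to the login form.
        }
    }
    header( 'WWW-Authenticate: Basic realm="WordPress login"' );
    status_header( 401 );
    exit;
}
add_action( 'login_init', 'example_basic_auth_gate' );
```

If neither `PHP_AUTH_USER` nor an `Authorization` header reaches PHP, a gate like this prompts forever regardless of the password entered, so checking what `$_SERVER` contains on the host is the first diagnostic step.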

    • Blair

      Thank you for replying. I would REALLY like to use your plugin but it refuses to play nice with my WP installation.

      If you contact me Via the email I used for this post I’ll send you log in credentials so you can check it out.

      I LOVE the idea of this plugin’s functions and would really like to put it into service. Sadly it’s not working presently.


    • Okay, after looking at the setup on your site I believe that the issue has to do with either a plugin or a web host conflict. You have numerous security and caching mechanisms (BPS Security, Better WP Security, CloudFlare, W3 Total Cache … to name a few) in place … WP Login Protector hasn’t been tested with all of these and assumes a pretty standard .htaccess configuration and caching setup. I did find, however, that the post protection in WP Login Protector *does* appear to work just fine with your setup … so at the very least, you can turn that on … otherwise you may have to disable some of these other plugins to see what the culprit is.

    • Blair

      Thanks for the info. I’m very sensitive to security and always want to implement every possible measure to eliminate the potential for hacking / brute force attacks. This is the reason that I’m so interested in WP Login Protector.

      Hopefully WP Login Protector will mature to fully work with the other security plugins out there.


    • Haha … that probably won’t happen. WP Login Protector is, by design, an exceptionally lightweight plugin. I don’t plan on expanding it too much (other than patches that become necessary over time).

      The plugins you’re running are much more complex … and some of them (which I have seen in the wild) will have you significantly change your .htaccess file and can alter the way WordPress behaves at a fundamental level. Frankly, I was surprised (and a bit impressed) to see your site working at all … no offense … I’d just expect that you’d have massive conflicts running all those heavy security plugins simultaneously (for example, I wouldn’t expect my plugin MemberPress to work alongside another membership plugin). However I’m not sure that this is your problem running this plugin … It appeared that your requests were being proxied (perhaps through cloudflare?) … I’m pretty sure that’s the reason the HTTP filtering doesn’t work … and possibly why the Basic Auth doesn’t work with the plugin for you.

      I’m sorry the plugin didn’t work for you though … as I said above, it has been tested in a fairly standard WordPress environment. I can’t guarantee that it will work with every theme, plugin or hosting configuration in the world. But I can say that this plugin is a lightweight, clean and effective approach to preventing a brute force attack for the majority of WordPress websites out there…

  10. Alex Miller says:

    Personally, I also like to add this to the bottom of the plugin (before the redirect function though) so that it saves on some server overhead (admittedly, not much). Of course you can never have a username “admin” but why would you when it’s the most common tried username?

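    // Disallow all 'admin' users
    function no_admin( $user, $username, $password ) {
        if ( $username == 'admin' ) {
            // The statement for this branch is missing from the comment as posted.
        }
        return $user;
    }
    // Run after WordPress' own authenticate callbacks (priority 30, 3 arguments).
    add_filter( 'authenticate', 'no_admin', 30, 3 );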

  11. HowdyMcGee says:

    I was running into problems with “Password Protected” posts in wordpress where it would hit this plugin and return a 403. I added this to the bottom of the plugin and it seems to work fine now:

    function wlp_forbidden() {
        // Send a 403 status line; the rest of the function is cut off in the comment as posted.
        header( "HTTP/1.0 403 Forbidden" );
    }

  12. Robert Dempsey says:

    Will this work on wp 3.8 as well Blair? I have not tested it there as yet. Wondering if you have as yet?

  13. Being the lazy admin that I am, and I like the WP Repository, are you planning on getting your plugin added to it any time soon?

  14. Hello Blair,
    First of all I’d like to thank you for this wonderful plugin. Unfortunately, I’ve managed to lock myself out of my main site after I activated all 3 levels, and then inadvertently changed the admin password with Lastpass. It won’t let me do a password reset as the extra login panel keeps popping up as soon as I click the lost password link. Not quite sure how to get myself out of this pickle, any advice would surely be appreciated. If it’s not possible, I think this would probably be a good time to go back to a flat html site again!
    Thank you and best regards,

  15. I have had many of these kinds of attacks on my wp sites and it is extremely frustrating. I’m deploying this asap. Thanks a lot.

  16. While this Plugin is great, I just wish the ‘Basic Authentication’ worked. I enable it and try to log out to test it and it prompts me for username / password, no big deal except that it never really authenticates. I’ll use the correct username / password but it never evaluates to true. At first I thought it was my plugins or my theme but even when I try a fresh install with Twenty Thirteen theme it still has the same negative result.