Simple Login Limit & Protect



Simple Login Limit & Protect is a Plugin designed to protect your WordPress site from hackers, crackers and other attackers, with simple configuration and with minimum problems for legitimate users.

Using the same technology used in the most advanced Security Tools, our plugin works as soon as activated, detecting malicious behavior and automatically blocking attackers.

Key Features

  • Behavioral Intelligent Learning, detect the behavior of users to distinguish the bad guys from good guys
  • Really GDPR Compliant (why some others plugins dont comply)
  • Minimum Configuration, just install and dont mind looking for the settings, works out of the box

Behavioral Intelligent Learning

We expect legitimate users to behavior in a certain way. In the other side, hackers usually start with simple commoditized scripts, we studied these scripts and implemented detection rules for them.

We studied attackers techniques such as User Enumeration, Brute Force Attack, the Most Common Passwords Used and developed sensors to these behaviours, identifying the remote user as an attacker.

In the other side, legitimate users normally use the same Provider, with a common Internet browser and in an certain way, we also detect this behaviour and identify them as a good user.

Automatically allow legitimate users to try again

If a legitimate user is blocked due to missing his password, the plugin will inform the user how much time he have to wait before he can try again, minimising support.

On the first missed password tries, the plugin will allow the user to try again in a few minutes with a message, this removes work from the Site Administrator.

If necessary, the user can use the WordPress Lost your password feature to generate a new one if he forgot to not be blocked again.

But if its a hacker that continues to try invalid passwords he will be blocked again for even increased times (limited to 24 hours).

Full list of Features

  • Detect and block malicious users
  • Detect and block Brute Force Attacks
  • Detect User Enumeration Attacks
  • Inform legitimate users if they are blocked
  • Detect if a hacker is not using HTTPS
  • Detect if a hacker is using scripts
  • Detect the most commons attack tools to WordPress sites, such as Hydra, Curl, MetaSploit, Kalil
  • Detect if the attacker is using a password dictionary to guess passwords
  • Block the IP of the attacker
  • Allow a legitimate user to try again after a few minutes
  • If the attacker continues, block again for 30 minutes
  • If the attacker continues, block for 24 hours
  • Counts and inform the Administrator how much attacks has been blocked
  • Detect and works automatically with Sucuri Web Firewall
  • Detect and suggest configuration for Proxies and Load Balancers
  • Detect and block attacks to XMLRPC API (not all plugins do this)
  • Detect attacks to REST API for user enumeration (no other plugin do this)

Installation Instructions

On WordPress Admin Dashboard

  1. Visit Plugins > Add New
  2. Search for Simple Login Limit & Protect. Find and install the plugin
  3. In Plugins > Installed Plugins, click in Activate

Downloading From

  1. Download Simple Login Limit & Protect zip file.
  2. Visit Plugins > Add New in your WordPress Admin Dashboard
  3. Click in Upload Plugin
  4. Click in Choose File, find the downloaded file in your computer
  5. Click in Install Now
  6. In Plugins > Installed Plugins, click in Activate.

Manually via FTP, SFTP

  1. Download Simple Login Limit & Protect zip file.
  2. Unzip and upload the simple-login-limit-protect directory to your /wp-content/plugins/ directory
  3. Enter in your WordPress Admin Dashboard
  4. In Plugins > Installed Plugins, click in Activate.

Demo Video



Just wait the time indicated in WordPress login screen, the system will release your IP again automatically.

You can access from another connection from another provider, for example, using a 3G/4G Network instead of your Wifi.

If you forgot the password and has blocked by this, change the password before trying to access again.

If you can login in MySQL, you can clean the data on table wp_simple_login_limit_protect, this will give you a fresh start.

If you can only access by FTP, you can access the wp-content/plugins folder and delete the folder simple-login-limit-protect, this will uninstall the plugin, you can install the plugin again, while logged, you will not be blocked.

If you cant access by MySQL neither FTP, sorry, there is no backdoor.

We understand that this provides a better protection, since we use Data Blurring to anonymize IP Address, like Google Analytics and other tools.

When Blurring the IP Address we will have a range of IP Address instead of the final IP, for example, if the hacker IP Address was, we will block from to With this, without other data sources you cant identify the original IP Address.

If a hacker tries do disconnect and reconnect to his provider, there is a chance to him to receive an IP Address in the same range, that will be already blocked.

Even if him receive an IP Address of another range, in a few tries his Internet Provider will be full blocked.

This dont prevents him to access content in your site, just to login in administrative area.

We think that this is a good idea, since we prevent more attacks from the same hacker, and, theres only a few chance that your neighbor will be trying to hack in your site.

If you think otherwise, please fill this form with your ideas.

Other reason is that some hackers will be in Europe Union, thus its better to comply to not be at legal risk.

GDPR says that we cant store personal information, with include IP Address, without consent from the user.

Sure, a hacker will not consent to store his information, but we need this information stored to block attackers.

So, a method to do this is using Pseudo Anonymization with Data Blurring.

This is the same technique used by Google Analytics, so, we think we are backed.

They use a technique called hashing to obfuscate the IP Address, normally applying a MD5 Hash Algorithm.

While this works well for unpredictable data such passwords, IP Address are high predictable (there is only 4 billions of them), and thus can be easily reversed.

We explored this theme in a Post in our website, but dont take our word, we referenced others security specialists about it:

Why Hash Dont Anonimize an IP Address and what this affects GDPR

We are planning other modes, we though that was a good idea keep this space reserved for options that are coming soon.

Please, fill this form, we will be happy to help:

Mail us at [email protected]

Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Most Viewed Posts