Login Delay Shield

WordPress is one of the most widely used content management systems on the internet, making it a frequent target for bots and hackers attempting brute-force attacks.

A brute-force attack works by systematically trying passwords until finding the correct one. Login Delay Shield defends against this by adding a configurable delay after each failed login attempt. Since successful logins are never delayed, legitimate users experience no slowdown. This approach is particularly effective against bots that send thousands of login requests, as each failed attempt forces the attacker to wait before trying the next password.

Features:

• Security Setup Wizard — Choose Conservative, Balanced, or Aggressive protection profiles from the settings page
• Login delay — Fixed or random delay on failed login attempts (1-10 seconds)
• Progressive delay — Delay increases with each consecutive failed attempt from the same IP
• IP lockout — Temporarily block IP addresses after too many failed attempts
• Username-aware lockout strategy — Choose IP only or IP + username to reduce false positives on shared networks
• Login feedback — Shows remaining attempts before lockout and a lockout countdown when blocked
• IP whitelist — Bypass all security measures for trusted IPs (supports CIDR notation)
• Email notifications — Receive alerts when failed login thresholds are reached
• Failed login log — Track all failed attempts with a dashboard widget showing recent activity, 7-day trends, and top targeted usernames
• fail2ban logging (optional) — Write fail2ban-compatible failed-login and lockout lines to a safe log file
• XML-RPC protection — Apply delays to XML-RPC authentication or block it entirely
• Password reset protection — Apply delays, lockouts, and logging to password reset submissions without revealing account existence
• Custom login URL — Move the login page to a custom URL to reduce automated bot traffic targeting /wp-login.php
• Log retention — Automatic cleanup of old log entries (configurable retention period)
• Accessible admin interface — WCAG 2.1 compliant with keyboard navigation and screen reader support
• Multilingual — Translated into 18 languages including French, German, Spanish, Japanese, Chinese, Arabic, and more
• Lightweight and compatible with other security plugins

Free means free

Login Delay Shield has no ads, no upsells, no premium tier, and no account or API key requirement. Every admin notice is dismissible, and the plugin never nags you to upgrade — there is nothing to upgrade to.

You can always get back in

A security plugin that locks out its own administrator is worse than no security at all. Login Delay Shield is built so an admin can always recover access:

• Whitelisted IPs (including CIDR ranges) bypass every delay and lockout
• The Active Lockouts manager on the settings page lists current lockouts with a one-click Unlock for each, plus an “Unlock Current IP” action
• WP-CLI recovery commands: wp login-delay-shield unlock-ip <ip> and wp login-delay-shield flush-lockouts
• Lockouts are always temporary (24 hours maximum) — there are no permanent bans

This plugin is not a complete security solution — dedicated security plugins offer more comprehensive protection. However, Login Delay Shield adds an effective layer of defense that works alongside your existing security measures without conflict.

Note: This plugin was formerly known as “WP Login Delay”.

Contribute

Found a bug or want to suggest an improvement? Open a thread in the support forum on WordPress.org.

Want to help translate the plugin into your language? Visit translate.wordpress.org.