Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Security & Risk Analysis

wordpress.org/plugins/limit-attempts

Protect your WordPress website from brute force attacks by limiting the number of failed login attempts. Improve security and stop bots.

4K active installs · v1.3.2 · PHP + WP 6.2+ · Updated Jan 9, 2026
Tags: failed-attempts, limit-attempts, limit-login-attempts, login, security
Score: 97 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Mar 28, 2024
Safety Verdict

Is Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Safe to Use in 2026?

Generally Safe

Score 97/100

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Mar 28, 2024 · Updated 2mo ago
Risk Assessment

The 'limit-attempts' plugin version 1.3.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding its attack surface, with all identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) appearing to have authorization checks in place. The code also shows a strong adherence to output escaping standards, with 97% of outputs being properly handled, and a commendable 70% of SQL queries utilizing prepared statements. Nonce and capability checks are also present, indicating an awareness of common WordPress security mechanisms.

However, several areas raise concerns. The presence of 10 high-severity taint flows with unsanitized paths is a significant red flag, suggesting potential vulnerabilities that could be exploited. While no critical or high severity CVEs are currently unpatched, the plugin has a history of 3 known CVEs, including one critical, indicating past weaknesses in secure coding. The specific vulnerability types (XSS and SQL Injection) also align with the concerns raised by the taint analysis. The 12 flows with unsanitized paths also contribute to the overall risk.

In conclusion, while the plugin has strengths in its controlled attack surface and output escaping, the high number of high-severity taint flows and its past vulnerability history necessitate caution. The presence of unsanitized paths in taint flows is a direct indication of potential injection vulnerabilities, and the historical data suggests a pattern that requires ongoing vigilance. Addressing the high-severity taint flows is paramount to improving the plugin's security.

Key Concerns

  • 10 high severity taint flows
  • 12 flows with unsanitized paths
  • Total 3 known CVEs, 1 critical
  • Common vulnerability: SQL Injection
  • Common vulnerability: Cross-site Scripting
Vulnerabilities: 3

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2017: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • Critical: 1
  • Medium: 2
  • Total: 3 CVEs

CVE-2024-30439 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Limit Attempts by BestWebSoft <= 1.2.9 - Reflected Cross-Site Scripting

Mar 28, 2024 · Patched in 1.3.0 (7d)

WF-3eb4b3e7-6aad-4201-b48b-c8d788eb8acf-limit-attempts · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Limit Attempts by BestWebSoft < 1.1.8 - Reflected Cross-Site Scripting

Apr 12, 2017 · Patched in 1.1.8 (2477d)

CVE-2015-9335 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms < 1.1.1 - SQL Injection

Oct 9, 2015 · Patched in 1.1.1 (3028d)

Code Analysis
Analyzed Mar 16, 2026

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 32 (75 prepared)
  • Unescaped Output: 24 (859 escaped)
  • Nonce Checks: 42
  • Capability Checks: 5
  • File Operations: 3
  • External Requests: 6
  • Bundled Libraries: 0

SQL Query Safety

70% prepared · 107 total queries

Output Escaping

97% escaped · 883 total outputs

Data Flows: 12 unsanitized

Data Flow Analysis

25 flows · 12 with unsanitized paths
lmtttmpts_display_list (includes\edit-list-form.php:17)
Attack Surface

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 3

  • auth · wp_ajax_bws_submit_request_feature_action (bws_menu\class-bws-settings.php:1466)
  • auth · wp_ajax_bws_submit_uninstall_reason_action (bws_menu\deactivation-form.php:433)
  • auth · wp_ajax_lmtttmpts_restore_default_message (limit-attempts.php:1835)

WordPress Hooks 32

  • filter · load_textdomain_mofile (bws_menu\bws_functions.php:43)
  • filter · mce_external_plugins (bws_menu\bws_functions.php:1146)
  • filter · mce_buttons (bws_menu\bws_functions.php:1147)
  • action · admin_init (bws_menu\bws_functions.php:1433)
  • action · admin_enqueue_scripts (bws_menu\bws_functions.php:1434)
  • action · admin_head (bws_menu\bws_functions.php:1435)
  • action · admin_footer (bws_menu\bws_functions.php:1436)
  • action · admin_notices (bws_menu\bws_functions.php:1438)
  • action · wp_enqueue_scripts (bws_menu\bws_functions.php:1440)
  • action · after_signup_form (includes\front-end-functions.php:949)
  • filter · authenticate (includes\front-end-functions.php:1077)
  • filter · allow_password_reset (includes\front-end-functions.php:1078)
  • filter · registration_errors (includes\front-end-functions.php:1079)
  • action · login_head (includes\front-end-functions.php:1080)
  • action · signup_header (includes\front-end-functions.php:1081)
  • filter · cntctfrm_check (includes\front-end-functions.php:1084)
  • action · wpmu_new_blog (limit-attempts.php:1815)
  • action · delete_blog (limit-attempts.php:1816)
  • action · plugins_loaded (limit-attempts.php:1817)
  • action · admin_menu (limit-attempts.php:1819)
  • action · init (limit-attempts.php:1820)
  • action · admin_init (limit-attempts.php:1821)
  • action · admin_head (limit-attempts.php:1822)
  • action · admin_enqueue_scripts (limit-attempts.php:1823)
  • filter · set-screen-option (limit-attempts.php:1824)
  • filter · plugin_action_links (limit-attempts.php:1825)
  • filter · plugin_row_meta (limit-attempts.php:1826)
  • action · lmtttmpts_event_for_reset_failed_attempts (limit-attempts.php:1829)
  • action · lmtttmpts_event_for_reset_block (limit-attempts.php:1830)
  • action · lmtttmpts_event_for_reset_block_quantity (limit-attempts.php:1831)
  • action · lmtttmpts_daily_statistics_clear (limit-attempts.php:1832)
  • action · admin_notices (limit-attempts.php:1833)

Scheduled Events 10

lmtttmpts_daily_statistics_clear
lmtttmpts_event_for_reset_failed_attempts
lmtttmpts_event_for_reset_block_quantity
lmtttmpts_event_for_reset_block
lmtttmpts_event_for_reset_failed_attempts
lmtttmpts_event_for_reset_block_quantity
lmtttmpts_event_for_reset_block
lmtttmpts_daily_statistics_clear
lmtttmpts_daily_statistics_clear
lmtttmpts_event_for_reset_block
Maintenance & Trust

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 9, 2026
PHP min version
Downloads: 191K

Community Trust

Rating: 92/100
Number of ratings: 37
Active installs: 4K
Developer Profile

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms Developer Profile

bestwebsoft

17 plugins · 207K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1729 days
Detection Fingerprints

How We Detect Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/limit-attempts/css/style.css
  • /wp-content/plugins/limit-attempts/css/admin-style.css
  • /wp-content/plugins/limit-attempts/js/script.js
  • /wp-content/plugins/limit-attempts/js/admin-script.js

Script Paths
  • /wp-content/plugins/limit-attempts/js/script.js
  • /wp-content/plugins/limit-attempts/js/admin-script.js

Version Parameters
  • ver=1.3.2

HTML / DOM Fingerprints

CSS Classes
  • lmtttmpts_settings_block
  • lmtttmpts_table
  • lmtttmpts_table_th
  • lmtttmpts_table_td
  • lmtttmpts_deny_allow_ip
  • lmtttmpts_deny_allow_block
  • lmtttmpts_deny_allow_actions
  • lmtttmpts_deny_allow_form
  • +4 more

HTML Comments
  • © Copyright 2021 BestWebSoft ( https://support.bestwebsoft.com )
  • This program is free software; you can redistribute it and/or modify
  • This program is distributed in the hope that it will be useful,
  • You should have received a copy of the GNU General Public License
  • +7 more

Data Attributes
  • name="lmtttmpts_export_submit"
  • name="lmtttmpts_import_submit"
  • name="lmtttmpts_export_import_nonce"
  • name="lmtttmpts_export_date"
  • name="lmtttmpts_export"

JS Globals
  • lmtttmpts_admin_script_vars
FAQ

Frequently Asked Questions about Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms