Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Security & Risk Analysis

wordpress.org/plugins/limit-login-attempts-reloaded

Stop password guessing attacks, secure WooCommerce, block bad IPs, block by countries (Pro), and add email 2FA. Lightweight with better performance.

2.0M active installs v3.1.0 PHP + WP 3.0+ Updated Apr 9, 2026

2fabrute-forcefirewallsecuritywoocommerce

A · Safe

CVEs total4

Unpatched0

Last CVEDec 20, 2023

Download

Safety Verdict

Is Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Safe to Use in 2026?

Generally Safe

Score 98/100

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEsLast CVE: Dec 20, 2023Updated 1mo ago

Risk Assessment

The 'limit-login-attempts-reloaded' plugin v2.26.28 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing nonce checks on all its AJAX handlers. The lack of critical or high severity taint flows and no currently unpatched CVEs are also strong indicators of a generally secure recent state.

However, concerns arise from the presence of one AJAX handler without authentication checks, which represents a direct attack vector. While the static analysis did not reveal dangerous functions or raw SQL, the vulnerability history shows a pattern of past issues, including high and medium severity vulnerabilities, particularly related to missing authorization, excessive authentication attempts, and cross-site scripting. This history suggests a need for continued vigilance and a robust review process for future updates. The 70% proper output escaping, while not critically low, indicates room for improvement in preventing potential cross-site scripting vulnerabilities.

In conclusion, the plugin has strengths in its handling of SQL and AJAX nonces. Nevertheless, the single unprotected AJAX endpoint and the historical vulnerability data warrant attention. The plugin is not without risks, and ongoing monitoring and prompt patching of any newly discovered vulnerabilities will be crucial.

Key Concerns

Unprotected AJAX handler found
Output escaping not fully comprehensive (70%)
History of past high severity vulnerabilities
History of past medium severity vulnerabilities

Vulnerabilities

4 published

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Security Vulnerabilities

CVEs by Year

2 CVEs in 2020

2020

2 CVEs in 2023

2023

Patched Has unpatched

Severity Breakdown

High

Medium

4 total CVEs

CVE-2023-6934medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Limit Login Attempts Reloaded <= 2.25.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 20, 2023 Patched in 2.25.27 (223d)

CVE-2023-5525medium · 4.3Missing Authorization

Limit Login Attempts Reloaded <= 2.25.25 - Missing Authorization

Nov 6, 2023 Patched in 2.25.26 (78d)

CVE-2020-35590high · 7.3Improper Restriction of Excessive Authentication Attempts

Limit Login Attempts Reloaded <= 2.17.3 - Login Rate Limiting Bypass

Dec 14, 2020 Patched in 2.17.4 (1135d)

CVE-2020-35589medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Limit Login Attempts Reloaded <= 2.15.2 - Reflected Cross-Site Scripting

Dec 14, 2020 Patched in 2.17.4 (1135d)

Version History

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Release Timeline

v3.1.0Current

v3.0.27 files changed

v3.0.117 files changed

v3.0.038 files changed

v2.26.2811 files changed

v2.26.274 files changed

v2.26.265 files changed

v2.26.259 files changed

v2.26.2432 files changed

v2.26.2311 files changed

v2.26.225 files changed

v2.26.216 files changed

v2.26.2016 files changed

v2.26.196 files changed

v2.26.188 files changed

v2.26.175 files changed

v2.26.164 files changed

v2.26.1515 files changed

v2.26.1412 files changed

v2.26.1315 files changed

Code Analysis

Analyzed Mar 16, 2026

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

104

248 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared2 total queries

Output Escaping

70% escaped352 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths

app_log_action_callback (core\Ajax.php:180)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Attack Surface

Entry Points27

Unprotected1

AJAX Handlers 26

authwp_ajax_limit-login-unlockcore\Ajax.php:17

authwp_ajax_dismiss_review_noticecore\Ajax.php:18

authwp_ajax_dismiss_notify_noticecore\Ajax.php:19

authwp_ajax_enable_notifycore\Ajax.php:20

authwp_ajax_app_config_savecore\Ajax.php:21

authwp_ajax_app_setupcore\Ajax.php:22

authwp_ajax_app_log_actioncore\Ajax.php:23

authwp_ajax_app_load_logcore\Ajax.php:24

authwp_ajax_app_load_successful_logincore\Ajax.php:25

authwp_ajax_app_load_lockoutscore\Ajax.php:26

authwp_ajax_app_load_acl_rulescore\Ajax.php:27

authwp_ajax_app_load_country_access_rulescore\Ajax.php:28

authwp_ajax_app_toggle_countrycore\Ajax.php:29

authwp_ajax_app_country_rulecore\Ajax.php:30

authwp_ajax_app_acl_add_rulecore\Ajax.php:31

authwp_ajax_app_acl_remove_rulecore\Ajax.php:32

noprivwp_ajax_get_remaining_attempts_messagecore\Ajax.php:33

authwp_ajax_subscribe_emailcore\Ajax.php:37

authwp_ajax_strong_account_policiescore\Ajax.php:38

authwp_ajax_block_by_countrycore\Ajax.php:39

authwp_ajax_dismiss_onboarding_popupcore\Ajax.php:40

authwp_ajax_onboarding_resetcore\Ajax.php:41

authwp_ajax_close_premium_messagecore\Ajax.php:42

authwp_ajax_toggle_auto_updatecore\Ajax.php:43

authwp_ajax_activate_micro_cloudcore\Ajax.php:44

authwp_ajax_test_email_notificationscore\Ajax.php:45

Shortcodes 1

[llar-link] core\Shortcodes.php:14

WordPress Hooks 42

actionphpmailer_initcore\Helpers.php:395

actionadmin_enqueue_scriptscore\LimitLoginAttempts.php:127

actionlogin_enqueue_scriptscore\LimitLoginAttempts.php:128

filterlimit_login_whitelist_ipcore\LimitLoginAttempts.php:129

filterlimit_login_whitelist_usernamescore\LimitLoginAttempts.php:130

filterlimit_login_blacklist_ipcore\LimitLoginAttempts.php:131

filterlimit_login_blacklist_usernamescore\LimitLoginAttempts.php:132

filterillegal_user_loginscore\LimitLoginAttempts.php:134

filterum_custom_authenticate_error_codescore\LimitLoginAttempts.php:135

actionadmin_noticescore\LimitLoginAttempts.php:140

actionadmin_print_scripts-toplevel_page_limit-login-attemptscore\LimitLoginAttempts.php:142

actionadmin_print_scripts-settings_page_limit-login-attemptscore\LimitLoginAttempts.php:143

actionadmin_print_scripts-index.phpcore\LimitLoginAttempts.php:144

actionadmin_initcore\LimitLoginAttempts.php:146

actionadmin_initcore\LimitLoginAttempts.php:147

actionlogin_footercore\LimitLoginAttempts.php:149

actionlogin_footercore\LimitLoginAttempts.php:151

actionwp_footercore\LimitLoginAttempts.php:152

actionwp_dashboard_setupcore\LimitLoginAttempts.php:155

actionlogin_form_registercore\LimitLoginAttempts.php:157

filterregistration_errorscore\LimitLoginAttempts.php:158

actioninitcore\LimitLoginAttempts.php:251

actionwp_login_failedcore\LimitLoginAttempts.php:259

filterwp_authenticate_usercore\LimitLoginAttempts.php:260

actionwp_logincore\LimitLoginAttempts.php:261

filtershake_error_codescore\LimitLoginAttempts.php:263

actionlogin_errorscore\LimitLoginAttempts.php:264

actionum_submit_form_errors_hook_logincore\LimitLoginAttempts.php:266

filtermepr_validate_logincore\LimitLoginAttempts.php:268

actionnetwork_admin_menucore\LimitLoginAttempts.php:271

actionnetwork_admin_menucore\LimitLoginAttempts.php:274

actionadmin_menucore\LimitLoginAttempts.php:278

actionadmin_bar_menucore\LimitLoginAttempts.php:281

actionadmin_menucore\LimitLoginAttempts.php:284

filterxmlrpc_login_errorcore\LimitLoginAttempts.php:288

actionwp_headcore\LimitLoginAttempts.php:291

actionauthenticatecore\LimitLoginAttempts.php:298

actionauthenticatecore\LimitLoginAttempts.php:299

actionauthenticatecore\LimitLoginAttempts.php:305

actionwp_logincore\LimitLoginAttempts.php:687

actionplugins_loadedlimit-login-attempts-reloaded.php:41

filterwp_kses_allowed_htmlviews\onboarding-popup.php:248

Maintenance & Trust

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedApr 9, 2026

PHP min version

Downloads83.3M

Community Trust

Rating98/100

Number of ratings1,447

Active installs2.0M

Alternatives

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Alternatives

LogiShield Security – Login Security, 2FA, Limit Login, Brute Force Protection, Firewall

logishield-security

100

LogiSheild Security with 2FA, limit login, custom login URL, and temp login is your go-to login security plugin for WordPress.

0 No CVEs

Wordfence Security – Firewall, Malware Scan, and Login Security

wordfence

Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.

5.0M 12 CVEs

Anti-Malware Security and Brute-Force Firewall

gotmls

This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.

100K 10 CVEs

WP Ghost (Hide My WP Ghost) – Security & Firewall

hide-my-wp

Hide and Secure WP paths with the complete WP security suite for Site Hardening. Includes 8G Firewall, Brute Force protection, and Passkeys.

100K 8 CVEs

Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

wp-simple-firewall

Shield stops bot attacks before they hack your site. Bots CAN be stopped. Shield stops them.

40K 11 CVEs

Developer Profile

Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall Developer Profile

WPChef

4 plugins · 2.0M total installs

trust score

Avg Security Score

88/100

Avg Patch Time

643 days

View full developer profile

Detection Fingerprints

How We Detect Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/limit-login-attempts-reloaded/assets/css/login.css/wp-content/plugins/limit-login-attempts-reloaded/assets/css/styles.css/wp-content/plugins/limit-login-attempts-reloaded/assets/js/dist/app.js/wp-content/plugins/limit-login-attempts-reloaded/assets/js/login.js/wp-content/plugins/limit-login-attempts-reloaded/assets/js/vendors.js

Script Paths

/wp-content/plugins/limit-login-attempts-reloaded/assets/js/dist/app.js/wp-content/plugins/limit-login-attempts-reloaded/assets/js/login.js/wp-content/plugins/limit-login-attempts-reloaded/assets/js/vendors.js

Version Parameters

limit-login-attempts-reloaded/assets/css/login.css?ver=limit-login-attempts-reloaded/assets/css/styles.css?ver=limit-login-attempts-reloaded/assets/js/dist/app.js?ver=limit-login-attempts-reloaded/assets/js/login.js?ver=limit-login-attempts-reloaded/assets/js/vendors.js?ver=

HTML / DOM Fingerprints

CSS Classes

llar-login-formllar-login-wrapperllar_stats_widget

HTML Comments

Data Attributes

data-llar-noncedata-llar-endpoint

JS Globals

llarlla_ajax_object

REST Endpoints

/wp-json/llar/v1/ajax_check_login

FAQ