Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Security & Risk Analysis

wordpress.org/plugins/limit-login-attempts-reloaded

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M active installs v2.26.28 PHP + WP 3.0+ Updated Jan 12, 2026
Tags: 2fa · brute-force · firewall · login-security · security
Score: 98 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Dec 20, 2023
Safety Verdict

Is Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Safe to Use in 2026?

Generally Safe

Score 98/100

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Dec 20, 2023 · Updated 2mo ago
Risk Assessment

The 'limit-login-attempts-reloaded' plugin v2.26.28 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing nonce checks on all its AJAX handlers. The lack of critical or high severity taint flows and no currently unpatched CVEs are also strong indicators of a generally secure recent state.

However, one AJAX handler lacks authentication checks, which represents a direct attack vector. Static analysis found no dangerous functions or raw SQL, but the vulnerability history shows a pattern of past issues, including high and medium severity vulnerabilities, particularly related to missing authorization, excessive authentication attempts, and cross-site scripting. This history calls for continued vigilance and a robust review process for future updates. The 70% rate of properly escaped output, while not critically low, leaves room for improvement in preventing cross-site scripting vulnerabilities.

In conclusion, the plugin has strengths in its handling of SQL and AJAX nonces. Nevertheless, the single unprotected AJAX endpoint and the historical vulnerability data warrant attention. The plugin is not without risks, and ongoing monitoring and prompt patching of any newly discovered vulnerabilities will be crucial.

Key Concerns

  • Unprotected AJAX handler found
  • Output escaping not fully comprehensive (70%)
  • History of past high severity vulnerabilities
  • History of past medium severity vulnerabilities

Vulnerabilities: 4

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Security Vulnerabilities

CVEs by Year

2020: 2 CVEs
2023: 2 CVEs

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2023-6934 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Limit Login Attempts Reloaded <= 2.25.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 20, 2023 · Patched in 2.25.27 (223d)

CVE-2023-5525 · medium · 4.3 · Missing Authorization

Limit Login Attempts Reloaded <= 2.25.25 - Missing Authorization

Nov 6, 2023 · Patched in 2.25.26 (78d)

CVE-2020-35590 · high · 7.3 · Improper Restriction of Excessive Authentication Attempts

Limit Login Attempts Reloaded <= 2.17.3 - Login Rate Limiting Bypass

Dec 14, 2020 · Patched in 2.17.4 (1135d)

CVE-2020-35589 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Limit Login Attempts Reloaded <= 2.15.2 - Reflected Cross-Site Scripting

Dec 14, 2020 · Patched in 2.17.4 (1135d)

Code Analysis
Analyzed Mar 16, 2026

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 104 (248 escaped)
Nonce Checks: 26
Capability Checks: 2
File Operations: 2
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

70% escaped · 352 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
app_log_action_callback (core\Ajax.php:180)

Attack Surface: 1 unprotected

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Attack Surface

Entry Points: 27
Unprotected: 1

AJAX Handlers 26

auth · wp_ajax_limit-login-unlock · core\Ajax.php:17
auth · wp_ajax_dismiss_review_notice · core\Ajax.php:18
auth · wp_ajax_dismiss_notify_notice · core\Ajax.php:19
auth · wp_ajax_enable_notify · core\Ajax.php:20
auth · wp_ajax_app_config_save · core\Ajax.php:21
auth · wp_ajax_app_setup · core\Ajax.php:22
auth · wp_ajax_app_log_action · core\Ajax.php:23
auth · wp_ajax_app_load_log · core\Ajax.php:24
auth · wp_ajax_app_load_successful_login · core\Ajax.php:25
auth · wp_ajax_app_load_lockouts · core\Ajax.php:26
auth · wp_ajax_app_load_acl_rules · core\Ajax.php:27
auth · wp_ajax_app_load_country_access_rules · core\Ajax.php:28
auth · wp_ajax_app_toggle_country · core\Ajax.php:29
auth · wp_ajax_app_country_rule · core\Ajax.php:30
auth · wp_ajax_app_acl_add_rule · core\Ajax.php:31
auth · wp_ajax_app_acl_remove_rule · core\Ajax.php:32
nopriv · wp_ajax_get_remaining_attempts_message · core\Ajax.php:33
auth · wp_ajax_subscribe_email · core\Ajax.php:37
auth · wp_ajax_strong_account_policies · core\Ajax.php:38
auth · wp_ajax_block_by_country · core\Ajax.php:39
auth · wp_ajax_dismiss_onboarding_popup · core\Ajax.php:40
auth · wp_ajax_onboarding_reset · core\Ajax.php:41
auth · wp_ajax_close_premium_message · core\Ajax.php:42
auth · wp_ajax_toggle_auto_update · core\Ajax.php:43
auth · wp_ajax_activate_micro_cloud · core\Ajax.php:44
auth · wp_ajax_test_email_notifications · core\Ajax.php:45

Shortcodes 1

[llar-link] · core\Shortcodes.php:14

WordPress Hooks 42

action · phpmailer_init · core\Helpers.php:395
action · admin_enqueue_scripts · core\LimitLoginAttempts.php:127
action · login_enqueue_scripts · core\LimitLoginAttempts.php:128
filter · limit_login_whitelist_ip · core\LimitLoginAttempts.php:129
filter · limit_login_whitelist_usernames · core\LimitLoginAttempts.php:130
filter · limit_login_blacklist_ip · core\LimitLoginAttempts.php:131
filter · limit_login_blacklist_usernames · core\LimitLoginAttempts.php:132
filter · illegal_user_logins · core\LimitLoginAttempts.php:134
filter · um_custom_authenticate_error_codes · core\LimitLoginAttempts.php:135
action · admin_notices · core\LimitLoginAttempts.php:140
action · admin_print_scripts-toplevel_page_limit-login-attempts · core\LimitLoginAttempts.php:142
action · admin_print_scripts-settings_page_limit-login-attempts · core\LimitLoginAttempts.php:143
action · admin_print_scripts-index.php · core\LimitLoginAttempts.php:144
action · admin_init · core\LimitLoginAttempts.php:146
action · admin_init · core\LimitLoginAttempts.php:147
action · login_footer · core\LimitLoginAttempts.php:149
action · login_footer · core\LimitLoginAttempts.php:151
action · wp_footer · core\LimitLoginAttempts.php:152
action · wp_dashboard_setup · core\LimitLoginAttempts.php:155
action · login_form_register · core\LimitLoginAttempts.php:157
filter · registration_errors · core\LimitLoginAttempts.php:158
action · init · core\LimitLoginAttempts.php:251
action · wp_login_failed · core\LimitLoginAttempts.php:259
filter · wp_authenticate_user · core\LimitLoginAttempts.php:260
action · wp_login · core\LimitLoginAttempts.php:261
filter · shake_error_codes · core\LimitLoginAttempts.php:263
action · login_errors · core\LimitLoginAttempts.php:264
action · um_submit_form_errors_hook_login · core\LimitLoginAttempts.php:266
filter · mepr_validate_login · core\LimitLoginAttempts.php:268
action · network_admin_menu · core\LimitLoginAttempts.php:271
action · network_admin_menu · core\LimitLoginAttempts.php:274
action · admin_menu · core\LimitLoginAttempts.php:278
action · admin_bar_menu · core\LimitLoginAttempts.php:281
action · admin_menu · core\LimitLoginAttempts.php:284
filter · xmlrpc_login_error · core\LimitLoginAttempts.php:288
action · wp_head · core\LimitLoginAttempts.php:291
action · authenticate · core\LimitLoginAttempts.php:298
action · authenticate · core\LimitLoginAttempts.php:299
action · authenticate · core\LimitLoginAttempts.php:305
action · wp_login · core\LimitLoginAttempts.php:687
action · plugins_loaded · limit-login-attempts-reloaded.php:41
filter · wp_kses_allowed_html · views\onboarding-popup.php:248

Maintenance & Trust

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 12, 2026
PHP min version
Downloads: 79.4M

Community Trust

Rating: 98/100
Number of ratings: 1,441
Active installs: 2.0M

Developer Profile

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall Developer Profile

WPChef

3 plugins · 2.0M total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 643 days
Detection Fingerprints

How We Detect Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/limit-login-attempts-reloaded/assets/css/login.css
/wp-content/plugins/limit-login-attempts-reloaded/assets/css/styles.css
/wp-content/plugins/limit-login-attempts-reloaded/assets/js/dist/app.js
/wp-content/plugins/limit-login-attempts-reloaded/assets/js/login.js
/wp-content/plugins/limit-login-attempts-reloaded/assets/js/vendors.js
Script Paths
/wp-content/plugins/limit-login-attempts-reloaded/assets/js/dist/app.js
/wp-content/plugins/limit-login-attempts-reloaded/assets/js/login.js
/wp-content/plugins/limit-login-attempts-reloaded/assets/js/vendors.js
Version Parameters
limit-login-attempts-reloaded/assets/css/login.css?ver=
limit-login-attempts-reloaded/assets/css/styles.css?ver=
limit-login-attempts-reloaded/assets/js/dist/app.js?ver=
limit-login-attempts-reloaded/assets/js/login.js?ver=
limit-login-attempts-reloaded/assets/js/vendors.js?ver=

HTML / DOM Fingerprints

CSS Classes
llar-login-form
llar-login-wrapper
llar_stats_widget
HTML Comments
<!-- LLAR -->
<!-- limit-login-attempts-reloaded -->
Data Attributes
data-llar-nonce
data-llar-endpoint
JS Globals
llar
lla_ajax_object
REST Endpoints
/wp-json/llar/v1/ajax_check_login
FAQ

Frequently Asked Questions about Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall