Login Lockdown & Protection Security & Risk Analysis

wordpress.org/plugins/login-lockdown

Protect, lockdown & secure login form by limiting login attempts from the same IP & banning IPs.

100K active installs · v2.15 · PHP 5.2+ · WP 4.0+ · Updated Dec 3, 2025
Tags: block-login, captcha, firewall, login, protect-login
Score: 92 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Dec 12, 2025

Safety Verdict

Is Login Lockdown & Protection Safe to Use in 2026?

Generally Safe

Score 92/100

Login Lockdown & Protection has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 12, 2025 · Updated 4mo ago

Risk Assessment

The login-lockdown v2.15 plugin presents a mixed security posture. On the positive side, it demonstrates good practices with 100% proper output escaping and 100% of SQL queries utilizing prepared statements. The absence of file operations, external HTTP requests, and bundled critical libraries is also encouraging. However, significant concerns arise from the static analysis. The plugin has a single unprotected AJAX handler, representing a direct entry point without proper authentication or authorization checks. This is a critical oversight that attackers could potentially exploit.

The vulnerability history shows a pattern of past security issues, including SQL injection and missing authorization, which is consistent with the finding of an unprotected AJAX handler. There are currently no unpatched CVEs, but the number of past vulnerabilities and the unsanitized paths in the taint analysis suggest weaknesses that may have been exploited in the past or could be exploited in the future if not addressed. The number of past medium-severity vulnerabilities, missing authorization among them, reinforces the risk associated with the unprotected AJAX handler.

In conclusion, while the plugin employs some good security practices like proper output escaping and prepared statements, the unprotected AJAX handler is a significant and immediate risk. The historical pattern of vulnerabilities, particularly those related to authorization and SQL injection, further elevates concerns. It is crucial to address the unprotected AJAX endpoint to mitigate the most immediate threat and to ensure that past vulnerabilities are thoroughly understood and mitigated to prevent recurrence.

Key Concerns

  • Unprotected AJAX handler found
  • No nonce checks on AJAX handlers
  • Vulnerability history with past SQL injection
  • Vulnerability history with missing authorization
  • Taint analysis with unsanitized paths
  • Bundled DataTables library

Vulnerabilities: 5

Login Lockdown & Protection Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-11707 · medium · 5.3 · Use of Insufficiently Random Values
Login Lockdown & Protection <= 2.14 - IP Block Bypass
Dec 12, 2025 · Patched in 2.15 (1d)

CVE-2025-3766 · medium · 5.4 · Missing Authorization
Login Lockdown & Protection <= 2.11 - Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting
May 6, 2025 · Patched in 2.12 (1d)

CVE-2024-1340 · medium · 5.4 · Missing Authorization
Login Lockdown – Protect Login Form <= 2.08 - Missing Authorization
Feb 9, 2024 · Patched in 2.09 (12d)

CVE-2023-50837 · medium · 6.6 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Login Lockdown – Protect Login Form <= 2.06 - Authenticated (Administrator+) SQL Injection
Dec 21, 2023 · Patched in 2.07 (33d)

WF-09773141-883b-40e3-bd20-d3115c02e023-login-lockdown · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Login Lockdown <= 2.06 - Authenticated (Administrator+) SQL Injection
Nov 21, 2023 · Patched in 2.07 (63d)

Code Analysis
Analyzed Mar 16, 2026

Login Lockdown & Protection Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 0 (52 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

DataTables

Output Escaping

100% escaped · 52 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
tab_basic (interface\tab_login_form.php:37)

Attack Surface: 1 unprotected

Login Lockdown & Protection Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

  • auth · wp_ajax_loginlockdown_run_tool · loginlockdown.php:112

WordPress Hooks: 18

  • action · admin_menu · loginlockdown.php:93
  • filter · plugin_row_meta · loginlockdown.php:97
  • filter · admin_footer_text · loginlockdown.php:98
  • action · wp_dashboard_setup · loginlockdown.php:100
  • action · admin_init · loginlockdown.php:103
  • action · admin_enqueue_scripts · loginlockdown.php:106
  • action · admin_action_loginlockdown_install_wp301 · loginlockdown.php:109
  • action · login_form · loginlockdown.php:114
  • action · woocommerce_login_form · loginlockdown.php:115
  • action · wp_login_failed · loginlockdown.php:117
  • filter · login_errors · loginlockdown.php:118
  • filter · authenticate · loginlockdown.php:121
  • action · plugins_loaded · loginlockdown.php:164
  • action · init · loginlockdown.php:165
  • action · admin_init · wf-flyout\wf-flyout.php:27
  • action · admin_enqueue_scripts · wf-flyout\wf-flyout.php:73
  • action · admin_head · wf-flyout\wf-flyout.php:74
  • action · admin_footer · wf-flyout\wf-flyout.php:75

Maintenance & Trust

Login Lockdown & Protection Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 3, 2025
  • PHP min version: 5.2
  • Downloads: 1.9M

Community Trust

  • Rating: 86/100
  • Number of ratings: 60
  • Active installs: 100K

Developer Profile

Login Lockdown & Protection Developer Profile

WebFactory

28 plugins · 3.5M total installs

  • Trust score: 78
  • Avg Security Score: 98/100
  • Avg Patch Time: 699 days

Detection Fingerprints

How We Detect Login Lockdown & Protection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/login-lockdown/libs/admin.php
  • /wp-content/plugins/login-lockdown/libs/setup.php
  • /wp-content/plugins/login-lockdown/libs/utility.php
  • /wp-content/plugins/login-lockdown/libs/functions.php
  • /wp-content/plugins/login-lockdown/libs/stats.php
  • /wp-content/plugins/login-lockdown/libs/ajax.php
  • /wp-content/plugins/login-lockdown/interface/tab_login_form.php
  • /wp-content/plugins/login-lockdown/interface/tab_activity.php
  • +6 more
