Limit Login Attempts (Spam Protection) Security & Risk Analysis

wordpress.org/plugins/wp-limit-failed-login-attempts

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

200 active installs · v5.6 · PHP 7.2+ · WP 4.6+ · Updated Jun 15, 2025

Tags: anti-spam, firewall, login-attempts, protection, security

Score: 92 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Dec 5, 2024
Safety Verdict

Is Limit Login Attempts (Spam Protection) Safe to Use in 2026?

Generally Safe

Score 92/100

Limit Login Attempts (Spam Protection) has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 5, 2024 · Updated 9mo ago
Risk Assessment

The wp-limit-failed-login-attempts plugin, version 5.6, exhibits a mixed security posture. While it shows good practices in its use of prepared statements for SQL queries (57%) and proper output escaping (90%), several critical areas raise concern. The presence of 10 AJAX handlers, with a significant portion (4) lacking authentication checks, creates a substantial attack surface that could be exploited by unauthenticated users. Furthermore, the taint analysis reveals 4 high-severity flows with unsanitized paths, indicating potential vulnerabilities where user-supplied data could lead to unintended consequences if not properly handled. The plugin's vulnerability history, with 5 known CVEs including 1 critical and 3 high-severity, suggests a recurring pattern of security weaknesses, particularly around authorization, SQL injection, and the use of less trusted sources. The most recent vulnerability in late 2024 further reinforces the need for vigilance. While strengths are present, the combination of unprotected entry points and a history of significant vulnerabilities points to a moderate to high-risk profile that requires careful attention and prompt patching.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows with unsanitized paths
  • 5 total known CVEs (1 critical, 3 high)
  • Missing nonce checks on AJAX handlers
  • SQL queries not using prepared statements (43%)
  • Bundled libraries (DataTables, Select2)
Vulnerabilities (5)

Limit Login Attempts (Spam Protection) Security Vulnerabilities

CVEs by Year

  • 2021: 2 CVEs
  • 2022: 1 CVE
  • 2024: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 3
  • Medium: 1

5 total CVEs

CVE-2024-54234 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Limit Login Attempts <= 5.5 - Unauthenticated SQL Injection

Dec 5, 2024 · Patched in 5.6 (44d)
CVE-2022-4534 · medium · 5.3 · Use of Less Trusted Source

Limit Login Attempts (Spam Protection) <= 5.3 - IP Address Spoofing to Protection Mechanism Bypass

Oct 7, 2024 · Patched in 5.4 (1d)

CVE-2022-0787 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Limit Login Attempts (Spam Protection) <= 4.9.1 - Unauthenticated SQL Injection

Mar 2, 2022 · Patched in 5.1 (692d)

Limit Login Attempts (Spam Protection) <= 2.9 - Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation

Apr 22, 2021 · Patched in 3.1 (1006d)

CVE-2021-24194 · high · 8.8 · Improper Authorization

Limit Login Attempts (Spam Protection) <= 2.8 - Missing Authorization to Arbitrary Plugin Installation/Activation

Apr 22, 2021 · Patched in 2.9 (1006d)
Code Analysis (analyzed Mar 16, 2026)

Limit Login Attempts (Spam Protection) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 18 (24 prepared)
  • Unescaped Output: 14 (120 escaped)
  • Nonce Checks: 0
  • Capability Checks: 4
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 2

Bundled Libraries

  • DataTables
  • Select2

SQL Query Safety

57% prepared (42 total queries)

Output Escaping

90% escaped (134 total outputs)
Data Flows (4 unsanitized)

Data Flow Analysis

8 flows, 4 with unsanitized paths
my_ajax_get_log_data (admin\log.php:26)
Attack Surface (4 unprotected)

Limit Login Attempts (Spam Protection) Attack Surface

Entry Points: 10
Unprotected: 4

AJAX Handlers (10)

  • auth: wp_ajax_WPLFLA_countries (admin\countries.php:10)
  • nopriv: wp_ajax_WPLFLA_countries (admin\countries.php:11)
  • auth: wp_ajax_WPLFLA_get_log_data (admin\log.php:10)
  • nopriv: wp_ajax_WPLFLA_get_log_data (admin\log.php:11)
  • auth: wp_ajax_WPLFLA_get_log_block_ip_data (admin\logblockip.php:9)
  • nopriv: wp_ajax_WPLFLA_get_log_block_ip_data (admin\logblockip.php:10)
  • nopriv: wp_ajax_WPLFLA_delete_log_block_ip_data (admin\logblockip.php:11)
  • auth: wp_ajax_WPLFLA_delete_log_block_ip_data (admin\logblockip.php:12)
  • auth: wp_ajax_WPLFLA_range_ip (admin\range_ip.php:10)
  • nopriv: wp_ajax_WPLFLA_range_ip (admin\range_ip.php:11)
WordPress Hooks (27)

  • action: admin_menu (admin\countries.php:8)
  • action: admin_enqueue_scripts (admin\countries.php:9)
  • action: wp_dashboard_setup (admin\dashboard_widget.php:8)
  • action: admin_menu (admin\log.php:8)
  • action: admin_enqueue_scripts (admin\log.php:9)
  • action: admin_menu (admin\logblockip.php:7)
  • action: admin_enqueue_scripts (admin\logblockip.php:8)
  • action: admin_footer (admin\menu.php:7)
  • action: admin_menu (admin\range_ip.php:8)
  • action: admin_enqueue_scripts (admin\range_ip.php:9)
  • action: admin_init (admin\setting.php:8)
  • action: admin_print_styles (admin\setting.php:285)
  • action: add_meta_boxes_login-attempts_page_WPLFLASTATISTICS (admin\statistics.php:8)
  • action: admin_menu (admin\statistics.php:10)
  • action: admin_enqueue_scripts (admin\statistics.php:11)
  • action: admin_init (failed.php:24)
  • action: init (failed.php:31)
  • filter: plugin_row_meta (failed.php:198)
  • action: wp_login_failed (login.php:23)
  • action: login_init (login.php:25)
  • action: login_init (login.php:27)
  • action: init (login.php:29)
  • action: init (login.php:30)
  • action: login_footer (login.php:231)
  • action: login_message (login.php:232)
  • action: login_message (login.php:459)
  • action: init (login.php:508)
Maintenance & Trust

Limit Login Attempts (Spam Protection) Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Jun 15, 2025
  • PHP min version: 7.2
  • Downloads: 14K

Community Trust

  • Rating: 78/100
  • Number of ratings: 7
  • Active installs: 200
Developer Profile

Limit Login Attempts (Spam Protection) Developer Profile

wp-buy

13 plugins · 355K total installs

  • Trust score: 73
  • Avg Security Score: 92/100
  • Avg Patch Time: 900 days
Detection Fingerprints

How We Detect Limit Login Attempts (Spam Protection)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/css/style.css
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/chart.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/common.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/dashboard.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/login.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/statistics.js

Script Paths

  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/chart.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/common.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/dashboard.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/login.js
  • /wp-content/plugins/wp-limit-failed-login-attempts/assets/js/statistics.js

Version Parameters

  • wp-limit-failed-login-attempts/assets/css/style.css?ver=
  • wp-limit-failed-login-attempts/assets/js/chart.js?ver=
  • wp-limit-failed-login-attempts/assets/js/common.js?ver=
  • wp-limit-failed-login-attempts/assets/js/dashboard.js?ver=
  • wp-limit-failed-login-attempts/assets/js/login.js?ver=
  • wp-limit-failed-login-attempts/assets/js/statistics.js?ver=

HTML / DOM Fingerprints

CSS Classes
WPLFLA_countries_PROpluginrows-rate-stars
HTML Comments

  • <!-- Plugin Name: Limit Login Attempts (Spam Protection) -->
  • <!-- Description: Limit the number of retry attempts when logging in per IP. Fully customizable and easy to use. -->
  • <!-- Version: 5.6 -->
  • <!-- Author: wp-buy -->
  • (+6 more)

Data Attributes

  • data-role="login-attempt-form"
  • data-login-attempt-ajax="true"
  • data-security-token="[token]"

JS Globals

  • WPLFLA_options_page
  • WPLFLA_load_textdomain_pro
  • WPLFLA_check_some_other_plugin
  • WPLFLA_install_pro
  • WPLFLA_create_table_pro
  • WPLFLA_create_table_range_ip_pro
  • (+4 more)
FAQ

Frequently Asked Questions about Limit Login Attempts (Spam Protection)