WP Limit Login Attempts Security & Risk Analysis

wordpress.org/plugins/wp-limit-login-attempts

Limit rate of login attempts and block IP temporarily. Brute force attack protection. GDPR compliant. Captcha enabled.

10K active installs · v2.6.5 · PHP 5.6+ · WP 6.0+ · Updated Aug 4, 2024
Tags: authentication, hack, login, loginizer, security
Score: 68 · C · Use Caution
CVEs total: 2
Unpatched: 1
Last CVE: Dec 27, 2022
Safety Verdict

Is WP Limit Login Attempts Safe to Use in 2026?

Use With Caution

Score 68/100

WP Limit Login Attempts has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Dec 27, 2022 · Updated 1yr ago
Risk Assessment

The 'wp-limit-login-attempts' plugin version 2.6.5 presents a mixed security posture. On the positive side, the static analysis shows no identified dangerous functions, file operations, external HTTP requests, or raw SQL queries executed without prepared statements. The attack surface appears minimal with no exposed AJAX handlers, REST API routes, or shortcodes. However, significant concerns arise from the vulnerability history. With two known CVEs, one of which is critical and currently unpatched, the plugin has a history of serious security flaws, specifically SQL injection. The static analysis also reveals that only 17% of SQL queries use prepared statements, and importantly, none of the four output operations are properly escaped. This indicates a high risk of cross-site scripting (XSS) vulnerabilities.

Key Concerns

  • Unpatched critical vulnerability
  • Low percentage of prepared statements for SQL
  • No output escaping
  • History of SQL Injection vulnerabilities
Vulnerabilities
2

WP Limit Login Attempts Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2022: 1 CVE · unpatched

Severity Breakdown

Critical: 1
Medium: 1

2 total CVEs

CVE-2022-4303 · medium · 6.5 · Use of Less Trusted Source

WP Limit Login Attempts <= 2.6.4 - IP Spoofing to Protection Mechanism Bypass

Dec 27, 2022 · Unpatched

CVE-2015-6829 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Limit Login Attempts < 2.0.1 - SQL Injection

Sep 5, 2015 · Patched in 2.0.1 (3062d)
Code Analysis
Analyzed Mar 16, 2026

WP Limit Login Attempts Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 · 1 prepared
Unescaped Output: 4 · 0 escaped
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

17% prepared · 6 total queries

Output Escaping

0% escaped · 4 total outputs
Attack Surface

WP Limit Login Attempts Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 15

  • action · login_enqueue_scripts · wp-limit-login-attempts.php:54
  • action · plugins_loaded · wp-limit-login-attempts.php:55
  • action · login_init · wp-limit-login-attempts.php:56
  • action · login_head · wp-limit-login-attempts.php:107
  • action · wp_login_failed · wp-limit-login-attempts.php:108
  • action · login_errors · wp-limit-login-attempts.php:109
  • filter · authenticate · wp-limit-login-attempts.php:110
  • action · admin_init · wp-limit-login-attempts.php:111
  • action · shutdown · wp-limit-login-attempts.php:112
  • action · login_form · wp-limit-login-attempts.php:349
  • action · login_footer · wp-limit-login-attempts.php:358
  • action · admin_notices · wp-limit-login-attempts.php:366
  • action · admin_menu · wp-limit-login-attempts.php:379
  • action · admin_notices · wp-limit-login-attempts.php:431
  • action · admin_init · wp-limit-login-attempts.php:458
Maintenance & Trust

WP Limit Login Attempts Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Aug 4, 2024
PHP min version: 5.6
Downloads: 442K

Community Trust

Rating: 92/100
Number of ratings: 300
Active installs: 10K
Developer Profile

WP Limit Login Attempts Developer Profile

Arshid

6 plugins · 621K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 814 days
Detection Fingerprints

How We Detect WP Limit Login Attempts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-limit-login-attempts/style.css
  • /wp-content/plugins/wp-limit-login-attempts/js/main.js
Script Paths
  • //code.jquery.com/jquery-1.8.2.js

HTML / DOM Fingerprints

CSS Classes
  • popup
  • popup_box
  • captcha
  • captcha_form
Data Attributes
  • data-login_id
  • data-login_ip
  • data-login_attempts
  • data-locked_time
JS Globals
  • popup_flag
FAQ

Frequently Asked Questions about WP Limit Login Attempts