What Limit Login Attempts Reloaded gets right
Limit Login Attempts Reloaded is one of the most trusted brute-force protection plugins on WordPress, installed on millions of sites. It caps how many failed logins an address can make before a lockout, keeps detailed logs of attempts, supports allowlists and denylists, is GDPR-conscious about the data it stores, and offers an optional cloud reputation network that shares known-bad IPs across sites. For dedicated login protection it is deep, mature, and free.
If brute-force defense is the specific job you are solving and you want detailed logs and a cloud reputation layer, it is an excellent, focused choice. Credit where it is due.
The difference: a brute-force plugin versus a command bar
Limit Login Attempts Reloaded is built end to end around one threat: repeated login guessing. That focus is its strength.
TrueCommander covers the same ground from the command bar. limit login attempts -max=5 sets the cap, the lockout window, and the lockout length; block ip and unblock ip manage bad addresses directly. Those sit in the same ++W bar that also hides the login URL, turns on maintenance mode, backs up the site, and runs the rest of the 91 commands, and any of them can run on startup or on a schedule.
In short: Limit Login Attempts Reloaded is a specialist. TrueCommander folds brute-force limiting and IP blocking into a broader security and admin toolkit you drive from the keyboard.
Shown in advanced mode, where commands start with tp. In easy mode you type the same command without the tp prefix.
Limit Login Attempts Reloaded vs TrueCommander, feature by feature
An honest side by side. They overlap on the lockout, and split on depth versus breadth.
| Feature | Limit Login Attempts Reloaded | TrueCommander |
|---|---|---|
| Cap failed logins with a lockout | limit login attempts | |
| Configurable attempts, window, and lockout length | -max -window -lockout | |
| Block and unblock specific IPs | Allow / deny lists | block ip |
| Detailed attempt logs and cloud reputation network | Its specialty | Limit and block, no shared cloud list |
| Hide the login URL | hide login | |
| Backups, image optimization, maintenance mode, more | 91 commands | |
| Apply on startup or via a keyboard shortcut | Settings page | |
| Price | Free on WordPress.org, paid premium tier | $59/year, everything included |
Limit Login Attempts Reloaded details are from its WordPress.org listing and change over time. Check the live listing for current features and pricing.
When Limit Login Attempts Reloaded is the right pick
Be honest about the job. Limit Login Attempts Reloaded is the better fit when:
- Brute-force defense is your single priority and you want the deepest dedicated tool for it.
- You rely on detailed attempt logs, allow and deny lists, or the shared cloud reputation network.
- You want a free, focused plugin and have other tools for backups and the rest.
When to choose TrueCommander
TrueCommander earns its place when login throttling is one layer of a bigger setup:
- You want the lockout plus a hidden login URL and IP blocking, without running separate plugins for each.
- You want it applied on startup automatically, set once from the command bar and enforced on every load.
- You would rather manage security beside backups, maintenance mode, and the rest of your admin work, all in one place.
Layered beats single-point. Capping attempts is one layer; hiding the login URL and blocking known-bad IPs are others. TrueCommander gives you all three from one bar, so the door is harder to reach and harder to force.
Frequently asked questions
limit login attempts -max=5 -window=900 -lockout=1800 caps failed logins, sets the counting window, and sets how long the lockout lasts, the same brute-force protection, configured from the command bar. You can disable it again with limit login attempts -disable=true.block ip -ip=1.2.3.4 blocks an address, and unblock ip reverses it (including unblock ip -all=true to clear everything). These can run on their own, inside a macro, or on a schedule.