Login Delay Shield

FAQ

How does this plugin protect my site?

When a bot attempts a brute-force attack, it tries thousands of passwords as fast as possible. By adding a delay (even just 1 second) after each failed attempt, the attack becomes impractical. A one-second delay is barely noticeable to legitimate users but makes a huge difference when multiplied across thousands of attempts.

Where are the plugin settings?

Go to Settings > Login Delay Shield

What is progressive delay?

Progressive delay increases the wait time with each consecutive failed attempt from the same IP address. For example, the first failure might delay 1 second, the second failure 2 seconds, and so on. This makes repeated attacks increasingly slow.

How does IP lockout work?

After a configurable number of failed attempts (default: 10), the IP address is temporarily blocked from logging in. The lockout duration is also configurable (default: 60 minutes). This stops persistent attackers in their tracks.

How do I whitelist my own IP?

Enable the IP whitelist feature and add your IP address (or a range using CIDR notation like 192.168.1.0/24). Whitelisted IPs bypass all delays and lockouts, ensuring you never lock yourself out.

Should I block XML-RPC?

If you don’t use the WordPress mobile app or remote publishing tools like Windows Live Writer, blocking XML-RPC authentication removes a common attack vector. You can also choose to just apply delays without blocking it entirely.

How do email notifications work?

When enabled, the plugin tracks failed login attempts per IP address. Once the threshold is reached (default: 5 attempts), an email is sent to alert you. The counter resets after one hour of no failed attempts from that IP.

Where can I see failed login attempts?

A dashboard widget shows the 10 most recent failed login attempts, including the time, username attempted, IP address, and whether it came from wp-login or XML-RPC.

Is the admin interface accessible?

Yes! Login Delay Shield follows WCAG 2.1 accessibility guidelines. All settings are fully keyboard navigable, screen reader compatible, and include proper ARIA attributes. Collapsible sections can be toggled with Enter or Space keys, tooltips appear on focus (not just hover), and all dynamic changes are announced to assistive technologies.

Does this plugin work better with an object cache?

For high-traffic sites or sites experiencing frequent attacks, we recommend using a persistent object cache like Redis or Memcached.

The plugin uses WordPress transients to track failed login attempts and lockouts per IP address. By default, transients are stored in the database. During a distributed brute-force attack (many IPs), this can create additional database queries.

With an object cache installed:

• Transient reads/writes go to memory instead of the database
• Much faster performance under attack conditions
• Reduced database load

Popular object cache plugins: Redis Object Cache, W3 Total Cache, LiteSpeed Cache.

Most managed WordPress hosts (WP Engine, Kinsta, Flywheel) include object caching by default.

What languages are supported?

Login Delay Shield is translated into 18 languages:

• English (default)
• Arabic (العربية)
• Chinese Simplified (简体中文)
• Czech (Čeština)
• Dutch (Nederlands)
• French (Français)
• German (Deutsch)
• Indonesian (Bahasa Indonesia)
• Italian (Italiano)
• Japanese (日本語)
• Korean (한국어)
• Polish (Polski)
• Portuguese – Brazil (Português do Brasil)
• Russian (Русский)
• Spanish (Español)
• Swedish (Svenska)
• Thai (ไทย)
• Turkish (Türkçe)
• Vietnamese (Tiếng Việt)

The plugin automatically uses your site’s language setting. Want to help translate into another language? Visit translate.wordpress.org.