How Brute Force Protection Works
WP 1 Click LockDown tracks failed login attempts per IP address and automatically locks out attackers who exceed your configured threshold.
How the Lockout System Works
The plugin uses WordPress transients to track failed login attempts on a per-IP basis. Here is the full flow:
- A visitor enters wrong credentials — the wp_login_failed hook fires and the plugin records the failure against their IP.
- The plugin counts attempts within the "attempt window" (default: 20 minutes). Attempts older than the window are discarded.
- When the count reaches your "Max attempts" threshold (default: 5), the IP is locked out for the "Lockout duration" (default: 20 minutes).
- During lockout, the authenticate filter returns an error before WordPress even checks the password, blocking further attempts.
- On a successful login, all failure records for that IP are cleared immediately.
Configuration Options
- Max attempts before lockout — default 5. Lower this to 3 for stricter protection, or raise it if legitimate users on shared IPs are getting locked out.
- Lockout duration — default 20 minutes. The IP cannot attempt to log in during this period.
- Attempt window — default 20 minutes. The rolling window in which attempts are counted.
- Email admin on lockout — when enabled (Starter plan+), you receive an email each time an IP is locked out, including the IP address.
Cloudflare and Reverse Proxy Support
WP 1 Click LockDown reads the correct visitor IP even when your site is behind Cloudflare or a load balancer. It checks CF-Connecting-IP first, then HTTP_X_FORWARDED_FOR, then falls back to REMOTE_ADDR, so lockouts target the real attacker IP, not your proxy. Both headers arrive with the request, so they are only reliable when your origin accepts traffic solely from the proxy that sets them.
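The lockout flow and the IP lookup order described above, as an added sketch in WordPress PHP; it is not the plugin's own code. All demo_* names, the trusted-proxy list and the late authenticate priority are assumptions of this example.

```php
<?php
// Added sketch, not WP 1 Click LockDown's code. All demo_* names are hypothetical.
const DEMO_MAX     = 5;    // "Max attempts" default
const DEMO_WINDOW  = 1200; // "Attempt window": 20 minutes, in seconds
const DEMO_LOCKOUT = 1200; // "Lockout duration": 20 minutes, in seconds

// Header order from the page. Assumption: forwarded headers count only when the
// direct peer is a proxy you operate, because any client can send them.
function demo_client_ip() {
    $peer    = $_SERVER['REMOTE_ADDR'] ?? '';
    $proxies = array( '127.0.0.1' ); // constructed sample; list your proxy addresses
    if ( in_array( $peer, $proxies, true ) ) {
        foreach ( array( 'HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR' ) as $key ) {
            $hops = explode( ',', $_SERVER[ $key ] ?? '' );
            $ip   = trim( end( $hops ) ); // last hop is the one the trusted proxy appended
            if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) {
                return $ip;
            }
        }
    }
    return $peer;
}
function demo_key( $prefix ) {
    return $prefix . md5( demo_client_ip() );
}
add_action( 'wp_login_failed', function () {
    if ( get_transient( demo_key( 'demo_lock_' ) ) ) {
        return; // already locked out; do not extend the lockout
    }
    $now   = time();
    $fails = get_transient( demo_key( 'demo_fail_' ) );
    // Keep only failures inside the rolling attempt window, then add this one.
    $fails = array_filter( is_array( $fails ) ? $fails : array(), function ( $t ) use ( $now ) {
        return $t > $now - DEMO_WINDOW;
    } );
    $fails[] = $now;
    if ( count( $fails ) >= DEMO_MAX ) {
        set_transient( demo_key( 'demo_lock_' ), 1, DEMO_LOCKOUT );
        delete_transient( demo_key( 'demo_fail_' ) );
    } else {
        set_transient( demo_key( 'demo_fail_' ), array_values( $fails ), DEMO_WINDOW );
    }
} );
// Priority 100 runs after core's own authenticate callbacks, so this error is the final result.
add_filter( 'authenticate', function ( $user ) {
    $locked = get_transient( demo_key( 'demo_lock_' ) );
    return $locked ? new WP_Error( 'demo_locked', 'Too many failed attempts.' ) : $user;
}, 100 );
// A successful login clears the failure record for that IP.
add_action( 'wp_login', function () { delete_transient( demo_key( 'demo_fail_' ) ); } );
```

Because the filter runs late, core still evaluates the password during a lockout and the result is then discarded; the page describes the plugin as returning its error before that check.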
If You Are Locked Out of Your Own Site
If you trigger the lockout accidentally, wait for the lockout duration to expire, or see our guide on recovering from a lockout via WP-CLI or phpMyAdmin.
Do not set Max attempts to 1 or 2 — legitimate users with typing errors can accidentally lock themselves out. 4 to 5 is the recommended range for most sites.