Brute-force attacks are the most common type of automated attack on WordPress websites today. Bots try to log in to your WordPress dashboard with stolen credentials. One attack can trigger hundreds or even thousands of login attempts.
In the worst-case scenario, hackers may manage to gain access to your WordPress. At the very least, these failed login attempts place a high load on your website. Our Login protection feature, previously called RB Login Protector, stops such attacks by using a mechanism already known from various plugins: Limit Login Attempts.
(Please note: you do not need to install the Limit Login Attempts plugin for this feature to work.)
How does the login protection feature work?
The login protection is placed in front of your WordPress login area and blocks IP addresses that repeatedly try to log in with incorrect credentials. In your Box settings, you can define exactly how many login attempts are permitted before the IP is blocked and how long the lockout should last.
Your own IP may also be blocked if more attempts are registered by the system than are allowed in the settings. If this happens, the following error message will be shown on your next attempt:
"Your IP address has been banned from this site or you are not allowed to access this page."
Set up login protection
The Login protection options can be found in the Security menu of your Box settings.
Show all blocked IPs
The two buttons at the top of the login protection settings allow you to show all locked-out IPs and reset the attempt counter. The counter reset effectively empties your blocklist, and all IPs can make login attempts again. If you only want to unblock individual IPs, select those IPs in the list first and then click the Reset attempt counter button.
Settings
In the settings, you can define how many login attempts an IP is permitted to make and how long a blocked IP stays locked out.
Whitelist
If you want to, you can also create a list of IPs here that should never be blocked. This function can be helpful if you, or any of your WordPress users, are prone to locking yourselves out.
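To make the interaction of these settings concrete, here is an added Python sketch of a limit-login-attempts counter; it is an illustration, not the hosting platform's own code. The class and parameter names are hypothetical, the sketch assumes an IP is blocked once its failed attempts exceed the permitted number, and it goes slightly beyond the text by normalising IPv6 spellings so one address cannot be counted under two forms.

```python
import ipaddress
import time


class LoginProtection:
    """Per-IP failed-login counter with timed lockout (illustrative model)."""

    def __init__(self, max_attempts, lockout_seconds, allowlist=(), clock=time.monotonic):
        self.max_attempts = max_attempts          # permitted failed attempts
        self.lockout_seconds = lockout_seconds    # how long a block lasts
        self.allowlist = {ipaddress.ip_address(ip) for ip in allowlist}
        self.clock = clock                        # injectable so tests can move time
        self.failures = {}                        # address -> failed attempts
        self.blocked_until = {}                   # address -> lockout end time

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)           # normalises IPv6 spellings
        until = self.blocked_until.get(addr)
        if until is not None and self.clock() >= until:
            self.reset([ip])                      # lockout expired: fresh counter
            return False
        return until is not None

    def record_failure(self, ip):
        """Count one failed login; return True if the IP is blocked afterwards."""
        addr = ipaddress.ip_address(ip)
        if addr in self.allowlist:
            return False                          # allowlisted IPs are never blocked
        if self.is_blocked(ip):
            return True                           # still locked out, do not extend
        self.failures[addr] = self.failures.get(addr, 0) + 1
        if self.failures[addr] > self.max_attempts:   # assumed boundary: "more than allowed"
            self.blocked_until[addr] = self.clock() + self.lockout_seconds
        return addr in self.blocked_until

    def blocked_ips(self):
        """Currently locked-out IPs, as in the 'show all blocked IPs' view."""
        return sorted(str(a) for a in list(self.blocked_until) if self.is_blocked(a))

    def reset(self, ips=None):
        """Reset the attempt counter for the given IPs, or for every IP if None."""
        targets = None if ips is None else {ipaddress.ip_address(ip) for ip in ips}
        for table in (self.failures, self.blocked_until):
            for addr in list(table):
                if targets is None or addr in targets:
                    del table[addr]
```

Because the counter is keyed on the source IP alone, several users behind one shared office or VPN address draw from the same attempt budget, which is the situation the never-block list is meant for.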
Notifications
If you activate email notifications, we'll send you an email every time an IP address has been blocked. Please note: brute-force attacks are extremely common and you may receive many emails from us when you activate notifications.
Turn off login protection
Disabling login protection poses a big security risk to your site. Without login protection, our server can no longer monitor your WordPress login area and brute-force attacks are more likely to succeed. Please consider these risks carefully before turning off login protection.
How can I prevent locking out my own IP?
A strong and secure password is essential for the security of your WordPress site. But the criteria for a strong password, e.g. upper and lower case, numbers and special characters, minimum length of 7 characters, can make it harder to enter a valid password during login and you can end up locking out your own IP through failed attempts. We've developed a single sign-on feature so you can have both a secure and complex password and easy access to your site's WordPress. We explain how to use it in this article: Single sign-on (SSO).
In addition to login protection, you can use our Website access feature to secure your login area even further.