
WM Login Shield

Rate limiting, geo-blocking, and 2FA for wp-admin.

v1.1.0 Included Stable
  • Free: on all Wordimatic managed plans
  • $0: no license fees, ever
  • Auto: updates maintained by Wordimatic
  • Open: available to audit on request

wp-login.php is the most attacked URL on the internet. Every public WordPress site gets probed for weak credentials — it’s automated, constant, and largely invisible until it succeeds. WM Login Shield adds the three layers that stop the vast majority of attacks: rate limiting, two-factor authentication, and real-time lockout alerts.

Rate limiting tracks login attempts per IP and locks out the source after a configurable threshold (default: 5 failures in 10 minutes). Your own IP is automatically added to the allowlist on activation, so you can’t accidentally lock yourself out during setup. If you do find yourself locked out, defining WM_LOGIN_SHIELD_BYPASS in wp-config.php provides a recovery path without needing server access. Optional geo-blocking via the MaxMind GeoLite2 database (free license required) lets you restrict logins to specific countries if your user base is geographically predictable.

Two-factor authentication is self-service: users enrol a TOTP authenticator from their profile page and any standard TOTP app — Google Authenticator, Authy, 1Password — works immediately. Admins can mandate 2FA for specific roles, so you can require it for administrators and editors without forcing it on lower-privilege users. Every lockout triggers an email to the site admin with the IP, timestamp, and attempted username, giving you a real-time signal when an attack is in progress rather than finding out weeks later in a server log.
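The self-service enrolment and the login-time check described above, modelled in Python as an added example (this is not the plugin's own code, which is PHP). It implements RFC 4226 HOTP and RFC 6238 TOTP with the defaults that Google Authenticator, Authy and 1Password expect (30-second step, 6 digits, HMAC-SHA1), tolerates one step of clock skew, compares codes in constant time, and refuses a code that was already accepted so it cannot be replayed inside its window. The set of roles that mandate 2FA and the issuer name are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Constructed example modelling self-service TOTP enrolment and verification as the page
# describes it; not the plugin's own code. RFC 6238 defaults, which all common apps use.
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6
ROLES_REQUIRING_2FA = {"administrator", "editor"}  # assumption: roles an admin mandates


def generate_secret(num_bytes: int = 20) -> str:
    """Create a fresh base32 secret (160 bits, the RFC 4226 recommendation)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, username: str, issuer: str) -> str:
    """otpauth:// URI the profile page shows as a QR code for the authenticator app to scan."""
    label = quote(f"{issuer}:{username}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={TOTP_DIGITS}&period={TOTP_STEP_SECONDS}")


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at_time) // step)


class TotpEnrolment:
    """Per-user enrolment record: the secret plus the last accepted time step, so a code
    that was already used cannot be replayed while its 30-second window is still open."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: float = None, window: int = 1) -> bool:
        """Accept the current step and +/- `window` neighbours to tolerate clock skew,
        compare in constant time, and refuse any step at or before the last accepted one."""
        if at_time is None:
            at_time = time.time()
        current = int(at_time) // TOTP_STEP_SECONDS
        for step in range(current - window, current + window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed (or older): replay protection
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def second_factor_policy(username: str, user_roles, enrolments: dict) -> str:
    """Decision the login flow makes after the password check succeeds:
    'challenge' if the user is enrolled, 'enrol' if their role mandates 2FA but they
    have not enrolled yet, 'skip' for lower-privilege users who are not enrolled."""
    if username in enrolments:
        return "challenge"
    if ROLES_REQUIRING_2FA & set(user_roles):
        return "enrol"
    return "skip"


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice", "example.com"))  # issuer is a placeholder
    enrolment = TotpEnrolment(secret)
    print("current code accepted:", enrolment.verify(totp(secret, time.time())))
```

The `last_accepted_step` field is the detail most home-grown TOTP checks omit: without it, a code phished or shoulder-surfed seconds ago is still valid, and with a skew window of one step it stays valid for up to 90 seconds.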

How it works

Three steps to get up and running

1. Rate limiting

Login attempts are tracked per IP. After a configurable number of failures (default: 5 in 10 minutes), the IP is locked out for a configurable duration.

2. Two-factor authentication

Users can self-enrol TOTP 2FA from their profile. Admins can mandate 2FA for specific roles. Standard authenticator apps (Google Authenticator, Authy, 1Password) are supported.

3. Lockout notifications

When an IP is locked out, an email is sent to the site admin with the IP, timestamp, and username attempted. Admins can unblock IPs from the plugin's dashboard.
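Steps 1 and 3 above (and the overview paragraphs earlier on the page) describe a per-IP sliding-window limiter with a lockout and an admin notification. The following is an added example that models that behaviour in Python; it is not the plugin's PHP code. The threshold matches the stated default (5 failures in 10 minutes). The lockout duration of 900 seconds, the allowlist/denylist handling, the `bypass_defined` flag standing in for `WM_LOGIN_SHIELD_BYPASS`, and the IP addresses used in the test are assumptions or constructed values.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Constructed model of the rate-limiting, lockout and notification layers described on
# the page; not the plugin's own code. Defaults: 5 failures in 600 seconds (page default),
# lockout_seconds is assumed because the page only says it is configurable.
@dataclass
class ShieldConfig:
    max_failures: int = 5
    window_seconds: int = 600
    lockout_seconds: int = 900                      # assumption
    allowlist: set = field(default_factory=set)     # your own IP goes here on activation
    denylist: set = field(default_factory=set)
    bypass_defined: bool = False                    # models WM_LOGIN_SHIELD_BYPASS in wp-config.php


class LoginShield:
    def __init__(self, config: ShieldConfig, notify, clock=time.time):
        self.config = config
        self.notify = notify        # callable that receives the lockout event (the email hook)
        self.clock = clock          # injectable so the window logic can be tested offline
        self.failures = {}          # ip -> deque of failure timestamps inside the window
        self.locked_until = {}      # ip -> unix time at which the lockout expires
        self.attempt_log = []       # the "login attempt log" feature: (time, ip, user, outcome)

    def _exempt(self, ip) -> bool:
        """Recovery paths: a bypass constant or an allowlisted IP can never be locked out."""
        return self.config.bypass_defined or ip in self.config.allowlist

    def _recent_failures(self, ip, now) -> deque:
        q = self.failures.setdefault(ip, deque())
        while q and now - q[0] >= self.config.window_seconds:
            q.popleft()             # sliding window: forget failures older than the window
        return q

    def is_locked(self, ip, now=None) -> bool:
        if now is None:
            now = self.clock()
        if self._exempt(ip):
            return False
        if ip in self.config.denylist:
            return True
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]   # lockout has expired
            return False
        return True

    def attempt(self, ip, username, password_ok) -> str:
        """Runs on every login path. Returns 'locked', 'success' or 'failed'. A locked IP is
        refused before the password is considered, so a correct guess gives no signal."""
        now = self.clock()
        if self.is_locked(ip, now):
            self.attempt_log.append((now, ip, username, "locked"))
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)     # a success resets the counter
            self.attempt_log.append((now, ip, username, "success"))
            return "success"
        q = self._recent_failures(ip, now)
        q.append(now)
        self.attempt_log.append((now, ip, username, "failed"))
        if len(q) >= self.config.max_failures and not self._exempt(ip):
            self.locked_until[ip] = now + self.config.lockout_seconds
            self.failures.pop(ip, None)
            event = {"ip": ip, "timestamp": now, "username": username,
                     "unlock_at": self.locked_until[ip]}
            self.notify(event)              # real-time signal to the site admin
            return "locked"
        return "failed"

    def unblock(self, ip):
        """Dashboard action: lift a lockout early and clear the counter."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def lockout_email(event) -> str:
    """Body of the admin notification: the IP, timestamp and attempted username."""
    when = datetime.fromtimestamp(event["timestamp"], timezone.utc).isoformat()
    return (f"Login lockout on your site\nIP: {event['ip']}\nTime: {when}\n"
            f"Username attempted: {event['username']}\n")


if __name__ == "__main__":
    shield = LoginShield(ShieldConfig(), lambda ev: print(lockout_email(ev)))
    for _ in range(5):                      # constructed probe from a documentation-range IP
        print(shield.attempt("203.0.113.7", "admin", False))
```

Two details matter for defenders. The lockout is checked before the password, so the fifth-plus-one request is refused even with the right credentials; otherwise the limiter leaks whether a guess was correct. And the allowlist is consulted when deciding whether to lock, not only when deciding whether to refuse, which is what stops an operator from being locked out of their own site during setup.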

Key features

What's included

  • Configurable rate limiting
  • IP allowlist / denylist
  • TOTP two-factor authentication
  • Automatic lockout email notifications
  • Login attempt log

Use cases

Who it's for

  • Stop brute-force attacks on wp-login.php without relying on a WAF or hosting firewall.
  • Enforce 2FA for admin and editor roles on client sites as a baseline security requirement.
  • Get instant notifications when a login attack is in progress.

Requirements

Technical requirements

  • WordPress: 6.0+
  • PHP: 8.1+
  • WooCommerce: not required

Changelog

Version history

v1.1.0
2025-04-15
  • TOTP 2FA added for all user roles
  • Geo-blocking with MaxMind GeoLite2 support
  • IP allowlist/denylist management UI
v1.0.0
2025-01-08
  • Initial release
  • Rate limiting and lockout notifications

FAQ

Frequently asked questions

Does it block by country?

Optional geo-blocking is available using the MaxMind GeoLite2 database (free license key required). You can create an allowlist of permitted countries.

What if I lock myself out?

Your current IP is automatically added to the allowlist on activation. If locked out, you can recover access by defining WM_LOGIN_SHIELD_BYPASS in wp-config.php.

Is it compatible with WooCommerce's My Account login?

Yes. The plugin hooks into wp_authenticate and covers all WordPress login paths, including WooCommerce.

Get access

WordPress plugins, maintained by engineers.

Every Wordimatic managed plan includes our full plugin library — no license fees, no manual updates, no compatibility surprises.