Login Delay Shield
Login Delay Shield slows down brute-force attacks by adding a configurable delay to failed login attempts while keeping successful logins instant.
4.4(5 reviews)
·80 active installs·Updated 5 days agoAs of April 2026, Login Delay Shield is a WordPress login plugin with 80 active installations and a 4.4/5 rating from 5 reviews. It has been downloaded 4.5K+ times in total. Requires WordPress 3.5.1+ and PHP 7.4+. Available on WordPress.org since 2013. Actively maintained — updated within the last month. Top alternative: WPS Hide Login.
4.4/55 reviews
80active installs
4.5K+total downloads
13 yearssince 2013
Overview
WordPress is one of the most widely used content management systems on the internet, making it a frequent target for bots and hackers attempting brute-force attacks.
A brute-force attack works by systematically trying passwords until finding the correct one. Login Delay Shield defends against this by adding a configurable delay after each failed login attempt. Since successful logins are never delayed, legitimate users experience no slowdown. This approach is particularly effective against bots that send thousands of login requests, as each failed attempt forces the attacker to wait before trying the next password.
Features:
- Login delay — Fixed or random delay on failed login attempts (1-10 seconds)
- Progressive delay — Delay increases with each consecutive failed attempt from the same IP …
Screenshots
Ratings & Reviews
4.45 reviews
5 ★
4
4 ★
0
3 ★
0
2 ★
1
1 ★
0
Compatibility
| WordPress | 3.5.1+ requiredTested up to 6.9.4 |
| PHP | 7.4+ required |
Top Alternatives to Login Delay Shield
Frequently Asked Questions
Changelog
2.2.3
Complete Custom Login URL runtime, Trend Analytics queries, and bug fixes.
New Features:
* Custom Login URL runtime — custom slug now fully functional with login, logout, lost password, and password reset all routed through the custom URL.
* Custom Login URL admin UI — settings card with enable/disable toggle, slug input, status badge, and tooltip help.
* Trend Analytics query functions — wldelay_get_top_ips(), wldelay_get_top_usernames(), and wldelay_get_daily_attempts() for dashboard trend data.
Bug Fixes:
* Fixed double wp_unslash() on login username that could corrupt usernames with literal backslashes.
* Fixed wp_login_url filter name (was wp_login_url, should be login_url) preventing URL rewriting.
* Fixed canonical redirect leaking custom login slug via 302 when /wp-login.php is accessed through the front controller.
* Fixed login_init blocking internal WordPress paths (e.g. /wp/wp-login.php) used for legitimate auth redirects.
Improvements:
* Expanded reserved slug list with wp-json, wp-content, wp-includes, wp-signup, wp-activate, xmlrpc, feed, robots, sitemap.
* Replaced production wldelay_unlock_current_ip_should_exit filter with WP_TESTS_DOMAIN constant check — no longer exposes a testability surface in production.
* Wrapped Custom Login URL section titles in esc_html__() for i18n completeness.
* Added Custom Login URL to the protection features summary box.
* Added Playwright end-to-end tests for full Custom Login URL verification.
Contributors
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.