Lightweight login security with IP blocking, automatic URL change, and email alerts.
BlockForce WP is a lightweight yet powerful security plugin designed to protect your WordPress login page from brute-force attacks. It combines persistent IP blocking, automatic login URL changing, and detailed activity logging into a simple, easy-to-use package.
| Feature | Description |
|---|---|
| 🛡️ Brute Force Protection | Automatically blocks IPs after failed login attempts |
| 🔒 Persistent Blocking | Blocks stored in database, survives cookie clears |
| 🔄 Auto URL Change | Automatically changes login URL when attacks persist |
| 📋 Activity Log | Detailed log of all login attempts with pagination |
| 📧 Email Alerts | Get notified when your login URL changes |
| 👻 Stealth Mode | Default wp-login.php redirects to 404 when custom URL active |
| 📊 Dashboard Widget | Quick security overview on your dashboard |
| ❤️ Site Health | Plugin status in WordPress Site Health |
| 🔧 Granular Reset | Reset specific components without losing all data |
🔒 BlockForce WP (top-level menu)
├── 📊 Overview — Login status & blocked IPs
├── 📋 Activity Log — Browse login attempts
├── ⚙️ Settings — Configure protection options
└── 🔧 Reset & Tools — Granular reset options
- Upload the plugin to
/wp-content/plugins/blockforce-wp - Activate through the 'Plugins' screen
- Navigate to BlockForce WP in the admin sidebar
| Setting | Description | Default |
|---|---|---|
| Maximum Failed Attempts | Attempts before triggering protection | 2 |
| IP Block Duration | How long to block malicious IPs | 120 seconds |
| Attack Monitoring Window | Window for tracking persistent attacks | 7200 seconds |
| Enable IP Blocking | Block IPs after failed attempts | Enabled |
| Enable Auto URL Change | Change URL on persistent attacks | Enabled |
| Security Alert Email | Email for notifications | Admin email |
- Clear Activity Logs — Remove all login records
- Clear Blocked IPs — Unblock all IP addresses
- Clear Attempt Tracking — Reset login counters
- Reset Login URL — Restore default wp-login.php
- Full Reset — All of the above (settings preserved)
Method 1: Wait it out Block duration expires automatically (default: 2 minutes)
Method 2: Unblock via database
DELETE FROM wp_options WHERE option_name = 'bfwp_blocked_YOUR.IP.ADDRESS';Replace YOUR.IP.ADDRESS with your actual IP (e.g., 192.168.1.100)
Method 3: Reset secret login URL
DELETE FROM wp_options WHERE option_name = 'blockforce_login_slug';This restores the default wp-login.php
Method 4: Disable via FTP
Rename /wp-content/plugins/blockforce-wp to blockforce-wp-disabled
Check your email for the notification, or go to BlockForce WP → Overview.
BlockForce WP focuses on login protection and should work with most security plugins. Test in staging first.
- WordPress 5.0+
- PHP 7.4+
- MySQL 5.6+ or MariaDB 10.0+
GPLv2 or later. See LICENSE.
RahulPalXDA
⭐ If you find this plugin useful, please consider giving it a star!