Add a delay to your WordPress login form

Photo of author
Written By Jan Reilink

Windows Server systems administrator & enthusiast.

Or why *not* to add a delay … ! It is important to protect your WordPress website from brute-force attacks, and various security plugins exist in doing so. For the purpose of this article, I modified the WordPress Login Delay plugin with a fixed delay of three seconds for my wp-login.php page. This provides you with an easy to use method of protecting your WordPress login form (but do read the caveats!).

Brute-force protection?

As Jeff Atwood writes on his blog:

Limiting the number of login attempts per user is security 101. If you don’t do this, you’re practically setting out a welcome mat for anyone to launch a dictionary attack on your site, an attack that gets statistically more effective every day the more users you attract.

Go read his post on Dictionary Attacks 101 first.

WordPress Login Delay plugin

The following code can be used as a plugin, (create login-delay\login-delay.php), or in your THEME functions.php file.

<?php if( !function_exists( 'saotn_auth_login' ) ) { function saotn_auth_login ( $user, $password ) { (int) $delay = 3; sleep( $delay ); return $user; } add_filter( 'wp_authenticate_user', 'saotn_auth_login', 1, 2 ); } ?>
Code language: PHP (php)

Here we use add_filter and wp_authenticate_user to add a simple delay to our WordPress login page. Please read the description carefully.

Login delay caveats

A little note on something you have to keep in mind (and if you’ve read the code comments, you already know): It is not recommended to use sleep(); in your code. Simply because the PHP process sleeps for the time configured, making 1000 processes sleep for three seconds each during a 1000 requests brute-force attack.

It is better to only allow your IP address access to /wp-login.php, see my WordPress web.config for an example on IIS, or use a captcha protection.

The code is provided “as-is”, just to show you different angles of doing things differently than a lot of plugins do.

Did you like: Add a delay to your WordPress login form

Then please, take a second to support Sysadmins of the North and donate!

Your generosity helps pay for the ongoing costs associated with running this website like coffee, hosting services, library mirrors, domain renewals, time for article research, and coffee, just to name a few.

Hi! Join the discussion, leave a reply!