It is important to protect your WordPress website from brute-force attacks, and various security plugins exist in doing so. For the purpose of this article, I modified the WordPress Login Delay plugin with a fixed delay of three seconds for my wp-login.php page. This provides you with an easy to use method of protecting your WordPress login form (but do read the caveats!).

Brute-force protection?

As Jeff Atwood writes on his blog:

Limiting the number of login attempts per user is security 101. If you don’t do this, you’re practically setting out a welcome mat for anyone to launch a dictionary attack on your site, an attack that gets statistically more effective every day the more users you attract.

Go read his post on Dictionary Attacks 101 first.

WordPress Login Delay plugin

The following code can be used as a plugin, (create login-delay\login-delay.php), or in your THEME functions.php file.

<?php
/*
* Plugin Name: Saotn WordPress Login Delay
* Description: Saotn WordPress Login Delay plugin adds a three second delay 
*   when logging into WordPress. This slows down brute-force attacks on 
*   your website. However, it is not recommended to use sleep(), because 
*   a heavy brute-force attack will let all those POST requests sleep 
*   for the given amount of time.
* Original plugin name: WordPress Login Delay
* Original plugin URI: https://wordpress.org/plugins/wp-login-delay/
* Version: 1.0
* Author: Jan Reilink
* Author URI: https://www.saotn.org
* Original author: Michael Damoiseau 
* Original author URI: http://damoiseau.me
*/

if( !function_exists( 'saotn_auth_login' ) ) {
    function saotn_auth_login ( $user, $password ) {
        (int) $delay = 3;
        sleep( $delay );

        return $user;
    }
    add_filter( 'wp_authenticate_user', 'saotn_auth_login', 1, 2 );
}
?>

Here we use add_filter and wp_authenticate_user to add a simple delay to our WordPress login page.

This may interest you:   WordPress advisory: Akal premium theme XSS vulnerability & abandonded

Login delay caveats

A little note on something you have to keep in mind (and if you’ve read the code comments, you already know): It is not recommended to use sleep(); in your code. Simply because the PHP process sleeps for the time configured, making 1000 processes sleep for three seconds each during a 1000 requests brute-force attack.

It is better to only allow your IP address access to /wp-login.php, see my WordPress web.config for an example on IIS, or use a captcha protection.

The code is provided “as-is”, just to show you different angles of doing things differently than a lot of plugins do.