Add a delay to your WordPress login form


Or why *not* to add a delay … ! It is important to protect your WordPress website from brute-force attacks, and various security plugins exist for doing so. For the purpose of this article, I modified the WordPress Login Delay plugin to use a fixed delay of three seconds for my wp-login.php page. This gives you an easy-to-use method of protecting your WordPress login form (but do read the caveats!).

Brute-force protection?

As Jeff Atwood writes on his blog:

Limiting the number of login attempts per user is security 101. If you don’t do this, you’re practically setting out a welcome mat for anyone to launch a dictionary attack on your site, an attack that gets statistically more effective every day the more users you attract.

Go read his post on Dictionary Attacks 101 first.

WordPress Login Delay plugin

The following code can be used as a plugin (create login-delay\login-delay.php) or in your theme's functions.php file.

<?php
/**
 * Plugin Name: Saotn WordPress Login Delay
 * Description: Saotn WordPress Login Delay plugin adds a three second delay
 *   when logging into WordPress. This slows down brute-force attacks on
 *   your website. However, it is not recommended to use sleep(), because
 *   a heavy brute-force attack will let all those POST requests sleep
 *   for the given amount of time.
 * Original plugin name: WordPress Login Delay
 * Original plugin URI:
 * Version: 1.0
 * Author: Jan Reilink
 * Author URI:
 * Original author: Michael Damoiseau
 * Original author URI:
 */

if ( ! function_exists( 'saotn_auth_login' ) ) {
    // Hooked on wp_authenticate_user: pause, then pass the user through unchanged.
    function saotn_auth_login( $user, $password ) {
        $delay = 3; // fixed delay in seconds
        sleep( $delay );

        return $user;
    }
    add_filter( 'wp_authenticate_user', 'saotn_auth_login', 1, 2 );
}
?>

Here we use add_filter and wp_authenticate_user to add a simple delay to our WordPress login page. Please read the description carefully.

Login delay caveats

A note on something you have to keep in mind (if you’ve read the code comments, you already know): using sleep() in your code is not recommended, because the PHP process sleeps for the configured time. A brute-force attack of 1000 requests makes 1000 processes sleep for three seconds each.

It is better to only allow your IP address access to /wp-login.php, see my WordPress web.config for an example on IIS, or use a captcha protection.

The code is provided “as-is”, just to show you a different angle than the one a lot of plugins take.
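
The sleep() caveat above and the "limit the number of login attempts per user" point from the quote can be combined without blocking a PHP worker. The following is an added example, not part of the original plugin or of WordPress core: it counts failed logins per account in a transient and rejects further attempts immediately. The function names, the threshold of 5 and the 15-minute window are assumptions.

```php
<?php
// Added example (not the original plugin): per-account attempt limiting
// without sleep(). Threshold and window are assumed values; tune them.
const SAOTN_MAX_FAILURES = 5;   // failures allowed before lockout
const SAOTN_LOCK_SECONDS = 900; // lockout window in seconds (15 minutes)

function saotn_failure_key( $user_id ) {
    return 'saotn_login_fail_' . (int) $user_id;
}

// Same hook as the delay plugin: reject at once when the account is locked.
function saotn_check_lockout( $user, $password ) {
    if ( $user instanceof WP_User
        && (int) get_transient( saotn_failure_key( $user->ID ) ) >= SAOTN_MAX_FAILURES ) {
        return new WP_Error( 'saotn_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'saotn_check_lockout', 1, 2 );

// Count each failed attempt against the account it targeted.
function saotn_count_failure( $username, $error = null ) {
    // Attempts rejected by the lockout itself do not extend the lockout.
    if ( is_wp_error( $error ) && 'saotn_locked' === $error->get_error_code() ) {
        return;
    }
    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        $user = get_user_by( 'email', $username );
    }
    if ( ! $user ) {
        return; // unknown account: nothing to count against
    }
    $key = saotn_failure_key( $user->ID );
    // get_transient() returns false when unset, which casts to 0.
    set_transient( $key, (int) get_transient( $key ) + 1, SAOTN_LOCK_SECONDS );
}
add_action( 'wp_login_failed', 'saotn_count_failure', 10, 2 );

// A successful login clears the counter.
function saotn_clear_failures( $user_login, $user ) {
    delete_transient( saotn_failure_key( $user->ID ) );
}
add_action( 'wp_login', 'saotn_clear_failures', 10, 2 );
```

The transient increment is not atomic, so under heavy parallel load the count can lag slightly, and a locked account also locks out its legitimate owner until the window expires.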


About the author

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely a systems administrator, doing my daily SysOps/DevOps thing at cldin. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
