Free Forever v1.0.0 GPL-2.0+

Stop brute force attacks.
Require two-factor auth.
Ship with confidence.

LoginPlus is the login security layer every WordPress site installs first. Brute force lockouts, TOTP 2FA, Google social login, and a full audit log — all set up in 60 seconds with the one-click wizard.

No license key. No account. Works on WordPress 6.0+ with PHP 7.4+.

WordPress 6.0+Minimum version
PHP 7.4+PHP requirement
Self-hostedNo external API calls
SQLite + MySQLDatabase support
GDPR-readyIP hashing mode

See the plugin in action.

Scroll inside the frame to explore the full admin interface.

LoginPlus admin interface preview

Everything you need. Nothing you don’t.

Five security modules covering brute force, 2FA, social login, audit logging, and alerts — set up in one click.

🛡️

Brute Force Protection

Auto-lockout after N failed attempts per IP. IP allowlist for trusted addresses. Uses WordPress transients — no extra DB table, no cron required.

  • Configurable threshold & lockout duration
  • IP allowlist for trusted admins & offices
  • CF-Connecting-IP + X-Forwarded-For support
📱

Two-Factor Authentication

TOTP (RFC 6238) compatible with Google Authenticator, Authy, and 1Password. Email OTP fallback when no app is available. Pure PHP — zero external API calls.

  • QR code setup via user profile page
  • 8 single-use recovery codes
  • Email OTP fallback for non-TOTP users
🔐

Google Social Login

Let users sign in with Google via OAuth 2.0. Links to existing accounts by email, creates new accounts when none exist. Server-side token exchange only.

  • OAuth 2.0 Authorization Code flow
  • CSRF state token protection
  • Client secret encrypted at rest (AES-256)
🔍

Login Activity Logging

Complete audit trail of every login and failed attempt. Stored in a dedicated table with configurable retention and automatic WP-Cron cleanup.

  • User ID, username, IP, user agent, timestamp
  • Configurable retention (default 90 days)
  • GDPR mode: SHA-256 IP hashing
📧

Email Alerts

Admins receive instant notifications for security events. Rate-limited to prevent alert fatigue. Uses wp_mail() — no SMTP config needed.

  • New IP login alerts for admin accounts
  • Brute force threshold notifications
  • 1 alert per IP per hour (rate-limited)

One-Click Setup Wizard

After activation, a full-screen wizard walks through every option. Toggle what you want, click one button, and your site is protected.

  • Activates in 60 seconds flat
  • Safe defaults out of the box
  • Fully configurable from the admin panel

Up and running in 60 seconds.

The wizard handles everything. No config files, no SQL, no manual steps.

01

Install the plugin

Upload loginplus-1.0.0.zip via WP Admin → Plugins → Add New. Click Install, then Activate.

02

Run the wizard

LoginPlus redirects you to a full-screen setup wizard. Toggle what you want, then click “Save & Activate”.

03

You’re protected

Brute force protection, logging, and email alerts are live. The dashboard shows real-time activity.

Built the WordPress way.

LoginPlus extends WordPress security using native hooks. It never replaces wp-login.php, never patches core, and adds zero complexity to your authentication stack.

  • Hook-first design — all features run through authenticate, wp_login, and wp_login_failed filters
  • Transient-based lockouts — no custom DB table for brute force; auto-expires with WordPress’s built-in TTL
  • AES-256 encryption — 2FA secrets and OAuth credentials encrypted at rest using your site’s auth keys
  • Zero HTTP in the critical path — TOTP verification is pure PHP with no external calls during login
authenticate filter chain
// Priority 1
LP_Brute_Force::check_lockout()
// Priority 5
LP_2FA::handle_token_step()
// Priority 10
wp_authenticate_username_password (core)
// Priority 20
LP_Logger::log_success()
// Priority 30
LP_2FA::intercept_after_password()
LP_Email_Alerts::check_new_ip()

Ready to lock down your login page?

Free forever. One-click setup. No account required.

← Browse all plugins View source on GitHub →