Brute Force IP/Login Restriction not working

I’ve installed an activity log plugin ( and notice many Brute Force attacks trying to login with a wrong combination of user id/passwords. The user IDs used for these attacks don’t belong to any of the subscribers. I have like 20 attacks in a row that come from the same IP every time and there is an attack every minute.

In Brute Force IP/Login Restrictions the setting is: “allow 3 failed attempts login (then punish for 30 minutes)”. So after the third attempt, that user ID/IP should be punished for 30 minutes: but this doesn’t happen, since the 4th and following attempts happen just one minute later.

I also set Unique IP Access Restriction to 5 IPs per customer every 30 days with 30 minutes of punishment, and restricted the simultaneous logins to 2.

The other plugin I use that could be related (but which doesn’t have a similar function) is User Blocker (

I tried to reset the logs, but nothing changed. Any suggestion? Thank you!

No WordPress plug-in that blocks attacks can prevent the attack…just reduce the CPU processing of the attack and prevent brute-force login. You will see all the attack requests in your activity logs unless you block the IP address at the operating system level (which you can do via cPanel).