HackBlocker
Stop Malicious Login Attempts in Their Tracks
HackBlocker is a lightweight, plug-and-play WordPress security plugin designed to block unauthorised login attempts, safeguard against brute-force attacks, and keep a detailed record of both blocked attempts and successful logins. By adding an extra layer of protection to your wp-login.php, HackBlocker helps site owners focus on growth – not on security breaches.
| Compatibility | WordPress 5.0+, PHP 7.4+ |
|---|---|
| Prerequisites | MySQL, WP-Cron enabled |
From £49.00
NO RISK - 14 day money back guarantee
KEY FEATURES
Automatic Username & IP Blocking
HackBlocker instantly blocks login attempts for usernames that don’t exist and automatically bans the originating IP address after a failed attempt.
Safe-List Configuration
Easily add your admin and trusted users’ IPs and usernames to a safe-list to prevent accidental lockouts.
Detailed Logging
Record up to 100 entries each of:
- Blocked usernames (with timestamps)
- Blocked IP addresses
- Successful logins (username, IP, timestamp)
Admin Dashboard
View and manage logs directly in the WordPress admin: clear logs, unblock IPs, and export data if needed.
Lightweight & Dependency-Free
No third-party services or heavy firewall solutions—just simple, standards-based PHP hooked into WordPress core.
Brute-force protection
IP safe-lists & blacklists
Real-time logging
GDPR-compliant
The Benefits of Using HackBlocker
REDUCE BRUTE-FORCE ATTACKS
Automated blocking dramatically cuts down on repeated login attempts from malicious actors.
PREVENT USERNAME ENUMERATION
GAIN VISIBILITY
Detailed logs give you clear insights into who’s trying (and succeeding) to log in, so you can spot patterns and adjust your security policies.
MINIMISE ADMINISTRATIVE OVERHEAD
All management happens in your existing WordPress dashboard—no need for server-level tools or custom scripts.
FAST SETUP
14-DAY MONEY BACK GUARANTEE
Give it a try and if it’s not for you, we’ll refund your purchase. T&Cs apply.
How HackBlocker Works
- Login Attempt: A user submits credentials via wp-login.php.
- Non-existent Username Check: If the username isn’t in the database (and not on your safe-list), HackBlocker logs the attempt and bans the username and IP.
- Safe-List Bypass: Administrators and trusted IPs bypass blocking logic to avoid lockouts.
- Logging: Every blocked attempt and every successful login is recorded with username, IP, and timestamp.
- Dashboard Controls: Review logs, clear entries, and unblock IPs as needed – all from the HackBlocker admin menu.
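The flow above, combined with the one-strike policy and 100-entry rolling log described in the FAQ, can be modelled in a few lines. This is an added illustration in Python, not HackBlocker's own code. The class, method names and return values are hypothetical, and it assumes a match on either the IP or the username safe-list is enough to bypass blocking.

```python
from collections import deque
from datetime import datetime, timezone

LOG_LIMIT = 100  # the page states logs keep the 100 most recent entries


class LoginGuard:
    """Constructed model of the described flow; not HackBlocker's own code."""

    def __init__(self, users, safe_ips=(), safe_usernames=()):
        self.users = dict(users)  # username -> password, plain text for the demo only
        self.safe_ips = set(safe_ips)
        self.safe_usernames = set(safe_usernames)
        self.blocked_ips = set()
        self.blocked_usernames = set()
        self.blocked_log = deque(maxlen=LOG_LIMIT)  # oldest entries roll off
        self.success_log = deque(maxlen=LOG_LIMIT)

    def attempt(self, username, password, ip, now=None):
        now = now or datetime.now(timezone.utc)
        # Assumption: a match on either safe-list is enough to bypass blocking.
        safe = ip in self.safe_ips or username in self.safe_usernames
        banned = ip in self.blocked_ips or username in self.blocked_usernames
        if banned and not safe:
            # Rejected before credentials are checked, even if they are correct.
            self.blocked_log.append((username, ip, now))
            return "blocked"
        if username in self.users and self.users[username] == password:
            self.success_log.append((username, ip, now))
            return "ok"
        if safe:
            return "failed"  # safe-listed sources can retry after a typo
        # One strike: any failure bans the IP; unknown usernames are banned too.
        self.blocked_ips.add(ip)
        if username not in self.users:
            self.blocked_usernames.add(username)
        self.blocked_log.append((username, ip, now))
        return "blocked"

    def unblock_ip(self, ip):
        """Dashboard action: lift an IP ban."""
        self.blocked_ips.discard(ip)
```

In this model a single mistyped password from an address that is not safe-listed locks that address out, correct credentials included, until it is unblocked, which is the case the safe-list exists to cover.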
FAQ
Does HackBlocker work with WordPress Multisite?
Unfortunately, HackBlocker is designed for single-site WordPress installations only. It cannot be network-activated across a Multisite (network) setup. If you wish to protect multiple subsites, you’ll need to install and activate HackBlocker individually on each one.
We’re exploring full Multisite support in a future release – if this is critical for your workflow, please get in touch so we can discuss timelines and potential workarounds.
How do I renew my licence?
You’ll receive an email reminder 30 days before your licence expires, with a renewal link. Simply follow that link to renew for another year at your current rate. If you miss the reminder, you can also log in to your account dashboard on apps-and-plugins.co.uk and click Renew Licence next to HackBlocker.
What types of attacks does HackBlocker protect against?
HackBlocker guards against:
- Brute-force login attempts (rapid username/password guessing)
- XML-RPC pingbacks (common WordPress attack vector)
- Invalid username probes (stops bots trying default/weak usernames)
All blocked attempts are logged for your review.
What is the lockout threshold for failed login attempts and non-existent usernames?
HackBlocker enforces a strict one-strike policy: any failed login – whether an incorrect password for a valid account or an attempt with a non-existent username – will immediately block that IP address. All blocked attempts (including the attempted username, IP and timestamp) are kept in a rolling log of your 100 most recent entries under Tools → HackBlocker Logs.
Why block on first failure (including bogus usernames)?
This approach not only stops brute-force attacks dead in their tracks but also prevents “username enumeration” tactics – where attackers probe your site for valid account names. By cutting off all failed attempts instantly, you significantly reduce malicious traffic and preserve server resources.
Will HackBlocker impact my site’s performance?
HackBlocker is built for efficiency: all security checks run at the PHP level with no external API calls, and there’s no extra database overhead beyond logging. In our internal tests on a typical WordPress installation, we observed no noticeable impact on page-load times. Of course, actual performance can vary depending on your hosting environment, theme and other active plugins – but in almost every case, HackBlocker runs completely transparently.
How do I view blocked attempt logs?
All blocked login attempts are recorded in Tools → HackBlocker in your WordPress dashboard. There you can scroll through the most recent 100 entries, each showing timestamp, IP and attempted username.
- Single-Site Licence: £49 + VAT, annually
- Three-Site Licence: £79 + VAT, annually
- Ten-Site Licence: £149 + VAT