WP Ghost with Limit Login Attempts Reloaded – Login Security Overlap and Configuration
October 18, 2021
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
WP Ghost (formerly Hide My WP Ghost) and Limit Login Attempts Reloaded (LLAR) are compatible but overlap heavily on login security. Both limit login attempts, block IPs after failed logins, and offer configurable lockout durations. WP Ghost already includes all of LLAR’s core features plus path security, firewall, 2FA, security headers, and more. If you use WP Ghost, LLAR is redundant. If you run both, enable login limits in one plugin only.
The Login Limiter Overlap
Limit Login Attempts Reloaded is a focused plugin that limits login attempts, blocks IPs after failed logins, offers configurable lockout timings, custom lockout messages, IP whitelisting/blacklisting, and XMLRPC protection. WP Ghost includes all of these features in its brute force protection module, plus reCAPTCHA (Math, Google V2/V3), protection on multiple form types (login, register, lost password, comments, WooCommerce), and 2FA with passkeys. Running both means double-processing every login attempt.
Recommended Configuration
Option A: Use WP Ghost for everything (recommended)
WP Ghost covers all of LLAR’s login features plus path security, 7G/8G firewall, security headers, country blocking, 2FA, text/URL/CDN mapping, and activity logs. You can deactivate LLAR and use WP Ghost alone.
Option B: Use LLAR for login limits, WP Ghost for everything else
If you prefer LLAR’s interface or its cloud-based premium features, disable WP Ghost’s brute force protection at WP Ghost > Brute Force. Use WP Ghost for path changes, firewall, security headers, and mapping. Use LLAR for login attempt limits and IP blocking.
Feature Comparison
| Feature Category | WP Ghost | LLAR |
|---|---|---|
| Path Security (wp-admin, login, plugins, themes, uploads, REST API) | Yes | – |
| 7G and 8G Firewall | Yes | – |
| Security Headers (HSTS, CSP, X-Frame-Options) | Yes | – |
| Two-Factor Authentication (Code, Email, Passkeys) | Yes | – |
| Brute Force Protection (login, register, lost password, comments, WooCommerce) | Yes | Login & XMLRPC only |
| Login Attempt Limits & Configurable Lockout | Yes | Yes |
| IP Blacklist / Whitelist | Yes | Yes |
| Custom Lockout Message | Yes | Yes |
| Google reCAPTCHA V2/V3 & Math reCAPTCHA | Yes | – |
| Country Blocking | Yes | – |
| Text, URL, and CDN Mapping | Yes | – |
| Cloud-Based IP Intelligence (Premium) | – | Yes |
| Activity Log & Email Alerts | Yes | Yes |
Frequently Asked Questions
Do I need LLAR if I use WP Ghost?
For most sites, no. WP Ghost includes login attempt limits, lockout timings, IP blocking, and reCAPTCHA. LLAR’s premium version adds cloud-based IP intelligence (shared blocklists across all LLAR users) — this is the only feature WP Ghost does not provide. If you need cloud IP intelligence, LLAR Premium adds value alongside WP Ghost.
Will both plugins conflict?
Yes, if both have login limits active. Both intercept failed login attempts and manage IP blocking independently. Double-processing can cause unexpected lockouts or conflicting ban lists. Enable login protection in one plugin only.
LLAR protects XMLRPC and WooCommerce logins. Does WP Ghost?
Yes. WP Ghost’s brute force protection covers the login form, registration, lost password, comments, and WooCommerce login. WP Ghost also lets you disable XMLRPC access entirely or whitelist specific services.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses rewrite rules and WordPress hooks. No core files modified. Deactivating restores all defaults.
Related Tutorials
Brute Force Protection – WP Ghost’s built-in login protection features.
Customize All WordPress Paths – features LLAR does not offer.
Header Security – security headers LLAR does not provide.
Compatibility Plugins List – all tested security plugins.
Website Security Check – verify your configuration.
