WP Ghost and Limit Login Attempts Reloaded (LLAR) are fully compatible and complement each other. LLAR is one of the most popular WordPress login protection plugins, focused specifically on rate-limiting login attempts and blocking IPs after failed logins. WP Ghost is a comprehensive hack-prevention plugin that focuses on attack surface reduction by changing WordPress paths and adding firewall rules. Running both together gives you defense in depth: WP Ghost prevents bots from finding the login form in the first place, while LLAR catches brute-force attempts that reach the login URL directly.
Why Use Both Plugins Together
Limit Login Attempts Reloaded focuses on one security task: rate-limiting login attempts and blocking IPs that exceed the threshold. It’s a specialist tool with over 2 million active installations. WP Ghost takes a broader approach: it uses server-level rewrite rules to make WordPress paths invisible to bots, plus the 7G/8G firewall, security headers, brute force protection on multiple forms, 2FA with passkeys, and country blocking. Together, WP Ghost makes sure most bots can’t find the login URL at all, and LLAR catches any brute-force attempts that target the login form directly via the standard WordPress login page or XML-RPC.
What Limit Login Attempts Reloaded Provides
LLAR is a focused login protection plugin. Its core strengths are login rate-limiting and IP management:
- Login attempt limiting – blocks IP addresses after a configurable number of failed login attempts via wp-login, XML-RPC, WooCommerce, and custom login pages.
- Configurable lockout – set lockout duration, max retries, and escalating lockout time for repeat offenders.
- IP safelist and blocklist – manually allow or block specific IPs or IP ranges.
- Lockout log – tracks blocked login attempts with IP, username, and timestamp.
- GDPR compliance – tools for handling IP logging in GDPR-compliant ways.
LLAR is a focused login security plugin. It does not handle path security for plugins, themes, or uploads, and it doesn’t include a firewall, security headers, 2FA, country blocking, or any of the broader WordPress security tasks that WP Ghost covers.
What WP Ghost Provides
WP Ghost is a hack-prevention plugin focused on attack surface reduction:
- Path security – changes wp-admin, wp-login, wp-content, plugins, themes, uploads, and other WordPress paths so bots can’t find them.
- 7G/8G Firewall – blocks malicious requests at the rewrite layer before WordPress loads.
- Security headers – HSTS, CSP, X-Frame-Options, X-XSS-Protection, and other browser-level security headers.
- SQL and script injection prevention – blocks common injection patterns at the request level.
- Country blocking – geographic access control by country.
- 2FA and Magic Links – additional authentication factors including code, email, and passkey methods.
- Brute force protection – rate limiting on login, register, lost password, and comment forms with reCAPTCHA support.
Recommended Configuration
LLAR and WP Ghost overlap on login brute force protection. The recommended approach is to let one plugin handle login rate-limiting and the other handle everything else.
Enable in WP Ghost:
- All path security features (login, admin, wp-content, plugins, themes, uploads, REST API).
- 7G/8G Firewall.
- Security headers (HSTS, CSP, X-Frame-Options).
- Country blocking (if needed).
- 2FA with passkeys.
- Brute force protection on register, lost password, and comment forms (LLAR doesn’t cover these).
- Hide WordPress common paths and files.
Enable in LLAR:
- Login attempt limiting (its core feature and main reason to keep it).
- Lockout log for monitoring brute-force activity.
- GDPR compliance tools (if applicable to your region).
Avoid duplication: Both plugins can limit login attempts. Pick one to handle this – using both may cause confusing double-lockout behavior where IPs get blocked by both plugins simultaneously with different lockout times. If you keep LLAR for login limiting, disable WP Ghost’s login brute force protection. Or disable LLAR entirely and let WP Ghost handle all brute force across login, register, lost password, comments, and WooCommerce forms in one place.
Feature Comparison
Use this comparison to decide which plugin should handle each feature on your site:
| Feature Category | LLAR | WP Ghost |
|---|---|---|
| Path Security (wp-admin, login, plugins, themes, uploads, REST API) | – | Yes |
| 7G and 8G Firewall | – | Yes |
| Security Headers (HSTS, CSP, X-Frame-Options) | – | Yes |
| Country Blocking | – | Yes |
| Two-Factor Authentication (Code, Email, Passkeys) | – | Yes |
| Magic Link Login & Temporary Logins | – | Yes |
| Limit Login Attempts (wp-login, XML-RPC, WooCommerce) | Yes | Yes |
| Brute Force on Register, Lost Password, Comments | – | Yes |
| reCAPTCHA (Math, V2, V3) | – | Yes |
| Cloud IP Blocklist (shared malicious IP database) | Premium | – |
| IP Safelist / Blocklist | Yes | Yes |
| Disable XML-RPC | Yes | Yes |
| Text, URL, and CDN Mapping | – | Yes |
| GDPR Compliance Tools | Yes | – |
| Activity Log & Email Alerts | Lockout log | Yes |
Frequently Asked Questions
Will WP Ghost and Limit Login Attempts Reloaded conflict?
They can conflict on login limiting if both are active. Both plugins limit failed login attempts – using both means double-lockouts with potentially different lockout times. Pick one plugin to handle login limiting and disable it in the other. The rest of the features don’t overlap at all.
Do I need LLAR if I have WP Ghost?
Probably not. WP Ghost includes its own login attempt limiting plus much more: brute force protection on register, lost password, and comment forms, reCAPTCHA, 2FA with passkeys, and full path security. LLAR’s only unique features are its cloud IP blocklist (Premium) and GDPR compliance tools. If you don’t need those, WP Ghost alone covers all login protection and significantly more.
I already have LLAR installed. Should I keep it?
If you’re adding WP Ghost to a site that already has LLAR, you have two options. Option 1: keep LLAR for login limiting and use WP Ghost for everything else (path security, firewall, headers, 2FA, etc.) – just disable WP Ghost’s login brute force to avoid double-lockouts. Option 2: disable LLAR entirely and let WP Ghost handle all brute force protection across all forms. Option 2 is simpler and reduces plugin count.
What about LLAR’s cloud protection feature?
LLAR Premium’s cloud protection blocks known malicious IPs from a shared database before they even reach the login form. WP Ghost doesn’t have this specific feature, but WP Ghost’s approach is different: instead of blocking known bad IPs, WP Ghost makes the login URL invisible so bots can’t find it at all. Combined with WP Ghost’s 7G/8G firewall and country blocking, most malicious traffic is blocked before it reaches the login form regardless.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce, and LLAR protects WooCommerce login pages too. Both plugins can protect WooCommerce login forms, so use only one for this to avoid conflicts.
Does WP Ghost modify WordPress core files?
No. WP Ghost writes rewrite rules to .htaccess (Apache) or hidemywp.conf (Nginx) and uses WordPress hooks for application-level changes. No core files are modified. Deactivating WP Ghost restores all defaults instantly.
Related Tutorials
WP Ghost compatibility with other security plugins:
- WP Ghost and Wordfence – Configuration guide for both plugins.
- WP Ghost and Solid Security – Configuration guide for both plugins.
- WP Ghost and WP Cerber – Configuration guide for both plugins.
- WP Ghost and Loginizer – Another login protection plugin comparison.
- Compatible Plugins List – All security plugins tested with WP Ghost.