Your login. Guarded.
Gatorio stops brute-force attacks before WordPress even processes them. Lightweight. No database. No tracking. Made in Europe.
The problem
Bots never stop trying.
Every WordPress site is a target. Automated scripts run thousands of login attempts per hour — testing common passwords, leaked credentials, and dictionary attacks, around the clock, every day.
WordPress has no built-in protection. Without a guard, an attacker can test 10,000 passwords in a matter of minutes.
Without Gatorio:
- Unlimited login attempts
- No delay between tries
- XML-RPC multicall exposed
- Usernames publicly enumerable

With Gatorio:
- 5 attempts, then 15 min lockout
- 1-second delay on every try
- XML-RPC fully disabled
- REST user endpoint blocked
- Works with WooCommerce & caching
Features
Built with precision. Nothing more.
Pre-auth Check
Blocks attackers before WordPress authenticates. Zero wasted server resources.
IP Hashing
IPs stored as SHA-256 + NONCE_SALT. No plain text. No personal data.
Smart Lockout
5 failed attempts trigger a 15-minute lockout. Stored in wp_options, cache-independent.
Login Delay
1-second sleep on every attempt. Harmless for humans. Devastating for bots.
XML-RPC Disabled
Multicall attacks blocked at the filter level. One line, zero overhead.
No Enumeration
REST API /wp/v2/users blocked for unauthenticated requests.
Zero Dependencies
Pure WordPress core hooks only. No composer, no libraries, no bloat.
No Database Tables
Uses wp_options with cache bypass. No custom tables, no migrations, compatible with all caching plugins.
Under the hood
Three layers. One file.
Login attempt
wp-login.php or WooCommerce login
Pre-auth block
init hook (priority 0) — before everything
Lockout check
≥ 5 attempts → WP_Error, 15 min
Authenticate
authenticate filter (priority 100)
IP hash lookup
sha256 + NONCE_SALT → wp_options
Sleep 1s
every attempt — bot slowdown
WordPress auth
only if all checks pass
Installation
Up in 60 seconds.
Download
Get the latest release from Codeberg or the WordPress Plugin Directory.
codeberg.org/Sichtelement/gatorio →
Upload & Activate
In WordPress Admin go to Plugins → Add New → Upload Plugin, select the zip, activate.
Via WP-CLI
Or install directly from the command line:
wp plugin install gatorio --activate
Manual FTP
Upload the gatorio folder to your plugins directory:
/wp-content/plugins/gatorio/gatorio.php
That's it.
No configuration required. Gatorio is active immediately after activation. Default settings are sane and production-ready out of the box.
Requires WordPress 6.0+ and PHP 8.0+
Privacy & Trust
Privacy is not a feature. It's the foundation.
- No plain-text IPs. All IPs are hashed with SHA-256 and your site's unique NONCE_SALT before storage.
- No external requests. Gatorio never calls external APIs, sends telemetry, or loads remote resources.
- No persistent data. Lockout data is stored in wp_options and automatically cleaned up after expiry. No logs, no history.
- GDPR compliant. No personal data stored in identifiable form. No consent banner needed for this plugin.
- Made in Europe. Developed and maintained in the EU, under EU standards and values.
Open Source
Read every line. Fork it. Audit it.
Gatorio is fully open source under GPL-2.0. No hidden functionality, no obfuscation, no surprises. Every decision is visible in the code.
View on Codeberg

```php
// Pre-auth block — init hook, priority 0, before everything
add_action( 'init', [ $this, 'pre_auth_block' ], 0 );
// IP hash — SHA-256 + NONCE_SALT, never plain text
return hash( 'sha256', $ip . NONCE_SALT );
// 1-second delay — every attempt, no exceptions
sleep( 1 );
```

FAQ
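How the three layers from the "Under the hood" diagram and the excerpt above fit together as WordPress hooks, written here as an added illustration rather than Gatorio's own source. The gx_ names, the option layout and the form-field check are assumptions; only REMOTE_ADDR, NONCE_SALT, wp_options with wp_cache_delete, the init and authenticate priorities, the 5/15-minute thresholds and the 1-second sleep come from the page.

```php
<?php
// Added illustration of the three layers described on this page, not Gatorio's source.
// The gx_ names, the option layout and the form-field check are assumptions.
const GX_MAX_ATTEMPTS = 5;
const GX_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Only the SHA-256 of REMOTE_ADDR + NONCE_SALT is ever stored, never the address itself.
function gx_key(): string {
    return 'gx_lock_' . hash( 'sha256', $_SERVER['REMOTE_ADDR'] . NONCE_SALT );
}

// Read the counter from wp_options, bypassing the object cache; expired rows are deleted.
function gx_state(): array {
    $key = gx_key();
    wp_cache_delete( $key, 'options' );
    $state = get_option( $key, [] );
    if ( ! is_array( $state ) || ( $state['exp'] ?? 0 ) <= time() ) {
        delete_option( $key );
        return [ 'count' => 0, 'locked_until' => 0 ];
    }
    return $state;
}

// Layer 1: refuse a locked-out IP on init (priority 0), before any auth code runs.
add_action( 'init', function () {
    if ( ! isset( $_POST['log'] ) ) { return; } // wp-login.php form field; WooCommerce posts 'username'
    $until = gx_state()['locked_until'];
    if ( $until > time() ) {
        $mins = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
        wp_die( sprintf( 'Too many failed logins. Try again in %d minutes.', $mins ), '', [ 'response' => 429 ] );
    }
}, 0 );

// Layer 2: late authenticate filter: a lockout becomes WP_Error, everything else waits 1 s.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === (string) $username ) { return $user; } // page load, not a submission
    if ( gx_state()['locked_until'] > time() ) {
        return new WP_Error( 'gx_locked', 'Too many failed logins. Try again later.' );
    }
    sleep( 1 ); // imperceptible to a person, a hard floor on automated guessing
    return $user;
}, 100, 2 );

// Layer 3: count failures per hashed IP; the fifth failure starts the 15-minute lockout.
add_action( 'wp_login_failed', function () {
    $count = gx_state()['count'] + 1;
    $until = $count >= GX_MAX_ATTEMPTS ? time() + GX_LOCKOUT_SECS : 0;
    update_option( gx_key(), [ 'count' => $count, 'locked_until' => $until, 'exp' => time() + GX_LOCKOUT_SECS ], false );
} );
add_action( 'wp_login', function () { delete_option( gx_key() ); } ); // success clears the counter
```

Dropped into wp-content/mu-plugins on a staging site, five wrong passwords from one address produce the lockout message on the sixth submission, and a correct login clears the stored counter.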
Questions.
- Only when submitting the login form. A 1-second wait is imperceptible to a human — but it reduces an attacker's speed by 1000×. Testing 1,000 passwords now takes at least 1,000 seconds.
- After 5 failed attempts, the IP receives a clear error message stating how many minutes remain. The lockout expires automatically — no manual cleanup required.
- Gatorio uses REMOTE_ADDR, not forwarded headers. This is intentional — headers like X-Forwarded-For can be spoofed. If your server is behind a trusted reverse proxy, configure PHP or your web server to set the correct REMOTE_ADDR.
- No. Gatorio tracks only an attempt counter per hashed IP. No usernames, no passwords, no timestamps, no logs. The data expires automatically with the transient.
- XML-RPC allows bundling hundreds of authentication requests into a single HTTP call (multicall). This bypasses attempt-counting entirely. Gatorio disables XML-RPC at the filter level. If a specific integration requires it, you can remove that filter.
- Yes. Gatorio uses an init hook at priority 0 — this runs before WordPress authentication and before WooCommerce or any other plugin can interfere. Lockout data is stored in wp_options with explicit cache bypass (wp_cache_delete), making it compatible with all caching plugins including Redis, Memcached, WP Rocket, and W3 Total Cache.
- Yes. The version you are using is permanently free and open source under GPL-2.0. A Pro version with additional comfort features is planned — but core security will always remain free.
Protect your login. Right now.
Free. Open source. 60-second install. No account required.
Download Gatorio Free