WordPress Login Security: the free AIFORYA extension
Protect WordPress login: brute-force defense, two-factor authentication and magic links. Free extension, no API key, no time limit.

Lock down the WordPress login page, with no API key or external service.
AIFORYA Login Security protects the most attacked page on your site — the login screen — with the essential security tools: brute-force blocking, IP address lists, two-factor authentication and passwordless login. The core of the extension works locally, with no API key, and stays free with no time limit.
- Free and complete: published on WordPress.org, with no crippled features on the essentials of protection.
- Local by design: brute-force defense, 2FA and IP lists trigger no network calls.
- Open standards: TOTP two-factor authentication compatible with every free authenticator app.
Why protect the login specifically?
The login page is the default entry point of any WordPress site, and therefore the number-one target of automated attacks. Thousands of password attempts can be launched each day against wp-login.php without you noticing, until the day one of them succeeds. A strong password is no longer enough: you need to slow down attacks, lock out abusive addresses and add a second barrier that an attacker can't cross with a simple stolen credential.
Existing solutions often reserve these features for their paid version, or drown them in a heavy security suite that slows down the whole site and sends your logs to third-party servers. AIFORYA Login Security focuses on the login, keeps processing local, and leaves the key features available for free.
What the extension does
- Brute-force protection — temporary blocking of an IP address after a configurable number of failures, with an optional progressive lockout whose duration increases with each new block.
- IP address lists — a blacklist to block and a whitelist to always allow, managed from the admin.
- Two-factor authentication (2FA / TOTP) — the open RFC 6238 standard, compatible with Google Authenticator, Authy, FreeOTP and any TOTP app, with single-use backup codes.
- Passwordless login — the user receives a secure, signed, single-use link by email, with a limited validity period.
- Login log — a local history of successful logins, failures, blocks and 2FA validations, with configurable automatic purge.
- Security dashboard — key indicators and a 7-day activity chart, with no external dependency.
- Uniform error messages — an anti-enumeration option so as not to reveal whether a username exists.
How it does better than competing free extensions
| AIFORYA Login Security | Common free extensions | |
|---|---|---|
| Two-factor authentication | Included (TOTP + backup codes) | Often reserved for the paid version |
| Passwordless login | Included (signed magic links) | Rarely offered for free |
| Dashboard and log | Local, 7-day activity | Logs frequently sent to the cloud |
| Progressive lockout | Included and configurable | Fixed-duration blocking only |
| API key / account | None for the core | Sometimes required |
Privacy and technical honesty
The core of the extension makes no network calls. Two transparent exceptions: passwordless login emails go through WordPress's native mail function (wp_mail), and an optional Support/Reviews tab can, only at your initiative and after explicit consent, send your message to the AIFORYA service. Nothing is sent without a deliberate action on your part.
Installation in 2 minutes
- Download the extension shown here (or install it from WordPress.org).
- Activate it from the Plugins menu.
- Open the AIFORYA Login Security menu, set up brute-force protection in the Protection tab, then enable two-factor authentication for your account.
Your login page is protected the moment you activate it, and you then strengthen each layer at your own pace.
Questions fréquentes
Historique des mises à jour
- v1.0.1
Minor fixes and stability improvements.
- v1.0.0
Initial release: brute-force protection with progressive lockout, IP blacklist and whitelist, TOTP two-factor authentication with backup codes, passwordless login via magic links, login log and security dashboard, uniform anti-enumeration error messages.
Une question ? Contactez-nous.