What is Login Cooldown and how does it work?
The Login Cooldown option is a part of the Login Protection feature. It's like a bouncer who will only let 1 person in at a time, and within a certain period of time.
So, for example, if you set your login cooldown to be 5 seconds (default), only 1 user may attempt to log into your site within 5 seconds.
That is to say, regardless of whether or not login details are correct, whoever that user is (administrator or otherwise), as soon as the login procedure for WordPress is triggered, the login cooldown starts.
During the Login Cooldown period:
- All attempts to log into the site during the cooldown period will be rejected
- WordPress wont even have the chance to check login user credentials - the login process will be rejected immediately.
- The logging in user will be given a notice to say how long they must wait before attempting to login again.
Note: Valid or Invalid login attempts trigger the cooldown period - so if you successfully login, another user will still have to wait for the cooldown period to finish before being able to attempt a login.
What does this option protect me from?
It protects your site from brute force login attacks as it completely blocks large-scale attempts to log into the site.
Applications of this option
This option should be always enabled! There is no reason not to have a cooldown period, if only even for 1 second.
Depending on the number of users or type of WordPress site you run, you may need to tweak this setting a little to get a timing that works best for you.
To learn more about the Login Protection feature, read this article here.
We also recommend you to read