Thanks for commenting, Mike. It’s definitely true that a lack of recent updates is often a warning sign for plugins, but there are exceptions.

The major exception is when a plugin does something very simple and hooks into a very stable piece of WordPress core. In those cases, years can pass without the plugin needing any sort of updates, because nothing about its environment is changing and because it’s already doing its very limited job perfectly. That’s the situation with Limit Login Attempts.

If you need further convincing: It’s on 2+ million sites and has 4.5 stars in the plugin repo, including numerous recent reviews. I’m pretty sure that the Scriptaculous WordPress installer script even gives you a checkbox option to install it as its only recommended plugin. So there are indicators of trust you can use beyond just update recency.

Age is just a number. 🙂 The plugin is extremely widely used and works great – it simply hasn’t needed an update in a good bit.

Great article, you might want to check out BruteGuard which is a cloud powered brute force protection plugin. It’s 100% free and creates a network of sites that protect each other in a smart way.