The Login Cooldown feature is like a bouncer who will only let 1 person in at a time, and within a certain period of time.
So if you set your login cooldown to be 60 seconds, only 1 user may attempt to log into your site within 60 seconds.
That is to say, regardless of whether or not login details are correct, whoever that user is (administrator or otherwise), as soon as the login procedure for WordPress is triggered, the login cooldown starts.
During the Login Cooldown period:
All attempts to log into the site during the cooldown period will be rejected
- WordPress wont even have the chance to check login user credentials - the login process will be rejected immediately.
- The logging in user will be given a notice to say how long they must wait before attempting to login again.
Note: Valid or Invalid login attempts trigger the cooldown period - so if you successfully login, another user will still have to wait for the cooldown period to finish before being able to attempt a login.
What does this feature protect me from?
It protects your site from brute force login attacks as it completely blocks large-scale attempts to log into the site.
Applications of this feature
This feature should be always enabled! There is no reason not to have a cooldown period, if only even for 1 second.
Depending on the number of users or type of WordPress site you run, you may need to tweak this setting a little to get a timing that works best for you.
To learn more about the Login Cooldown read the blog article here.