Download: test-graphic-failed-logins-lockout.png

Downloading: test-graphic-failed-logins-lockout.png Brute force password attacks

b2evolution includes code to prevent brute force password attacks.

By default, if an (existing) user account receives 10 wrong passwords within 10 minutes, that account will be locked for 10 minutes. When the account is locked, even a login with the correct password will not work (otherwise it would not be an effective lock).

Once the lock times out and once the legitimate user logs in, he will see a report of the failed login attempts.

See _advanced.php for variables controlling this:

/**
 * If user tries to log in {$failed_logins_before_lockout} times
 * during the last {$failed_logins_lockout} seconds,
 * we refuse login (even if password is correct) and display that
 * the account is locked out until the above condition is no longer true.
 * If {$failed_logins_lockout} is set to 0, there will never be a lockout.
 */
$failed_logins_before_lockout = 10; // 10 times, Max is 197
$failed_logins_lockout = 600; // 10 minutes

Note: we block by user account, not by IP, because any serious attacker would use a botnet of 10 000+ IPs to deploy the attack. Blocking IPs would not be an effective security mesure.

Note: if your concern is to block annoying IPs that bloat your log files, or even DoS attacks, please use a solution at the webserver level.