In this article we'll walk you through installing the Max Failed Login Attempts plugin for Joomla to help combat a brute force attack on your website.

By default, your Joomla installation requires a correct username and password before allowing access to the administrative section of your website. A malicious user or bot could keep trying to log in to your website again and again, using combinations of common usernames and passwords, to try to break in. This is called a brute force attack, sometimes referred to as brute forcing their way in.

The Max Failed Login Attempts plugin lets you configure the number of failed login attempts you'd like to permit before blocking that user from further attempts for a set duration of time. It can also e-mail you when this is triggered.

Unfortunately, this isn't true brute force protection based on IP address blocking. If the attacker is trying to log in as the admin user, for instance, and hits your login limit, they could just start trying a different user like admin2. So they could still use up a lot of server resources as they try to break into your site. The plugin would at least make it much more difficult for them to actually gain access, and you could be alerted in the meantime so that you can go in and manually block their IP address from returning to your website.

  1. Log in to your Joomla admin dashboard.
  2. Click on Extension Manager.
  3. The plugin itself can be found on the Joomla extension site at:

    http://extensions.joomla.org/extensions/access-a-security/site-access/login-restriction/20032

    You'll want to right-click on the Download link on that page, and then select Copy link address.

  4. With the URL to the file download now in your clipboard, return to the Joomla Extension Manager, paste it into the Install URL field, and then click on Install.
  5. You should now get a success message letting you know the plugin has been successfully installed, and a notice to be sure to enable it.
  6. From the top Extensions menu, select Plug-in Manager.
  7. Next click on the Authentication - Limit Failed Logins link from the left-hand column.
  8. Now you can configure the plugin's options.

    Change the Status to Enabled.

    Change the Ordering to 0 Order First.

    Then fill in the rest of the fields based on the settings you'd like to use.

    You might want to change the default "Contact when disabling the account" setting to "Do not contact the user, just disable their account" so that only you are notified of these blocks.

    Then enter your e-mail address in the BCC field to receive e-mail notices when an account has been blocked. Finally, click on Save & Close.

  9. Now if you try to log in using invalid credentials, you'll first just get the normal failed login message.
    The first time you hit the login limit threshold that you've set, you'll get the blocked message you set up.

    If you try to log in to the account after it's been blocked, you'll then get the already blocked message you set up.

    You should also receive an e-mail alerting you of the user that has been disabled, and the IP address they were trying to connect with.

  10. If it was a valid user who simply forgot their password, they just need to wait the amount of time that you set before their account is re-enabled. If you notice the same IP getting blocked while trying to access multiple users, or the same user again after it's been un-blocked, you can then use the IP Deny Manager in cPanel to block them permanently from trying to access your website again.
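
The review described in step 10 can be done by script once the block notices pile up. This is an added example, not part of the plugin or the original article: it assumes you have saved each notice as one line of "timestamp username ip" (a constructed layout, with constructed sample data), and the names `parse_notice` and `deny_candidates` are hypothetical.

```python
from collections import defaultdict

# Constructed sample: one line per block notice, "timestamp username ip".
# The layout is an assumption; adapt parse_notice() to however you record
# the plugin's e-mail alerts. IPs come from documentation-only ranges.
SAMPLE_NOTICES = """\
2014-06-03T10:02:11 admin 203.0.113.7
2014-06-03T10:05:40 admin2 203.0.113.7
2014-06-03T10:09:02 editor 203.0.113.7
2014-06-03T11:15:30 jsmith 198.51.100.23
2014-06-03T12:40:00 mary 192.0.2.44
2014-06-03T13:45:10 mary 192.0.2.44
# the malformed line below is skipped
garbage
"""

def parse_notice(line):
    """Return (username, ip), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 3:
        return None
    _timestamp, username, ip = parts
    return username, ip

def deny_candidates(text, min_users=2, min_repeats=2):
    """Map each IP worth reviewing for the IP Deny Manager to the reason."""
    blocks = defaultdict(lambda: defaultdict(int))  # ip -> username -> blocks
    for line in text.splitlines():
        parsed = parse_notice(line)
        if parsed:
            username, ip = parsed
            blocks[ip][username] += 1
    flagged = {}
    for ip, users in blocks.items():
        if len(users) >= min_users:
            # One IP tripping the limit on several accounts (admin, admin2, ...)
            flagged[ip] = "multiple users: " + ", ".join(sorted(users))
        elif max(users.values()) >= min_repeats:
            # Same account blocked again from the same IP after un-blocking
            repeated = sorted(u for u, n in users.items() if n >= min_repeats)
            flagged[ip] = "repeat blocks on: " + ", ".join(repeated)
    return flagged

if __name__ == "__main__":
    for ip, reason in sorted(deny_candidates(SAMPLE_NOTICES).items()):
        print(ip, "->", reason)
```

An IP with a single block, like the jsmith entry in the sample, is left alone, since that is what a valid user who forgot their password looks like.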

Manually un-block a user

If you accidentally block yourself, or you know a valid user has done this to themselves, you can un-block that user manually instead of waiting for the timer to expire.

  1. Pull up your Joomla MySQL database in phpMyAdmin.
  2. In the left-hand column, click on your jos_users table.
  3. Now click on Edit beside the user that has been blocked.
  4. In the block field, change the 1 to 0, then click on Go at the bottom left.

You should now know how to install the Max Failed Login Attempts plugin for Joomla, and also how to un-ban users manually yourself if you don't want to wait for the timer to expire.
