There is pne for Wordpress https://wordpress.org/plugins/wp-limit-login-attempts/ but don't know about adapting it

You could try to block his IP
See here:
https://b2evolution.net/man/ip-ranges

@zebulon Thank you for your advice. I blocked the IP range after I noticed that there was this accumulation of login attempts.
But I don't want anyone to be able to launch such attacks. After all, I don't know how careful some users are when choosing their login data. And there happened really very sophisticated attacks that seem to run through algorithms.

Therefore a limitation of the login attempts would be important to increase security.

O.K.
Than you probably want to prevent these attempts on the server level.
For example block the IP in the firewall, or (if you use a linux server) try fail2ban which can detect suspicious behavior and block a IP automatically.
I than also recommend to force users to use more secure passwords. See here:
https://b2evolution.net/man/registration-security-settings

@zebulon fail2ban comes very close. However, I have b2e running on a shared host and I can only make limited server settings, it would be better if there could be a b2e feature.

I see,
In that case something integrated into b2evo makes sense. For example to allow 3 attempts to fail and one has to wait for ca. 3 minutes to try again.
Maybe another option is to use the GeoIP plugin and check the country people come from. Than block those countries where you know you do not have a user base. This could only help to a certain extend obviously.

There's code at https://coderwall.com/p/dc2bbg/limit-login-attemps

@amoun would be great to hear, whether this code works in b2e without causing mess or security problems (I am no coder)

@saunders I had replied to say I was in no hurry to look at the code and thought someone more adept and with head space may have a look. However I'm about to have a quick look but I think I'll quickly turn to look for help, that's as long as i can get started. :) Don't wait up for me lol

@saunders After a quick look I'm not sure about it and am looking at https://wordpress.org/plugins/limit-login-attempts/

If I continue with it I'll make a new post under https://forums.b2evolution.net/b2evolution-support-area/plugins-extensions/

All the best

b2evo already does this (since 2013).

In conf/_advanced.php:

/**
 * If user tries to login 10 times during X seconds we refuse login (even if password is correct)
 * If set to 0, then there is never a lockout
 */
$failed_logins_lockout = 600; // 10 minutes

Ha! I've just tried messing with the Wordpress plugin :)

1. Can the number of login attempts be modified and
2. Can a secondary stop be implemented as mentioned in the topic earlier

a) three times with a 20 min disable
b) three more times on the next set of three 20 hours disable.

I suppose there's code somewhere that sets this up

Thanks for the direction

My Version 6.10.5

@saunders Given the directions to modify the time login is disabled via [conf/advanced.php] Line 734 by @fplanque I have now found where to set the number of login attempts [/inc/_init_login.ic.php] Line 196. It is set from 0 to 9 so that's ten attempts, I'm setting mine to 2 which should work on the third attempt.
if( $failed_logins_lockout > 0 && count( $login_attempts ) == 9 )

@fplanque Better to have a plugin that is user friendly and that won't get overridden by updates.

@fplanque and @amoun,

Cool!

The plugin I have been looking will also block IPs if the same one is used to invoke the lock, say 3 x 3 times.

Features

Limit the number of retry attempts when logging in (for each IP). Fully customizable
Limit the number of attempts to log in using auth cookies in same way
https://wordpress.org/plugins/limit-login-attempts/

@amoun - it does not work as hoped and intended. In _advanced.php I set the number of trials to 4 until login should pause for 10 minutes. But in my test I could try 15 times and may be more. Nothing happens. And after all those trials to login I could login when filling the correct phrases.
May be that the intended feature does not work. Please try it yourself.

As I understood @fplanque it should not be possible to try to login - at least - for 55000 times using one IP address within a day. But it happened.

Please test, if it works for you
Thanks

See screenshot:

@saunders wrote earlier:

@amoun - it does not work as hoped and intended. In _advanced.php I set the number of trials to 4 until login should pause for 10 minutes. But in my test I could try 15 times and may be more. Nothing happens. And after all those trials to login I could login when filling the correct phrases.
May be that the intended feature does not work. Please try it yourself.

As I understood @fplanque it should not be possible to try to login - at least - for 55000 times using one IP address within a day. But it happened.

Please test, if it works for you
Thanks

@saunders Given the directions to modify the time login is disabled via [conf/advanced.php] Line 734 by @fplanque I have now found where to set the number of login attempts [/inc/_init_login.ic.php] Line 196. It is set from 0 to 9 so that's ten attempts, I'm setting mine to 2 which should work on the third attempt.
if( $failed_logins_lockout > 0 && count( $login_attempts ) == 9 )

Modifying [_advanced.php] sets the time locked out not the number of tries that in [/inc/_init_login.ic.php]

@saunders

Modifying [_advanced.php] sets the time locked out not the number of tries
$failed_logins_lockout = 600; // 10 minutes

Set the number of tries in [/inc/_init_login.ic.php]
if( $failed_logins_lockout > 0 && count( $login_attempts ) == 2 )

I get this. And if I try with the correct password after 10 wrong passwords, I can't log in.

In the hit log though, blocked login attempts are still logged as login attempts.

I did this - set it to 4 attempts. but without any effect. (if( $failed_logins_lockout > 0 && count( $login_attempts ) == 4 ))

I can't confirm that mod is correct. I can only vouch for the original code.

@fplanque I tried to login at b2evolution about 20 times in a row and obliviously there was not break. You can check this by a look into your analytics. My IP is 77.118.29.135 at about 09:15 (MEZ).

It does not even work using: http://demo2.b2evolution.net/stable/index.php?disp=login&redirect_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&return_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&source=menu%20link

I tried it on a different installation on a different host and also there I was able to try 20+times to login.
I have never customized or manipulated code which could have affected that.

I am using 6.10.4 and haven't changed anything in the code.
Works like it has been explained by @fplanque

After 10 failed attempts the account is locked for 10 minutes. Within this 10 minutes even the correct password isn't accepted.
But I can still login from the same IP in another account with the correct password.

So this would mean that the account is locked for a while but it is not the case that the IP is blocked from preventing to do other attempts on other accounts.

It is a bit odd that a 'targeted user' is locked out of his account though it is not his fault but a hackers attempt.

@fplanque wrote earlier:

I can't confirm that mod is correct. I can only vouch for the original code.

The only difference, as I said in the earlier post #14, is I changed the 9 for a 2 and it works fine on the third attempt to login
Version 6.10.5 [/inc/_init_login.ic.php] Line 196.

@saunders I can only think some syntax error crept in. Here's the code with a 2 as I am using in version 6.10.5

if( $User )
		{ // Check user login attempts
			$login_attempts = $UserSettings->get( 'login_attempts', $User->ID );
			$login_attempts = empty( $login_attempts ) ? array() : explode( ';', $login_attempts );
			if( $failed_logins_lockout > 0 && count( $login_attempts ) == 2 )
			{ // User already has a maximum value of the attempts
				$first_attempt = explode( '|', $login_attempts[0] );
				if( $localtimenow - $first_attempt[0] < $failed_logins_lockout )
				{ // User has used 2 attempts during X minutes, Display error and Refuse login
					$login_error = sprintf( T_('There have been three failed login attempts. This account is locked for %s minutes.'), ceil( $failed_logins_lockout / 60 ) );
				}
			}
		}

OK Problem arising.

Yesterday it all worked as expected, then after @saunders failed use as in post #17, I though AH! maybe it only works with know user names and otherwise will go on for ever. Protecting only users accounts etc.

So I tried [abcdef] for both user namer and password and it didn't work, adding to my theory. So I then used a friends known user name and now that doesn't lock out either with a random password: so I am bemused and will carry on investigating.

EDIT UPDATE
I thought I'll try logging in properly, to see if that shook something up, which was fine and it did.As then I used my friend's user name and this time it worked useing [abcdef] as password,and I receive the message that the account was logged out on the third attempt.

Screenshot on next post

Will try all agian later this evening, it's sunny here so I want to work on the land. Bye

@saunders wrote earlier:

@fplanque I tried to login at b2evolution about 20 times in a row and obliviously there was not break. You can check this by a look into your analytics. My IP is 77.118.29.135 at about 09:15 (MEZ).

It does not even work using: http://demo2.b2evolution.net/stable/index.php?disp=login&redirect_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&return_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&source=menu%20link

I tried it on a different installation on a different host and also there I was able to try 20+times to login.
I have never customized or manipulated code which could have affected that.

Did you use the same wrong password 20 times or did you change it 20 times?

I just followed your link. With 10 different wrong passwords it blocks.

@zebulon wrote earlier:

It is a bit odd that a 'targeted user' is locked out of his account though it is not his fault but a hackers attempt.

Any serious attacker would use a botnet with 10 000 different IPs. Blocking a specific IP is not effective security.

Blocking annoying IPs that bloat your logs is something that should be done at the Apache level.

@amoun The blocking is per-user account (10 wrong passwords on a specific login). There is no blocking for non-existing accounts.

@fplanque wrote earlier:

@saunders wrote earlier:

@fplanque
Did you use the same wrong password 20 times or did you change it 20 times?
I just followed your link. With 10 different wrong passwords it blocks.

I used different Passwords and in a second test series used different usernames and different passwords, like someone "playing around" to find a working login.

@fplanque wrote earlier:

@amoun The blocking is per-user account (10 wrong passwords on a specific login). There is no blocking for non-existing accounts.

Yes that's what I was thinking.
Thanks

@saunders so the question is: are you using registered user names?

@fplanque wrote earlier:

@zebulon wrote earlier:

It is a bit odd that a 'targeted user' is locked out of his account though it is not his fault but a hackers attempt.

Any serious attacker would use a botnet with 10 000 different IPs. Blocking a specific IP is not effective security.

Blocking annoying IPs that bloat your logs is something that should be done at the Apache level.

@fplanque OK I could reproduce the break to log in after 10 times failed trials. I have chosen an existing Login-User-Name and kept the wrong passphrase fo 11 times. It also worked using different passphrases.

I tested it with a non existing User name. But it makes sense to count by user login trials than to count false login trials by IP.
So thanks for your patience in replying.

We added a man page: https://b2evolution.net/man/brute-force-password-attacks

@saunders wrote earlier:

See screenshot:

if you have .htaccess

Order Allow,deny
deny from 185.220.