Add blocking mode where only login attempts are disabled #187

Open
LuxLOL opened this issue Jan 29, 2022 · 7 comments
Comments


LuxLOL commented Jan 29, 2022

Hi,
I like the plugin, but the blocking option is a bit exaggerated by banning a user from the whole website only because he typed in the wrong password too many times.
If every website did this, then I would be banned from half of the internet. :D

The right way would be to block any login attempts from a banned IP like the outdated "Limit Login Attempts" plugin does it.

Owner

codeling commented Jan 29, 2022

Thanks for the input! I haven't given this much thought, and might consider adding, in some future version of bfstop, an option for only disabling login for some time.
My basic opinion on this is that on a typical system, "normal" users can be given plenty of warnings and hints to use the "password reset" functionality instead of trying multiple times. And for actual attackers, it makes sense to block everything, because it decreases the demand on the server if it can stop processing the request at a very early stage.

@codeling codeling self-assigned this Jan 29, 2022
@codeling codeling added this to the BFStop 1.6.0 milestone Jan 29, 2022
Author

LuxLOL commented Jan 29, 2022

Don't forget that normal users will care as much about the website warning as they care about the cookie popups. :D And they will for sure not expect to be banned from the whole website.

Owner

Don't forget that normal users will care as much about the website warning as they care about the cookie popups.

True. As I said, I'll consider adding it for a next version; I'll have to think about the exact implementation and whether I'll make it the default or not...


SactoBob commented May 6, 2022

I agree with this enhancement. I've had large offices that are behind a NAT have one user fail a login, and then the entire site is offline for 50+ other users. It happens so often, so yes, I've whitelisted the IP. But it changes regularly, about every 3 months, so it keeps coming back. Block the login page, and it would be nice with an explanation, but not the entire website via .htaccess/etc.

Owner

codeling commented Jun 28, 2024

The best idea would probably be to have an alternate mode in which the login form is completely disabled for a blocked user. This would however require a much more involved interaction with the Joomla core.

Thanks for providing a reference with the Limit Login Attempts, I will check if this plugin has code I can use for this. (Edit: I have been unable to download the extension, the Google captcha there just "keeps spinning", do you maybe have a copy of it available @LuxLOL?) Considering that this plugin hasn't been updated in 8 years, and that I don't really have time at the moment, this could take a while though!

@codeling codeling changed the title Blocking Function Add blocking mode where only login is disabled Jun 28, 2024
Author

LuxLOL commented Jun 28, 2024

Disabling the Login plugin would probably not be a good idea, because if someone is trolling someone else's account, the legitimate user won't know why the login has disappeared.

It's a bit astonishing that these big CMSs don't have any brute-force protection built in. -_-

@codeling codeling changed the title Add blocking mode where only login is disabled Add blocking mode where only login attempts is disabled Jul 10, 2024
@codeling codeling changed the title Add blocking mode where only login attempts is disabled Add blocking mode where only login attempts are disabled Jul 10, 2024

b1r63r commented Nov 23, 2024

Couldn't the plugin hook into onUserAuthenticate to just fail the Joomla authentication process when the source IP is blocked?

We have a load of older members who quite often manage to get blocked, and I would like to still have them get access to the public info on our website and the contact form.
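The login-only block discussed in this thread, as an added example that is neither bfstop's code nor the Limit Login Attempts plugin's: a Joomla 4 authentication plugin that refuses the login for a blocked source IP and leaves every other page reachable. It assumes the Joomla 4 plugin API (`CMSPlugin`, `AuthenticationResponse`, `IpHelper`); the plugin name `Loginblock` and the in-memory block list are placeholders, and the manifest and `services/provider.php` are omitted.

```php
<?php
// Added example (not bfstop's code): Joomla 4 authentication plugin refusing only the
// login for a blocked source IP. Assumed: Joomla 4 plugin API; "Loginblock" and the
// in-memory list are placeholders for the real plugin name and block table.
namespace Joomla\Plugin\Authentication\Loginblock\Extension;

use Joomla\CMS\Authentication\Authentication;
use Joomla\CMS\Authentication\AuthenticationResponse;
use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\Utilities\IpHelper;

final class Loginblock extends CMSPlugin
{
    /** Constructed sample data standing in for the block table (single IPs or CIDR). */
    private const BLOCKED = ['203.0.113.0/24', '198.51.100.7'];

    /** Pure decision, so it can be unit-tested without a request. */
    public static function isBlocked(string $ip, array $blocked): bool
    {
        return IpHelper::IPinList($ip, $blocked); // understands single IPs, CIDR and ranges
    }

    /**
     * Why not onUserAuthenticate: Authentication::authenticate() stops at the first
     * plugin that reports STATUS_SUCCESS, so a STATUS_FAILURE set there is overridden
     * by the core Joomla authentication plugin. A veto belongs in onUserAuthorisation,
     * which runs after authentication succeeded; CMSApplication::login() treats
     * STATUS_DENIED (or STATUS_EXPIRED) from any plugin as a failed login.
     */
    public function onUserAuthorisation(AuthenticationResponse $response, array $options = []): AuthenticationResponse
    {
        // IpHelper::getIp() takes the client IP from proxy headers only when Joomla is
        // configured to trust them, which matters for the NAT/proxy setups discussed above.
        $ip = IpHelper::getIp();
        if (self::isBlocked($ip, self::BLOCKED)) {
            $response->status        = Authentication::STATUS_DENIED;
            $response->error_message = 'Login temporarily disabled for this address';
            // Tell the user why instead of failing silently; public pages and the contact
            // form keep working because nothing outside the login is blocked.
            Factory::getApplication()->enqueueMessage('Too many failed logins from your network address; try again later.', 'warning');
        }

        return $response;
    }
}
```

The veto is visible to the user as Joomla's standard "login denied" message plus the queued warning; the block list lookup is the one piece to replace with bfstop's own block table.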
