Login Security

Brute-force protection with intelligent account lockout

Overview

Protects user accounts from brute-force attacks by tracking failed login attempts and implementing temporary lockouts. Configurable thresholds with admin override capabilities.

Design Considerations

UX patterns and visual design notes for this feature:

  • Warning messages before lockout build trust
  • Countdown timers reduce support tickets
  • Clear lockout in admin panel - power with responsibility
  • Don't reveal if username exists (security vs UX tradeoff)

Key Benefits

What makes this feature stand out:

  • Automatic brute-force protection
  • Configurable attempt limits
  • IP and username-based tracking
  • Admin can clear lockouts instantly

Technical Note

LoginSecurityHelper tracks failed attempts per username and uses the cache for fast lookups. The lockout threshold is configurable in params['loginSecurity']['maxAttempts'].
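To make the note concrete, the following is an added example written for this page, not the project's own LoginSecurityHelper. It assumes a plain array stands in for the application cache, that rows from the system_setting table override the params.php values, and that login_lockout_minutes is converted to seconds before use.

```php
<?php
// Added example (not the project's code): a minimal stand-in for LoginSecurityHelper.
// Assumed: $cache replaces the app cache; $db mimics system_setting rows, which
// override params.php, with login_lockout_minutes stored in minutes.
final class LoginSecurityHelperExample
{
    private array $cache = [];
    private int $maxAttempts, $lockoutSeconds, $warningThreshold;
    public function __construct(array $params, array $db = [])
    {
        $this->maxAttempts = (int)($db['max_login_attempts'] ?? $params['maxAttempts']);
        $this->lockoutSeconds = isset($db['login_lockout_minutes'])
            ? 60 * (int)$db['login_lockout_minutes']
            : (int)$params['lockoutDuration'];
        $this->warningThreshold = (int)$params['warningThreshold'];
    }
    private function key(string $username): string
    {
        return 'login_attempts:' . strtolower($username);   // tracked per username
    }
    public function isLockedOut(string $username, int $now): bool
    {
        $e = $this->cache[$this->key($username)] ?? null;
        return $e !== null && $e['lockedUntil'] !== null && $e['lockedUntil'] > $now;
    }
    // Call on every failed login, whether or not the username exists, so the
    // response does not reveal which usernames are real.
    public function recordFailure(string $username, int $now): array
    {
        $k = $this->key($username);
        $e = $this->cache[$k] ?? ['count' => 0, 'lockedUntil' => null];
        if ($e['lockedUntil'] !== null && $e['lockedUntil'] <= $now) {
            $e = ['count' => 0, 'lockedUntil' => null];   // lockout expired: start fresh
        }
        $e['count']++;
        if ($e['count'] >= $this->maxAttempts) {
            $e['lockedUntil'] = $now + $this->lockoutSeconds;
        }
        $this->cache[$k] = $e;
        $locked = $e['lockedUntil'] !== null;
        return [                                              // data for the form's messages
            'locked'     => $locked,
            'remaining'  => max(0, $this->maxAttempts - $e['count']),
            'warn'       => !$locked && $e['count'] >= $this->warningThreshold,
            'retryAfter' => $locked ? $e['lockedUntil'] - $now : 0,   // countdown seconds
        ];
    }
    public function clear(string $username): void   // successful login or admin "clear lockout"
    {
        unset($this->cache[$this->key($username)]);
    }
}
```

With the page's defaults (maxAttempts 5, warningThreshold 3, lockoutDuration 900) the third and fourth failures return warn => true and the fifth locks the account for 900 seconds.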

Helpers
  • LoginSecurityHelper

Models
  • LoginForm

Database Tables
  • user

Configuration

Config Relationship Legend

  • DB overrides params.php
  • 🔗 DB related setting
  • 📋 DB stores value only

params.php Configuration

Config path: params['loginSecurity']

  params['loginSecurity']['enabled']          => true
  params['loginSecurity']['maxAttempts']      => 5
  params['loginSecurity']['lockoutDuration']  => 900
  params['loginSecurity']['warningThreshold'] => 3
  params['loginSecurity']['trackByIp']        => false

Database Settings (system_setting table)
  Key                    Type    Description                          Relation
  max_login_attempts     number  Max failed attempts before lockout   🔗
  login_lockout_minutes  number  Lockout duration in minutes          🔗