The user module now responds with a 403 "access denied" when a login attempt is blocked by flood control.

Modules now can use the new hook_user_flood_control() to do things like send a notification when a user account is blocked because of excessive failed login attempts, or add an IP to firewall rule, for example.

If there are excessive failed login attempts, the offending IP address or user account will be temporarily blocked. To help identify brute force login attacks, by default Backdrop will now log these events with notices such as:

Flood control blocked login attempt for UserName from

Flood control blocked login attempt from

You may want to disable logging these events if, for example, you are using the dblog module and want to avoid database writes. You can control this behavior via the following two options:

  • a "Log excessive failed login attempts" checkbox in the admin interface, under Configuration → User accounts → Login settings (/admin/config/people/login)
  • overriding that setting in settings.php, by setting flood_log_failed_attempts to 1 (on), or 0 (off).
* Logging of user flood control events.
* @see user_login_final_validate()
* @see user_user_flood_control()
//$config['user.flood']['flood_log_failed_attempts'] = 0;
Introduced in branch: 
Introduced in version: 
Architects, Administrators, Editors
Module developers