Mar, 2015
Does s2Member guard against brute-force attacks by monitoring failed login attempts?
Preventing Brute-Force Attacks Before They Begin
As with any membership system, someone can try to guess username/password combinations with a brute-force attack: logins are attempted repeatedly with many different username/password combinations until a correct guess is made. An attack of this kind is not likely, but it is still a good idea to protect your system in case somebody tries it. s2Member thwarts this behavior by monitoring failed login attempts that occur within a short period of time. Whenever s2Member detects an IP address (i.e., a remote user) that is consistently failing to enter a valid username/password, it creates a temporary ban that prevents additional attempts from that address for 30 minutes (configurable). This temporary ban affects only the offending IP address.
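The monitoring logic described above, modelled as an added standalone example (not s2Member's own plugin code): failed attempts are counted per source IP over a sliding window, and once the count crosses a threshold the address is banned for 30 minutes, during which even a correct password is refused. Only the 30-minute ban comes from the page; the threshold of 5 failures, the 5-minute window and the sample IP addresses are assumed values chosen for the demonstration.

```python
from collections import defaultdict, deque

BAN_SECONDS = 30 * 60    # 30-minute temporary ban, as the page states (configurable)
MAX_FAILURES = 5         # assumed threshold; the page does not give s2Member's value
WINDOW_SECONDS = 5 * 60  # assumed "short period" over which failures are counted


class FailedLoginMonitor:
    """Per-IP failed-login counter with a temporary ban; time is passed in as seconds so runs are deterministic."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_failures, self.window, self.ban = max_failures, window, ban
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}              # ip -> time at which the ban lapses

    def is_banned(self, ip, now):
        """True while a ban is in force; the failure history was cleared when it was set."""
        if now < self._banned_until.get(ip, 0):
            return True
        self._banned_until.pop(ip, None)     # lapsed or absent ban: nothing to enforce
        return False

    def record_failure(self, ip, now):
        """Register one failed attempt; returns True if it triggered a ban."""
        q = self._failures[ip]
        q.append(now)
        while now - q[0] > self.window:      # slide the window: forget old failures
            q.popleft()
        if len(q) < self.max_failures:
            return False
        self._banned_until[ip] = now + self.ban
        q.clear()
        return True


def replay(events, monitor=None):
    """Run (time, ip, ok) login events through the monitor; return each attempt's outcome."""
    monitor = monitor or FailedLoginMonitor()
    outcomes = []
    for t, ip, ok in events:
        if monitor.is_banned(ip, t):
            outcomes.append("rejected-banned")   # refused before any credential check
        elif ok:
            outcomes.append("ok")
        else:
            outcomes.append("banned" if monitor.record_failure(ip, t) else "failed")
    return outcomes


# Constructed sample: 203.0.113.5 guesses five times in two minutes; 198.51.100.9 is unaffected
SAMPLE_EVENTS = [(0, "203.0.113.5", False), (20, "203.0.113.5", False), (40, "203.0.113.5", False),
                 (60, "203.0.113.5", False), (90, "198.51.100.9", True), (120, "203.0.113.5", False),
                 (121, "203.0.113.5", True), (125, "198.51.100.9", True), (120 + BAN_SECONDS, "203.0.113.5", True)]
```

Because the ban is keyed on the client IP, a site behind a reverse proxy or load balancer must be configured so that the real client address is used rather than the proxy's, otherwise one offender's ban locks out everyone arriving through that proxy.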