MyBB Community Forums

Full Version: Too many login attempts
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
It seems that most of the users on my forum:

get a message (too many login attempts - wait 10 minutes) when they try to login.

I have checked - and not changed cookie settings and it looks like a bot tries to login with pretty much all existing users accounts.

In the user list many of the users Last Login is the exact same time and they actually wasnt logged in according to themselves, which might indicate that some of the accounts has been compromised. They will get a new password.

But the rest of the users cant log in because of too many attempts probably caused by a bot trying to access.

Is there anything I can do?
Track the login IPs which are of similar timed login for multiple users. If its a single common IP trying to login all accounts - ban the IP.
Thanks - but there are no two identical IP's. They are all different.
You might set the minimum password length to be longer. Besides preventing compromised accounts, it should make the board less attractive to the bot runner.

Of course, you can adjust the the max failed logins and time to delay as well. I would be careful not to make these too relaxed unless you have already required long and/or complex passwords.
Reducing attempts to 3-4 and increasing the timeout limit to more than 60 minutes may help.