diff --git a/core/modules/basic_auth/basic_auth.services.yml b/core/modules/basic_auth/basic_auth.services.yml
index 13a6cb1..08241c7 100644
--- a/core/modules/basic_auth/basic_auth.services.yml
+++ b/core/modules/basic_auth/basic_auth.services.yml
@@ -1,6 +1,6 @@
 services:
   authentication.basic_auth:
     class: Drupal\basic_auth\Authentication\Provider\BasicAuth
-    arguments: ['@config.factory']
+    arguments: ['@config.factory', '@flood']
     tags:
       - { name: authentication_provider, priority: 100 }
diff --git a/core/modules/basic_auth/lib/Drupal/basic_auth/Authentication/Provider/BasicAuth.php b/core/modules/basic_auth/lib/Drupal/basic_auth/Authentication/Provider/BasicAuth.php
index 573da4c..59dcd2f 100644
--- a/core/modules/basic_auth/lib/Drupal/basic_auth/Authentication/Provider/BasicAuth.php
+++ b/core/modules/basic_auth/lib/Drupal/basic_auth/Authentication/Provider/BasicAuth.php
@@ -11,6 +11,8 @@
 use Drupal\Core\Authentication\AuthenticationProviderInterface;
 use Drupal\Core\Config\Config;
 use Drupal\Core\Config\ConfigFactory;
+use Drupal\Core\Flood\FloodInterface;
+use Drupal\user\UserStorageControllerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
@@ -29,13 +31,31 @@ class BasicAuth implements AuthenticationProviderInterface {
   protected $configFactory;
 
   /**
+   * The flood service.
+   *
+   * @var \Drupal\Core\Flood\FloodInterface
+   */
+  protected $flood;
+
+  /**
+   * The user storage controller.
+   *
+   * @var \Drupal\user\UserStorageControllerInterface
+   */
+  protected $userStorage;
+
+  /**
    * Constructs a HTTP basic authentication provider object.
    *
    * @param \Drupal\Core\Config\ConfigFactory $config_factory
    *   The config factory.
+   * @param \Drupal\Core\Flood\FloodInterface $flood
+   *   The flood service.
    */
-  public function __construct(ConfigFactory $config_factory) {
+  public function __construct(ConfigFactory $config_factory, FloodInterface $flood) {
     $this->configFactory = $config_factory;
+    $this->flood = $flood;
+    $this->userStorage = \Drupal::service('entity.manager')->getStorageController('user');
   }
 
   /**
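Review bot: The user storage controller is fetched from the global container with `\Drupal::service('entity.manager')` inside the constructor, while the flood service beside it is injected properly. That hides a dependency of the authentication path from the service definition and makes it hard to substitute the storage when testing the throttling logic. I would add `'@entity.manager'` to the `arguments` list in basic_auth.services.yml, accept it as a third constructor parameter, and assign `$this->userStorage = $entity_manager->getStorageController('user');`. The added `use Drupal\user\UserStorageControllerInterface;` also appears unused in the visible hunks, since the `@var` tag uses the fully qualified name. The class body starts before this hunk and continues after it.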
@@ -51,12 +71,47 @@ public function applies(Request $request) {
    * {@inheritdoc}
    */
   public function authenticate(Request $request) {
+    $flood_config = $this->configFactory->get('user.flood');
     $username = $request->headers->get('PHP_AUTH_USER');
     $password = $request->headers->get('PHP_AUTH_PW');
-    $uid = user_authenticate($username, $password);
-    if ($uid) {
-      return user_load($uid);
+    // Do not allow any login from the current user's IP if the limit has been
+    // reached. Default is 50 failed attempts allowed in one hour. This is
+    // independent of the per-user limit to catch attempts from one IP to log
+    // in to many different user accounts.  We have a reasonably high limit
+    // since there may be only one apparent IP for all users at an institution.
+    if ($this->flood->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
+      $accounts = $this->userStorage->loadByProperties(array('name' => $username, 'status' => 1));
+      $account = reset($accounts);
+      if ($account) {
+        if ($flood_config->get('uid_only')) {
+          // Register flood events based on the uid only, so they apply for any
+          // IP address. This is the most secure option.
+          $identifier = $account->id();
+        }
+        else {
+          // The default identifier is a combination of uid and IP address. This
+          // is less secure but more resistant to denial-of-service attacks that
+          // could lock out all users with public user names.
+          $identifier = $account->id() . '-' . $request->getClientIP();
+        }
+        // Don't allow login if the limit for this user has been reached.
+        // Default is to allow 5 failed attempts every 6 hours.
+        if ($this->flood->isAllowed('user.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
+          $uid = user_authenticate($username, $password);
+          if ($uid) {
+            $this->flood->clear('user.failed_login_user', $identifier);
+            $account = user_load($uid);
+            return $account;
+          }
+          else {
+            // Register a per-user failed login event.
+            $this->flood->register('user.failed_login_user', $flood_config->get('user_window'), $identifier);
+          }
+        }
+      }
     }
+    // Always register an IP-based failed login event.
+    $this->flood->register('user.failed_login_ip', $flood_config->get('ip_window'));
     return NULL;
   }
 
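Review bot: A request refused by flood control falls through to `return NULL` in authenticate() without any log entry, so a throttled client looks the same as one that sent bad credentials and operators get no signal that a brute-force limit was hit. An `else` branch on each `isAllowed()` check that records the event would close that gap, for example `watchdog('basic_auth', 'Flood control blocked a login attempt from %ip.', array('%ip' => $request->getClientIP()), WATCHDOG_WARNING);` (or whichever logger this module is expected to use). Separately, the final `register('user.failed_login_ip', ...)` call also runs when the IP check has already failed, so a blocked address that keeps retrying keeps refreshing its own window. Given the comment about institutions sharing one IP, it is worth confirming that this is intended.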
@@ -83,4 +138,5 @@ public function handleException(GetResponseForExceptionEvent $event) {
     }
     return FALSE;
   }
+
 }
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
old mode 100644
new mode 100755
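Review bot: The mode change on sites/default/default.settings.php from 100644 to 100755 looks unrelated to the flood-control work and is probably accidental. A settings template has no reason to carry the executable bit, so I would drop this file from the commit and leave it at `100644`.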
