A brute-force attack is an attempt to gain unauthorized access to a website by repeatedly generating and submitting different password combinations. This is usually done by automation software (a "bot") which looks for success or failure messages and keeps trying new passwords until it gets a success message.

Some brute-force attacks are based on commonly used usernames. Others first identify the username through one of several methods.

Drupal core versions 6.x and below have limited protection against brute-force attacks on usernames and passwords. Most failed login attempts are logged to the "watchdog" unless they are made via an xmlrpc.php request like the blogapi or some other external login mechanism. You can protect against brute-force attacks on your site by using a module like Login Security.

Drupal core versions 7.x and 8.x include flood control variables that limit failed logins from a single IP address (default: 50 failed attempts allowed in one hour) and to a single account (default: 5 failed attempts every 6 hours). These variables are not exposed in the Drupal core administration pages, but the Flood control module adds an interface to change them.
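
The following is an added example, not Drupal's code and not part of the original page: a simplified model of the two default thresholds described above, treated as sliding windows over failed attempts. The class and function names are hypothetical, the login attempts are constructed, and keying the per-account counter on the account name alone is an assumption of this model.

```python
from collections import defaultdict, deque

# Defaults quoted on this page for Drupal 7.x/8.x flood control.
IP_LIMIT, IP_WINDOW = 50, 3600          # 50 failed attempts per IP per hour
USER_LIMIT, USER_WINDOW = 5, 6 * 3600   # 5 failed attempts per account per 6 hours


class FloodControl:
    """Simplified in-memory model of the two thresholds (hypothetical class)."""

    def __init__(self):
        self.ip_failures = defaultdict(deque)    # ip -> timestamps of failures
        self.user_failures = defaultdict(deque)  # account -> timestamps of failures

    @staticmethod
    def _recent(events, now, window):
        # Drop failures that have aged out of the window; count what is left.
        while events and events[0] <= now - window:
            events.popleft()
        return len(events)

    def is_allowed(self, ip, user, now):
        """Return (allowed, reason); evaluated before any password check."""
        if self._recent(self.ip_failures[ip], now, IP_WINDOW) >= IP_LIMIT:
            return False, "ip"
        if self._recent(self.user_failures[user], now, USER_WINDOW) >= USER_LIMIT:
            return False, "user"
        return True, None

    def record_failure(self, ip, user, now):
        # A failed login counts against both the source IP and the account.
        self.ip_failures[ip].append(now)
        self.user_failures[user].append(now)


def replay(attempts):
    """Replay constructed failed logins given as (time, ip, user) tuples.

    Returns the rejected attempts as (time, ip, user, reason) tuples.
    """
    flood, blocks = FloodControl(), []
    for now, ip, user in attempts:
        allowed, reason = flood.is_allowed(ip, user, now)
        if allowed:
            flood.record_failure(ip, user, now)  # every sample attempt fails
        else:
            blocks.append((now, ip, user, reason))
    return blocks
```

Replaying one address against one account trips the account limit on the sixth attempt, while one address cycling through many accounts is only stopped by the IP limit on the fifty-first, which is why both thresholds are worth reviewing together.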