Last updated March 31, 2015. Created on January 11, 2011.
Edited by klidifia, winzig45, stpaultim, Matt V.. Log in to edit this page.

Drupal 7 prevents brute force attacks on accounts. It blocks login by a user that has more than 5 failed login attempts (within six hours) or an IP address that has more than 50 failed login attempts (within one hour).

The amount of failed logins is recorded in the table 'flood'. You can either wait before trying to login again (6 hours) or clean the flood table with the procedure below.

If you forgot your password, generate a new password and update the database.

Execute the following query on the Drupal database:

DELETE FROM `flood`;

If command above doesn't work try this:

TRUNCATE flood RESTART IDENTITY;

To execute this query it will be necessary to login to the database. This is typically done through the command line or through a GUI interface such as phpMyAdmin. If Drush is installed on your server, the drush sql-cli command provides quick access to an SQL command-line interface.

From the command line, with Drush installed:

drush php-eval 'db_query("DELETE FROM `flood`");'

NOTE: The query above will delete ALL entries in the flood table. If you want to remove only a specific user's entries from the flood table, the following is more specific.

DELETE FROM flood WHERE event = 'failed_login_attempt_user' AND identifier LIKE '1234-%';
(where 1234 is the UID of the blocked user)

This is a workaround to a problem. The problem is detailed here: https://www.drupal.org/node/992540

Related questions

  • How do I remove flood events from particular identifiers?
  • How do I configure the new Drupal 7 flood control settings?

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.

Comments

Cyberwolf’s picture

You can also use the sqlq command:

drush sqlq "DELETE FROM flood"
lukus’s picture

How long do users need to wait?

azarzag’s picture

The default value seems to be 1 hour. You can use this module to play around with some settings related to flood control

johanneshahn’s picture

hi,
i think thats bad for admins to wait one or two hours.

FiNeX’s picture

Currently the default settings of user_failed_login_user_window is 21600 seconds (6 hours).

BruceGoodwin’s picture

This worked perfect for me. It took longer to log on the server then clearing the flood table. Thanks!

Sanjay Chauhan’s picture

It really work just follow:

Empty flood table via PHPMyAdmin or MySQL cli:
DELETE FROM `flood`;.

stpaultim’s picture

I would like some clarification on whether or not the "flood protection" discussed here is intended to be targeted at specific users/ip addresses or if it is supposed to prevent anyone from logging into the site - once it has been triggered.

I just had a site where all users were being blocked from logging in, even on the first try. Clearing the "flood table" seems to have resolved it.

Is this the way it is supposed to work?

(UPDATE): Turns out that Pantheon had an issue with the way it's servers we set-up that made it appear as if all logins were coming from the same IP address. This resulted in Drupal counting all failed logins together and then once the threshold was reached, blocking all users.

I got this advice from a trusted Drupal guru: "I would check to make sure there isn't something odd in your server config. I know sometimes if you use a proxy all the requests come from the same IP."

magendiran’s picture

It's worked for me...

DarrellDuane’s picture

Check out this new module that helps with this:

https://www.drupal.org/project/flood_unblock

also this is a module that allows you to manage the settings:

https://www.drupal.org/project/flood_control

Darrell Duane
d@duane.com

qqboy’s picture

drush eval "db_delete('flood')->execute();"
but cautious.

thank you.