The Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal provides only basic access control, denying IP access to the full content of the site.

With the Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms (the default login form at /user and the block called "login form block"). With this module enabled, a site administrator may:

  • limit the number of invalid login attempts before blocking accounts,
  • or deny access by IP address, temporarily or permanently.

A set of notifications by email or Nagios may help the site administrator know when something is happening with the login form of their site:

  • password and account guessing,
  • brute-force login attempts or just unexpected behaviour with the login operation.

As an alternative control, Login Security can disable Drupal core's login error messages, obfuscating the reason for the login failure. This could make it harder for an attacker to discover whether the account even exists.

On login, users can optionally see their last login or access timestamp.

For a lighter alternative, check out Flood control.

Supporting organizations: 
Drupal 8 upgrade and maintenance
Drupal 7 upgrade and maintenance

Project information

  • Minimally maintained
    Maintainers monitor issues, but fast responses are not guaranteed.
  • Maintenance fixes only
    Considered feature-complete by its maintainers.
  • 31,476 sites report using this module
  • Stable releases for this project are covered by the security advisory policy.
    Look for the shield icon below.