Change record status: 
Project: 
Introduced in branch: 
7.x
Introduced in version: 
7.74
Description: 

The user module now responds with a 403 "access denied" when a login attempt is blocked by flood control.

Modules now can use the new hook_user_flood_control() to do things like send a notification when a user account is blocked because of excessive failed login attempts, or add an IP to firewall rule, for example.

By default, Drupal will now log these events with notices such as:

Flood control blocked login attempt for trillian from 12.34.12.34

Flood control blocked login attempt from 12.34.12.34

Logging can be disabled via a variable, for example in settings.php:

/**
 * Logging of user flood control events.
 *
 * Drupal's user module will place a temporary block on a given IP address or
 * user account if there are excessive failed login attempts. By default these
 * flood control events will be logged. This can be useful for identifying
 * brute force login attacks. Set this variable to FALSE to disable logging, for
 * example if you are using the dblog module and want to avoid database writes.
 *
 * @see user_login_final_validate()
 * @see user_user_flood_control()
 */
# $conf['log_user_flood_control'] = FALSE;
Impacts: 
Site builders, administrators, editors
Module developers
Distribution developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done