By paulocs on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
7.x
Introduced in version:
7.74
Issue links:
Description:
The user module now responds with a 403 "access denied" when a login attempt is blocked by flood control.
Modules can now use the new hook_user_flood_control() to do things like send a notification when a user account is blocked because of excessive failed login attempts, or add an IP address to a firewall rule.
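One way a module could act on these events, as an added example rather than code from Drupal core or this change record: it rate-limits a notification mail and escalates repeat offenders to core's blocked_ips table. The module name example_floodwatch, its variables and its thresholds are hypothetical, and the hook signature ($ip, $username = FALSE) is an assumption to check against user.api.php in your Drupal 7 release.

```php
<?php
/**
 * @file
 * example_floodwatch.module: hypothetical module, added as an illustration.
 */

/**
 * Implements hook_user_flood_control().
 *
 * Assumed signature: $ip is the blocked address; $username is set only when
 * a specific account (rather than the IP as a whole) was blocked.
 */
function example_floodwatch_user_flood_control($ip, $username = FALSE) {
  // Hypothetical tunables: 5 blocked attempts per hour before escalating.
  $window = variable_get('example_floodwatch_window', 3600);
  $threshold = variable_get('example_floodwatch_threshold', 5);

  // The hook fires on every blocked attempt, so rate-limit the notification
  // to one mail per account per window to avoid mailing on each retry.
  if (!empty($username) && flood_is_allowed('example_floodwatch_mail', 1, $window, $username)) {
    flood_register_event('example_floodwatch_mail', $window, $username);
    $params = array('ip' => $ip, 'username' => $username);
    drupal_mail('example_floodwatch', 'blocked', variable_get('site_mail', ''), language_default(), $params);
  }

  // Count blocked attempts per IP; once the threshold is reached, add the
  // address to core's blocked_ips table so it is denied at bootstrap.
  flood_register_event('example_floodwatch_hit', $window, $ip);
  if (!flood_is_allowed('example_floodwatch_hit', $threshold, $window, $ip)
    && filter_var($ip, FILTER_VALIDATE_IP)) {
    db_merge('blocked_ips')
      ->key(array('ip' => $ip))
      ->fields(array('ip' => $ip))
      ->execute();
    watchdog('example_floodwatch', 'Added %ip to blocked_ips after repeated flood control blocks.', array('%ip' => $ip), WATCHDOG_WARNING);
  }
}

/**
 * Implements hook_mail().
 */
function example_floodwatch_mail($key, &$message, $params) {
  if ($key == 'blocked') {
    $args = array('@user' => $params['username'], '@ip' => $params['ip']);
    $message['subject'] = t('Login temporarily blocked for @user', $args);
    $message['body'][] = t('Flood control blocked login attempts for @user from @ip.', $args);
  }
}
```

Behind a reverse proxy the address Drupal reports depends on its reverse_proxy settings, so confirm that $ip is the real client address before blocking on it. Entries in blocked_ips persist until an administrator removes them, unlike the temporary flood control block.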
By default, Drupal will now log these events with notices such as:
Flood control blocked login attempt for trillian from 12.34.12.34
Flood control blocked login attempt from 12.34.12.34
Logging can be disabled via a variable, for example in settings.php:
/**
 * Logging of user flood control events.
 *
 * Drupal's user module will place a temporary block on a given IP address or
 * user account if there are excessive failed login attempts. By default these
 * flood control events will be logged. This can be useful for identifying
 * brute force login attacks. Set this variable to FALSE to disable logging, for
 * example if you are using the dblog module and want to avoid database writes.
 *
 * @see user_login_final_validate()
 * @see user_user_flood_control()
 */
# $conf['log_user_flood_control'] = FALSE;
Impacts:
Site builders, administrators, editors
Module developers
Distribution developers