Is it by design that UID 1 cannot be hard blocked regardless of failed login attempts? While this seems the most likely account for an attempted hack, it would also leave a site vulnerable to being crippled by a few malicious (or accidental) failed logins if this were the only privileged user of a site.
Comment | File | Size | Author |
---|---|---|---|
#3 | 1858092-3.patch | 654 bytes | divyansh |
Comments
Comment #1
deekayen commented:
Bumping version.
Comment #2
shrop commented:
I am not sure of the best approach here, but it does seem standard for systems to block any account. Ex: host deny systems for unix firewalls. Would it be possible to add documentation to explain all users can be hard blocked, recommend having alternative admin accounts (as you should anyway), and instructions to unblock via direct database manipulation if all else fails?
Comment #3
divyansh (as a volunteer and at Srijan | A Material+ Company, for Drupal India Association) commented:
Hi,
I was having the same issue, so I have created this patch.