Update Mar 17, 2016: The final version of the 1&1 Brute Force Protection plugin is available now. It includes some minor updates to the Release Candidate and will be part of the Joomla! 3.5 package for all 1&1 customers. If you have a self-maintained Joomla! installation, you can download the plugin right here:
Update Jan 15, 2016: We did some additional code tweaking and are happy to announce that the 1&1 Brute Force Protection plugin Release Candidate is now available to download. We look forward to your feedback.
- Small improvements and bugfixes
The 1&1 Brute Force Protection plugin stops brute force login attempts on the login form in the Joomla! backend, providing an additional layer of security for your website.
After a set number of login attempts, a small captcha with an arithmetic task has to be solved successfully to get access, even if the credentials are entered correctly.
After another set number of failed login attempts with the captcha, access to the backend is blocked completely for the requesting IP address for a specified grace time.
The locked IP addresses are stored permanently as small files in a protected locked folder. Once the grace time of a file has expired, the outdated file is removed automatically from the folder.
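The escalation described above (normal login, then captcha, then a per-IP lock file that expires after the grace time), modelled in Python as an added example; it is not the plugin's own PHP code. The class name, the threshold values, the hashed lock-file names, the JSON file content and the in-memory failure counters are assumptions made for illustration.

```python
import hashlib, ipaddress, json, time
from pathlib import Path

NORMAL_ATTEMPTS = 3    # assumed value for "Login Attempts - Normal"
CAPTCHA_ATTEMPTS = 3   # assumed value for "Login Attempts - Captcha"
GRACE_SECONDS = 300    # assumed value for "Grace Time in Seconds"

class BruteForceGuard:  # hypothetical name, not the plugin's class
    def __init__(self, lock_dir, clock=time.time):
        self.lock_dir = Path(lock_dir)
        self.lock_dir.mkdir(parents=True, exist_ok=True)
        self.clock = clock
        self.failures = {}  # normalized IP -> failed attempts (assumed in-memory)

    def _key(self, ip):
        # Normalize so that equivalent IPv6 spellings share one counter
        return str(ipaddress.ip_address(ip))

    def _lock_file(self, key):
        # Hash the address: IPv6 colons are not safe in file names everywhere
        return self.lock_dir / (hashlib.sha256(key.encode()).hexdigest() + ".lock")

    def state(self, ip):
        """Return 'locked', 'captcha' or 'normal' for the requesting IP."""
        key = self._key(ip)
        lock = self._lock_file(key)
        if lock.exists():
            if json.loads(lock.read_text())["expires"] > self.clock():
                return "locked"
            lock.unlink()  # grace time expired: remove the outdated file
            self.failures.pop(key, None)
        return "captcha" if self.failures.get(key, 0) >= NORMAL_ATTEMPTS else "normal"

    def login(self, ip, credentials_ok, captcha_ok=False):
        """Process one attempt; return True only if access is granted."""
        key, state = self._key(ip), self.state(ip)
        if state == "locked":
            return False
        # In the captcha stage, correct credentials alone are not enough
        if credentials_ok and (state == "normal" or captcha_ok):
            self.failures.pop(key, None)
            return True
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= NORMAL_ATTEMPTS + CAPTCHA_ATTEMPTS:
            expires = self.clock() + GRACE_SECONDS
            self._lock_file(key).write_text(json.dumps({"expires": expires}))
        return False
```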
Beta 2: Thanks to a user we found a bug with IPv6. This should now be fixed. Feel free to test the Beta 2 of our Brute Force Protection Plugin.
Beta 3: We improved our plugin by adding another option in the settings section of the plugin. Now the user can decide whether the plugin should check for the X-Forwarded-IP in the header response or take the direct IP address. Please test the new Beta 3 and give us feedback here in the comment section.
Installing the plugin
We recommend the 1&1 Brute Force Protection plugin for all Joomla! websites. Installation only takes a few seconds, setup is easy, and it requires no additional work from your users.
- Download the 1&1 Brute Force Protection plugin.
- Log in to your Joomla! admin panel.
- In the Joomla! main menu select Extensions > Manage.
- Select the downloaded plugin package and then click Upload & Install.
Activating the plugin and customizing the settings
- In the Joomla! main menu select Extensions > Plugins.
- Search for brute force protection, then click on System – Brute Force Protection in the search results.
- To activate the plugin, in the settings widget on the right, change the status from Disabled to Enabled.
You can customize the number of login attempts and the grace time in the Joomla! admin panel.
- Login Attempts – Normal: How many normal login attempts are allowed before the user must solve the captcha task.
- Login Attempts – Captcha: How many login attempts with a captcha (arithmetic task) are allowed.
- Grace Time in Seconds: How long, in seconds, an IP address is blocked from further attempts.
- Save your changes!
Use two-factor authentication for additional security
If you want to take the security of your website one step further, we recommend enabling two-factor authentication for your website. Since version 3.2, Joomla! supports two-factor authentication via Google Authenticator and YubiKey out of the box.
You can enable two-factor authentication for each user account individually. So, if you want to limit two-factor authentication to admin accounts and offer standard user accounts a more convenient login, you can do this as well.