Preventing Brute Force Logins on Websites

Front-end · unresolved · 14 answers · 1289 views

小鲜肉 2020-11-27 10:18

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?

14 answers
  •  再見小時候
     2020-11-27 10:43

    Old post, but let me post what I have as of the end of 2016. Hope it can still help.

    It's a simple way, but I think it's powerful for preventing login attacks. At least I always use it on every website of mine. We don't need CAPTCHA or any other third-party plugins.

    When the user logs in for the first time, we create a session variable like

    $_SESSION['loginFail'] = 10; // any number you prefer

    If the login succeeds, then we destroy it and let the user log in.

    unset($_SESSION['loginFail']); // put it after creating the login session

    But if the user fails, as we usually send them an error message, at the same time we reduce the session value by 1:

    $_SESSION['loginFail']--; // reduce by 1 for every error

    and if the user fails 10 times, then we redirect them to another website or any other web page.

    // The counter must exist (isset, not !isset) and use the same key as above
    if (isset($_SESSION['loginFail'])) {
        if ($_SESSION['loginFail'] < 1) {
            header('Location: https://google.com/'); // or any web page
            exit();
        }
    }

    This way, the user cannot open or go to our login page anymore, because it has been redirected to another website.

    Users have to close the browser (to destroy the loginFail session we created) and open it 'again' to see our login page 'again'.

    Is it helpful?
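A server-side variant of the same counter, as an added example that is not part of the original answer: a PHP session lives only as long as the client keeps its cookie, so a client that discards the cookie starts again at 10, whereas the count below is keyed by username and stored in SQLite via PDO. `checkCredentials()` is a hypothetical function standing in for the site's own password check; the threshold of 10 matches the answer, the 15-minute lockout is an assumed value.

```php
<?php
// Added example: server-side failed-login counter with a temporary lockout.
// Survives the client dropping its session cookie, unlike $_SESSION.
const MAX_FAILURES = 10;       // same threshold as the answer above
const LOCKOUT_SECONDS = 900;   // assumed value: 15 minutes

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/login_attempts.sqlite');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS login_attempts (
            username TEXT PRIMARY KEY,
            failures INTEGER NOT NULL,
            locked_until INTEGER NOT NULL)');
    }
    return $pdo;
}

function isLocked(string $username): bool {
    $st = db()->prepare('SELECT locked_until FROM login_attempts WHERE username = ?');
    $st->execute([$username]);
    $until = $st->fetchColumn();
    return $until !== false && (int)$until > time();
}

function recordFailure(string $username): void {
    $st = db()->prepare('SELECT failures, locked_until FROM login_attempts WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC) ?: ['failures' => 0, 'locked_until' => 0];
    // An expired lockout starts a fresh count instead of re-locking on the next failure
    $failures = ((int)$row['locked_until'] > 0 && (int)$row['locked_until'] <= time())
        ? 1 : (int)$row['failures'] + 1;
    $lockedUntil = $failures >= MAX_FAILURES ? time() + LOCKOUT_SECONDS : 0;
    db()->prepare('INSERT INTO login_attempts (username, failures, locked_until) VALUES (?, ?, ?)
        ON CONFLICT(username) DO UPDATE SET failures = excluded.failures,
        locked_until = excluded.locked_until')->execute([$username, $failures, $lockedUntil]);
}

function clearFailures(string $username): void {
    db()->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
}

// Use in the login handler (checkCredentials() is hypothetical):
// if (isLocked($user)) { http_response_code(429); exit('Too many failed attempts.'); }
// if (checkCredentials($user, $pass)) { clearFailures($user); /* start session */ }
// else { recordFailure($user); /* show the usual error */ }
```

Keying the lockout by username means anyone can lock a known account out for 15 minutes by failing on purpose, so it is normally combined with a per-client counter or a growing delay rather than used alone. The `ON CONFLICT ... DO UPDATE` upsert needs SQLite 3.24 or newer.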
