Limit allowed attempts for logins in TYPO3 v11

Benni Mack

Flexible login restrictions

TYPO3 v11 ships with a new feature called "Rate Limiting". This is useful wherever you want to prevent excessive use or maintain availability of a service—and it really shines when used to restrict login attempts to the TYPO3 backend. Previous TYPO3 versions had a hard "let's wait 5 seconds" limit before you could attempt to log in again after entering an incorrect username or password.

This was not only inconvenient if you had a simple typo in your username (five seconds is a long time to wait!), but it actively blocked the server for five seconds. Malicious people could exploit this window to attempt a Denial-of-Service attack (hopefully you have a Web Application Firewall in place for such things!).

We are happy to say that this behavior is now in the past. TYPO3 v11's Rate Limiting is based on Symfony's Rate Limiter component, and by default it only allows five failed login attempts from the same IP address within a 15 minute period. This means if your user simply hits the wrong key when typing in their password, they can fix it straight away and get on with their work. It also means you can be confident in the default security settings of your system.

How do you know if you're running with TYPO3 v11? Just try to log in with the wrong username. The Rate Limiting feature will show you the error message for a failed login.

Configuration

As you’ve come to expect with TYPO3, everything is configurable. Site Administrators can modify the default values for the number of login attempts.

As a system maintainer, use the "Admin Tools -> Settings" module, select "Configure Installation-Wide Options" and search for "Rate Limit".

* [BE][loginRateLimit] = 5

Maximum amount of login attempts for the time interval in [BE][loginRateLimitInterval], before further login requests will be denied. Setting this value to "0" will disable login rate limiting.

* [BE][loginRateLimitInterval] = 15 minutes

Allowed time interval for the configured rate limit. Individual values using PHP-relative formats can be set in AdditionalConfiguration.php.

* [BE][loginRateLimitIpExcludeList]

A list of IP addresses that are excluded from the rate limiting feature. This is very useful for IP addresses coming from an internal network from a company or organization.

You can customize these settings in your installation’s `LocalConfiguration.php` file as well, to have everything configured in deployable setups.

Find out more

For a deep dive into how this feature works, check out the Rate limiting for failed logins documentation. 

But that’s not all! Developers can make use of TYPO3’s rate limiting API to implement rate limiting in lots of other places in their TYPO3 setup. Talk to us about opportunities to introduce rate limiting on your TYPO3 installation.

Pro Tip: Be sure to check out even more security measures in TYPO3 v11, such as the brand new built-in Multi Factor Authentication process!

We’re here to offer professional support with your upgrades to TYPO3 v11, or any topics regarding your TYPO3 projects.

Let's connect