Best brute force protection in PHP


I’m adding brute force protection to a website and was trying to decide on the best way. Realistically, blocking the IP for 30 mins may not be the way as the system is for an entire office and they would all be blocked.

As an alternative, I was thinking of locking a particular account following 3 failed login attempts.

Would this be effective? My thinking is a dictionary attack my stumble upon a correct username, but the likelihood of the correct password being found in 3 attempts is slim to say the least.

Has anyone had much experience with this, or could recommend a better option?


Alternatively I could add reCaptcha to the form after 3 unsuccessful attempts? This wouldn’t bother the office so much.

So is this a publicly available website which has a password protected admin area, or is this on an intranet?

It was intranet, but it has been asked to be put online so it can be accessed elsewhere, but it is for company employees only.

If your company is relying on PHP to secure their systems, they need help. VPN would be a better solution…
that said;

A combination of systems may be better - use a blacklist for IP’s (accompanied by a whitelist of ‘do not block’ for the company’s internal IP’s) based on account-name-guessing (along with an alarm system), and a lockdown on a given account failing the password check X times.

Cant hurt to have two layers of protection if you’re going to open your company’s data.

Will you be asked to make access amenable to those logging in via mobile devices?

May be I am thinking all wrong, but sending a cookie to the offending m/c will let you identify that fellow( and stop him or whatever) even if they are using same IP.
Blocking usernames(after 3 attempts) does not seem like appropriate solution. As the offender will have the power to deliberately try other people IDs and lock them.

Thanks for the replies. I didn’t build the systems but they have been designed for online usage so the company can take an iPad to a meeting with a client and access all info there. I found a ridiculous level of security, passwords weren’t even encrypted and file uploads were online, so navigating to them would give you access.
So far I’ve encrypted passwords and made all files upload outside the htdocs directory and a force download for them if the user is logged in. Then I added brute force to block an ip for 30 mins after 3 failed attempts. VPN is required to use FTP or MySQL (or root access to server). Still plenty to do before I let it go live I think.
I think the white/blacklist is a good idea and alarm system, probably built into the brute force system. I would personally prefer it to be hosted on their local servers and accessed via remote access when out and about. Oh and SSL is a big yes. No skimping there.
I think forcing a password change every 30 days is a requirement too.

In terms of the user being logged in, I remember years ago there was a way of “stealing” a user’s session using a gif file? I think I got round it with


It was many years ago so I’m not sure how good this would be now.

A few things to get though yet.