
Admin prevent brute force attack

Anders Ebdrup

Hi Dynamicweb,

 

How do I set up prevention of brute force attacks for the administration? It seems like we have no limits to set for wrong combinations of username and password.

 

Best regards, Anders


Replies

 
Nicolai Pedersen

We do not have such a feature... We probably should. TFS#41492

 
John Higginbotham

Hi Nicolai,

Can I +1 this please? All DW sites are at risk of brute force attack without this functionality. Our users (despite numerous warnings) create weak username and password combinations because they're easy to remember. Grrrrrrrr.....

Clearly, if somebody were to gain unauthorised access to the admin, then they have the ability to do anything they want to: upload files to the local file system, query the DW database, insert scripts to skim credit card details and form posts, etc. Gulp.

John

 
 
Nicolai Pedersen

Hi John

You can set up password policies for the backend: https://doc.dynamicweb.com/documentation-9/platform/advanced-settings/control-panel#2541

Dynamicweb 9.5 has brute force prevention as well. If you post too many times, the admin locks; you get banned if you try to do SQL injection, and there are CSRF checks as well.

Next on this matter will be 2-factor authentication for devices that you have not logged in with before.

BR Nicolai

 
Andrew Bates

Hi Nicolai,

Can you set up brute force prevention for the admin area of Dynamicweb? As far as I can see, I can only set up login limitations for the extranet users, not the admin area.

AB

 
