Block request for multiple unsuccessful logins for a period of time

粉色の甜心 2020-11-30 05:06

I have a web site and I want to block requests from bots and attempted brute-force logins to my web site.

Now I'm using Session for storing lo

7 answers
  • 2020-11-30 05:55

    The only thing that I'd like to add that others haven't is that, where possible, you don't want to alert bots to the fact that they've been detected. If you block them with some message, then they will just make note of what they did to be detected and adjust. If you're "noticing" them by IP, for example, just don't allow the password that they're entering to ever succeed. They will be fooled into thinking that you have some complicated passwords etc., and go elsewhere, without ever knowing for sure that you noticed them.

    I would also suggest storing the "attempts" in a database with IP. You can then easily go back and review attempts that have been made against your site. You could query the web logs, but that's more painful. I also log successful logins so I can notice when bots do get in to go back and apply further research.

    0 Comments (0)
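An added example, not part of the answer above: one way to combine its two suggestions in Python with SQLite, logging every attempt by IP and making logins from a flagged IP fail with the same message as an ordinary wrong password. The table layout, the threshold and window values, and the `verify` callable are assumptions for illustration.

```python
import sqlite3
import time

MAX_FAILURES = 5           # assumed threshold, tune for your site
WINDOW_SECONDS = 15 * 60   # assumed look-back window
GENERIC_ERROR = "Invalid username or password"

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS login_attempts (
        ip TEXT NOT NULL, username TEXT NOT NULL, ts REAL NOT NULL,
        success INTEGER NOT NULL, suppressed INTEGER NOT NULL)""")
    db.execute("CREATE INDEX IF NOT EXISTS idx_ip_ts ON login_attempts (ip, ts)")
    return db

def recent_failures(db, ip, now):
    cutoff = now - WINDOW_SECONDS
    return db.execute(
        "SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND success = 0 AND ts > ?",
        (ip, cutoff)).fetchone()[0]

def attempt_login(db, verify, ip, username, password, now=None):
    """verify(username, password) -> bool is the site's existing credential
    check (hypothetical callable). Returns (ok, message)."""
    now = time.time() if now is None else now
    flagged = recent_failures(db, ip, now) >= MAX_FAILURES
    # Run the real check even when flagged, so the response takes the same
    # path and a correct guess from a flagged IP can be recorded for review.
    password_ok = bool(verify(username, password))
    success = password_ok and not flagged
    db.execute("INSERT INTO login_attempts VALUES (?, ?, ?, ?, ?)",
               (ip, username, now, int(success), int(password_ok and flagged)))
    db.commit()
    # A flagged IP gets the same message as an ordinary wrong password.
    return (True, "OK") if success else (False, GENERIC_ERROR)

def suppressed_hits(db):
    """Accounts whose correct password was submitted from a flagged IP."""
    return db.execute("SELECT ip, username FROM login_attempts "
                      "WHERE suppressed = 1 ORDER BY ts").fetchall()
```

Rows returned by `suppressed_hits` mean the password is known to whoever was guessing, so those accounts are candidates for a forced reset. Keying on IP alone also silently affects every legitimate user behind the same shared address.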