Flood Control
The Flood Control module, installed by the Varbase Security Base recipe, provides a user interface for configuring Drupal's built-in flood protection system. Flood control limits the number of times a particular action can be performed within a given time period, protecting against brute-force attacks on login forms, contact form spam, and other abuse scenarios.
Accessing Flood Control Configuration
Navigate to Configuration > System > Flood control, or go to:
/admin/config/system/flood-controlLogin Flood Control
Drupal includes built-in flood control for the login form that limits failed login attempts. The Flood Control module provides a UI to configure these limits.
IP-Based Limiting
Limits the total number of failed login attempts from a single IP address, regardless of which username is used.
Limit: Maximum number of failed attempts allowed within the window (default: 50).
Window: Time period in seconds during which the limit applies (default: 3600 seconds / 1 hour).
User-Based Limiting
Limits the number of failed login attempts for a specific user account, regardless of the IP address.
Limit: Maximum number of failed attempts allowed within the window (default: 5).
Window: Time period in seconds during which the limit applies (default: 21600 seconds / 6 hours).
Contact Form Flood Control
Flood control can also be applied to the contact form to prevent abuse:
Limit: Maximum number of contact form submissions from a single user or IP within the window.
Window: Time period in seconds during which the limit applies.
Configuring Flood Control Settings
Navigate to Configuration > System > Flood control.
Adjust the Login settings:
Set the IP-based limit and window.
Set the user-based limit and window.
Adjust the Contact form settings if applicable.
Save the configuration.
What Happens When the Limit Is Reached
When a user or IP address exceeds the flood control limit:
Login form: The user receives an error message indicating that too many failed login attempts have been made and they must wait before trying again. The specific duration depends on the configured window.
Contact form: The user receives an error message indicating that they have sent too many messages and must wait before submitting again.
Clearing Flood Records
If a legitimate user is locked out due to flood control, an administrator can clear the flood records:
Navigate to Configuration > System > Flood control.
Use the Clear flood functionality to remove flood records for a specific IP address or user.
Alternatively, flood records can be cleared from the database directly using Drush:
Clearing all flood records removes protection temporarily. Only clear records for specific users or IPs when necessary, and investigate why the limit was reached before clearing.
Recommended Settings
For most Varbase sites, the following settings provide a good balance between security and usability:
IP-based login limit
50 attempts
IP-based login window
3600 seconds (1 hour)
User-based login limit
5 attempts
User-based login window
21600 seconds (6 hours)
Contact form limit
5 submissions
Contact form window
3600 seconds (1 hour)
Last updated