Manual:$wgPasswordAttemptThrottle
From mediawiki.org
Languages:
| User rights, access control and monitoring: $wgPasswordAttemptThrottle | |
|---|---|
| Limit password attempts per IP per address. |
|
| Introduced in version: | 1.14.0 (r38886)(git #6fcfa981) |
| Removed in version: | Still in use |
| Allowed values: | (array) |
| Default value: | see below |
| Other settings: Alphabetical | By function | |
Details
[edit ]Limit password attempts to count attempts per seconds per IP per username.
$wgMainCacheType must be set to something other than CACHE_NONE for this setting to work.
When the throttle is hit, the AuthenticationAttemptThrottled hook gets called.
To disable, put the following in LocalSettings.php:
$wgPasswordAttemptThrottle = [];
MediaWiki version:
≥ 1.27
Multiple thresholds can be added. They will all be tested separately.
Default value
[edit ] MediaWiki version:
≥ 1.27
$wgPasswordAttemptThrottle = [ // Short term limit. [ 'count' => 5, 'seconds' => 300 ], // Long term limit. // We need to balance the risk of somebody using this as a DoS attack to lock someone out of their account, and someone doing a brute force attack. [ 'count' => 150, 'seconds' => 60 * 60 * 48 ], ];
MediaWiki versions:
1.14 – 1.26
/** * Limit password attempts to X attempts per Y seconds per IP per account. * * @warning Requires memcached. */ $wgPasswordAttemptThrottle = array( 'count' => 5, 'seconds' => 300 );