Instructions

Add-on Details

The brute force protection add-on gives the user a set number of login attempts before they are temporarily blocked. It prevents an attacker from trying to log in hundreds of times.

How To Add

In phpMyAdmin, select the "phplogin" table and import the "login_attempts.sql" SQL file.

Edit the "main.php" file and add the following (just before the closing tag will do):

// Returns the login_attempts row for the current IP address (or an empty array if there is none).
// With $update = TRUE a failed attempt is recorded first: a new row is inserted with the
// column's default "attempts_left", an existing row has "attempts_left" decremented.
function login_attempts($pdo, $update = TRUE) {
	$ip = $_SERVER['REMOTE_ADDR'];
	$now = date('Y-m-d H:i:s');
	if ($update) {
		// "created" is overwritten on every failed attempt, so the block window below runs from the most recent failure.
		$stmt = $pdo->prepare('INSERT INTO login_attempts (ip_address, created) VALUES (?,?) ON DUPLICATE KEY UPDATE attempts_left = attempts_left - 1, created = VALUES(created)');
		$stmt->execute([ $ip, $now ]);
	}
	$stmt = $pdo->prepare('SELECT * FROM login_attempts WHERE ip_address = ?');
	$stmt->execute([ $ip ]);
	$login_attempts = $stmt->fetch(PDO::FETCH_ASSOC);
	if ($login_attempts) {
		// The user can try to login after 1 day... change the "+1 day" if you want to increase/decrease this date.
		$expire = date('Y-m-d H:i:s', strtotime('+1 day', strtotime($login_attempts['created'])));
		if ($now > $expire) {
			// Window has passed: remove the row so the counter starts fresh.
			$stmt = $pdo->prepare('DELETE FROM login_attempts WHERE ip_address = ?');
			$stmt->execute([ $ip ]);
			$login_attempts = array();
		}
	}
	return $login_attempts;
}

Edit the "authenticate.php" file and find:

include 'main.php';

Add after:

$login_attempts = login_attempts($pdo, FALSE);
if ($login_attempts && $login_attempts['attempts_left'] <= 0) {
	exit('Error: You cannot login right now! Please try again later!');
}

Find:

if (!isset($_POST['username'], $_POST['password'])) {

Add after:

$login_attempts = login_attempts($pdo);

Find (should be 2 instances):

echo 'Error: Incorrect username and/or password!';

Replace all with:

$login_attempts = login_attempts($pdo, TRUE);
echo 'Error: Incorrect username and/or password! You have ' . $login_attempts['attempts_left'] . ' attempts remaining!';

Find:

echo 'redirect';

Add above:

$ip = $_SERVER['REMOTE_ADDR'];
$stmt = $pdo->prepare('DELETE FROM login_attempts WHERE ip_address = ?');
$stmt->execute([ $ip ]);

Note: If you would like to change the number of attempts, you just need to change the default value for the "attempts_left" column in the "login_attempts" table.
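The following is an added, self-contained PHP script (not part of the add-on or the phplogin project) that reproduces the lockout logic above against an in-memory SQLite database, so the counting, blocking, expiry and reset behaviour can be tried without MySQL or phpMyAdmin. The table layout and the default of 3 for "attempts_left" are assumptions based on the column names used above; the real "login_attempts.sql" may differ. Because SQLite has no ON DUPLICATE KEY UPDATE, the equivalent UPSERT syntax (SQLite 3.24 or newer) is used, and the IP address and clock are passed as parameters instead of being read from $_SERVER and date() so the expiry path can be exercised with a chosen time.

```php
<?php
// Added demonstration of the add-on's lockout logic using an in-memory SQLite
// database via PDO. Schema and MAX_ATTEMPTS are ASSUMED, not taken from
// "login_attempts.sql".

const MAX_ATTEMPTS = 3;          // assumed default for the attempts_left column
const BLOCK_WINDOW = '+1 day';   // same window the add-on uses

function make_pdo(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE login_attempts (
        ip_address    TEXT PRIMARY KEY,
        attempts_left INTEGER NOT NULL DEFAULT ' . MAX_ATTEMPTS . ',
        created       TEXT NOT NULL
    )');
    return $pdo;
}

// Same contract as the add-on's login_attempts(): returns the row for $ip
// (or an empty array) and, when $update is true, records a failed attempt
// first. A brand-new row keeps the column default; an existing row is
// decremented and its "created" timestamp refreshed.
function login_attempts(PDO $pdo, string $ip, string $now, bool $update = true): array {
    if ($update) {
        // SQLite UPSERT standing in for MySQL's ON DUPLICATE KEY UPDATE.
        $stmt = $pdo->prepare('INSERT INTO login_attempts (ip_address, created) VALUES (?, ?)
            ON CONFLICT(ip_address) DO UPDATE SET
                attempts_left = attempts_left - 1,
                created = excluded.created');
        $stmt->execute([$ip, $now]);
    }
    $stmt = $pdo->prepare('SELECT * FROM login_attempts WHERE ip_address = ?');
    $stmt->execute([$ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
    if ($row) {
        // The window runs from the most recent failure, because every failed
        // attempt overwrites "created"; string comparison works for Y-m-d H:i:s.
        $expire = date('Y-m-d H:i:s', strtotime(BLOCK_WINDOW, strtotime($row['created'])));
        if ($now > $expire) {
            $pdo->prepare('DELETE FROM login_attempts WHERE ip_address = ?')->execute([$ip]);
            $row = [];
        }
    }
    return $row;
}

// Mirrors the check inserted after "include 'main.php';" in authenticate.php.
function is_blocked(PDO $pdo, string $ip, string $now): bool {
    $row = login_attempts($pdo, $ip, $now, false);
    return $row && $row['attempts_left'] <= 0;
}

// Mirrors the DELETE placed above "echo 'redirect';" on a successful login.
function clear_attempts(PDO $pdo, string $ip): void {
    $pdo->prepare('DELETE FROM login_attempts WHERE ip_address = ?')->execute([$ip]);
}

$pdo = make_pdo();
$ip  = '203.0.113.10';          // constructed sample address (documentation range)
$t0  = '2024-01-01 12:00:00';   // constructed clock

// The first failure inserts the row at the column default, so it takes
// MAX_ATTEMPTS + 1 failures to drive attempts_left down to zero.
for ($i = 1; $i <= MAX_ATTEMPTS + 1; $i++) {
    $row = login_attempts($pdo, $ip, $t0, true);
    printf("failure %d: %d attempts remaining, blocked=%s\n",
        $i, $row['attempts_left'], is_blocked($pdo, $ip, $t0) ? 'yes' : 'no');
}

// Just past the block window the row is expired and removed on the next check.
$later = date('Y-m-d H:i:s', strtotime('+1 day +1 second', strtotime($t0)));
printf("after window: blocked=%s\n", is_blocked($pdo, $ip, $later) ? 'yes' : 'no');

// A successful login clears the counter immediately, regardless of the window.
login_attempts($pdo, $ip, $t0, true);
clear_attempts($pdo, $ip);
printf("after successful login: row count=%d\n", count(login_attempts($pdo, $ip, $t0, false)));
```

Two points the script makes visible: the first failure does not decrement (the row is created at the default), so the real allowance is one more than the column default; and the counter is keyed on REMOTE_ADDR alone, so a lockout applies to every user sharing that address (an office NAT, a mobile carrier) and, behind a reverse proxy or load balancer, REMOTE_ADDR may be the proxy's address rather than the client's, which would lock out all traffic at once. Confirm what REMOTE_ADDR holds in your deployment before enabling the add-on.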