
MB-R011 Login rate-limit

C02 Admin Hardening | Medium

Implement rate-limiting or CAPTCHA to prevent unlimited login attempts on the admin panel. Brute-force and credential stuffing are common attack vectors. Throttling login attempts helps slow automated attacks and improves defense-in-depth when combined with strong credentials.

Why it Matters

Without rate-limiting, attackers can try thousands of username and password combinations on the admin login page without being slowed down. This makes brute force and credential stuffing attacks much more likely to succeed, especially if users reuse weak passwords.

Adding limits on failed login attempts, or using CAPTCHA after a few failures, makes automated attacks far less effective. Slowing down attackers gives defenders more time to detect the attack and reduces the risk of account compromise.

Verification Steps

Manual

# Try multiple failed login attempts
# After a set number (e.g., 5), the system should:
# - Show CAPTCHA, OR
# - Block the IP temporarily, OR
# - Lock the account for a short period

Remediation / Fix Guidance

  1. Enable login throttling or CAPTCHA for the admin panel.
  2. Set a maximum number of failed attempts before delay, lock, or challenge.
  3. Consider IP-based blocking or integrating with a WAF for extra protection.
  4. Monitor failed login events and alert on suspicious spikes.

Examples

Fail Example

# No limits in place
Attacker can send 10,000 login attempts without delay

Pass Example

# Limits enforced
After 5 failed attempts:
- CAPTCHA required
- Or IP blocked for 15 minutes
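An added example, not part of this baseline, showing the pass policy above and remediation steps 1 and 2 as code: a sliding-window throttle that blocks a client key (here the source IP) for 15 minutes once it reaches 5 failed attempts, plus a constructed replay of the 10,000-attempt fail scenario showing that only the first 5 attempts ever reach the password check. The class and function names, the sample IP, and the choice of a 15-minute counting window equal to the block time are assumptions; the CAPTCHA and WAF options are not modelled.

```python
import time
from collections import defaultdict, deque

# Policy values from this control's pass example: 5 failures, then a 15-minute block.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60   # failures are counted over a sliding window this long (assumed)
BLOCK_SECONDS = 15 * 60    # how long a key stays blocked once the limit is hit

class LoginThrottle:
    """Sliding-window failed-login counter keyed by client IP (or username)."""
    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so tests can advance time
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> epoch time the block expires

    def is_blocked(self, key):
        return self._clock() < self._blocked_until.get(key, 0)

    def record_failure(self, key):
        """Record one failure; returns True if it pushed the key over the limit."""
        now = self._clock()
        window = self._failures[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # forget failures outside the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._blocked_until[key] = now + BLOCK_SECONDS
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)        # a good login resets the counter

def attempt_login(throttle, key, password_ok):
    """Gate one attempt: 'blocked' (never checked), 'ok', or 'denied'."""
    if throttle.is_blocked(key):
        return "blocked"
    if password_ok:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"

def simulate_bruteforce(n_attempts, throttle=None):
    """Constructed scenario: one IP bursts n_attempts wrong passwords; returns
    how many actually reached the password check (the rest were blocked)."""
    throttle = throttle or LoginThrottle()
    return sum(attempt_login(throttle, "198.51.100.7", False) == "denied"
               for _ in range(n_attempts))
```

In a real admin panel the throttle state belongs in shared storage (for example a cache shared by all web nodes) rather than process memory, and each "blocked" decision should be logged so step 4's spike alerting has something to count.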
