
Why it Matters

Without rate-limiting, attackers can try thousands of username and password combinations on the admin login page without being slowed down. This makes brute force and credential stuffing attacks much more likely to succeed, especially if users reuse weak passwords.

Adding limits on failed login attempts, or using CAPTCHA after a few failures, makes automated attacks far less effective. Slowing down attackers gives defenders more time to detect the attack and reduces the risk of account compromise.

Verification Steps

Manual

# Try multiple failed login attempts
# After a set number (e.g., 5), the system should:
# - Show CAPTCHA, OR
# - Block the IP temporarily, OR
# - Lock the account for a short period

Remediation / Fix Guidance

  1. Enable login throttling or CAPTCHA for the admin panel.
  2. Set a maximum number of failed attempts before delay, lock, or challenge.
  3. Consider IP-based blocking or integrating with a WAF for extra protection.
  4. Monitor failed login events and alert on suspicious spikes.
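The following Python module is an added example, not code from the original baseline, that puts steps 1 to 4 into working form and also mirrors the manual verification step above (five bad passwords, then the login must be rejected even with the correct password). The `LoginThrottle` class, the `USERS` table, the IP addresses and the thresholds (5 failures, 15-minute lockout) are constructed for the demo; a real deployment would store counters in a shared cache, check salted password hashes rather than plaintext, and forward the event log to its monitoring system.

```python
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES = 5            # failed attempts allowed before the lock (or a CAPTCHA challenge) kicks in
FAILURE_WINDOW = 15 * 60    # seconds over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long an IP or account stays locked

# Constructed demo credential store (hypothetical); real code compares salted hashes.
USERS = {"admin": "correct horse battery staple"}


@dataclass
class LoginThrottle:
    """Per-IP and per-account failed-login throttle with a sliding window and lockout."""
    max_failures: int = MAX_FAILURES
    window: float = FAILURE_WINDOW
    lockout: float = LOCKOUT_SECONDS
    failures: dict = field(default_factory=lambda: defaultdict(deque))  # key -> failure timestamps
    locked_until: dict = field(default_factory=dict)                    # key -> unlock time
    events: list = field(default_factory=list)                          # (time, user, ip, kind) for monitoring

    def _prune(self, key, now):
        # Drop failures older than the window so the counter is a sliding window, not a lifetime total.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]   # lock expired, clear it
            return False
        return True

    def record_failure(self, key, now):
        """Record one failure; return True if this failure triggered a lock."""
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def attempt_login(self, username, ip, password, now=None):
        """Return 'ok', 'invalid' or 'locked'. Both the source IP and the target account are throttled."""
        now = time.time() if now is None else now
        keys = (f"ip:{ip}", f"user:{username}")
        if any(self.is_locked(k, now) for k in keys):
            self.events.append((now, username, ip, "locked"))
            return "locked"
        # Constant-time compare against a dummy for unknown users, so timing does not reveal valid usernames.
        expected = USERS.get(username, "\0" * 32)
        if hmac.compare_digest(password.encode(), expected.encode()) and username in USERS:
            for k in keys:
                self.failures[k].clear()     # a good login resets the counters
            self.events.append((now, username, ip, "success"))
            return "ok"
        # List comprehension (not a generator) so BOTH keys get the failure recorded.
        locked = any([self.record_failure(k, now) for k in keys])
        self.events.append((now, username, ip, "failure"))
        return "locked" if locked else "invalid"

    def failures_in_window(self, now, window=60):
        """Step 4: count recent failures so a monitor can alert on a spike."""
        return sum(1 for t, _, _, kind in self.events if kind == "failure" and now - t <= window)


def verify_throttling(throttle=None):
    """Mirror the manual check: 5 wrong passwords, then a correct one must still be refused until the lock expires."""
    t = throttle or LoginThrottle()
    src = "203.0.113.7"   # constructed attacker address (documentation range)
    results = [t.attempt_login("admin", src, f"wrong{i}", now=1000 + i) for i in range(5)]
    during_lock = t.attempt_login("admin", src, USERS["admin"], now=1006)
    after_lock = t.attempt_login("admin", src, USERS["admin"], now=1004 + LOCKOUT_SECONDS + 1)
    return results, during_lock, after_lock


if __name__ == "__main__":
    print(verify_throttling())   # (['invalid', 'invalid', 'invalid', 'invalid', 'locked'], 'locked', 'ok')
```

The same counter that triggers the lock here is the natural place to require a CAPTCHA instead (return a "challenge" state once the threshold is reached), and `failures_in_window` is the hook for the alerting in step 4: a monitor polling it every minute would see the five failures land within seconds and raise an alert well before the lockout expires.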

Examples

Fail Example

# No limits in place
Attacker can send 10,000 login attempts without delay

Pass Example

# Limits enforced
After 5 failed attempts:
- CAPTCHA required
- Or IP blocked for 15 minutes
