|User rights, access control and monitoring: $wgPasswordAttemptThrottle|
|Limit password attempts per IP address.|
|Introduced in version:||1.14.0 (r38886)(git #6fcfa981)|
|Removed in version:||still in use|
|Default value:||see below|
Limits password attempts to 'count' attempts per 'seconds' seconds, per IP address per username.
$wgMainCacheType must be set to something other than
CACHE_NONE for this setting to work.
To disable, put the following in LocalSettings.php:
$wgPasswordAttemptThrottle = false;
Multiple thresholds can be added. They will all be tested separately.
/**
 * Limit password attempts to X attempts per Y seconds per IP per account.
 *
 * Value is an array of arrays. Each sub-array must have a key for count
 * (i.e. count of how many attempts before throttle) and a key for seconds.
 * If the key 'allIPs' (case sensitive) is present, then the limit is
 * just per account instead of per IP per account.
 *
 * @since 1.27 allIPs support and multiple limits added in 1.27. Prior
 *   to 1.27 this only supported having a single throttle.
 * @warning Requires $wgMainCacheType to be enabled
 */
$wgPasswordAttemptThrottle = [
	// Short term limit
	[ 'count' => 5, 'seconds' => 300 ],
	// Long term limit. We need to balance the risk
	// of somebody using this as a DoS attack to lock someone
	// out of their account, and someone doing a brute force attack.
	[ 'count' => 150, 'seconds' => 60 * 60 * 48 ],
];
1.14 – 1.26
/**
 * Limit password attempts to X attempts per Y seconds per IP per account.
 *
 * @warning Requires memcached.
 */
$wgPasswordAttemptThrottle = array( 'count' => 5, 'seconds' => 300 );
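The settings above fail silently when the cache is CACHE_NONE or when the case-sensitive 'allIPs' key is misspelled. The following is an added example, not MediaWiki code: a hypothetical helper, lintPasswordAttemptThrottle(), that checks a throttle value in either the multi-limit or the 1.14 to 1.26 single-limit form. The CACHE_NONE stand-in value and the third sample limit are assumptions constructed for the demonstration.

```php
<?php
// Stand-in so this runs outside MediaWiki, which defines CACHE_NONE itself.
defined( 'CACHE_NONE' ) || define( 'CACHE_NONE', 0 );

/** Hypothetical helper: list problems found in a $wgPasswordAttemptThrottle value. */
function lintPasswordAttemptThrottle( $throttle, $mainCacheType ): array {
	$problems = [];
	if ( $throttle === false ) {
		return [ 'throttling is disabled: password guessing is not rate limited' ];
	}
	if ( $mainCacheType === CACHE_NONE ) {
		$problems[] = '$wgMainCacheType is CACHE_NONE: the throttle has no effect';
	}
	if ( !is_array( $throttle ) ) {
		return array_merge( $problems, [ 'value must be false or an array' ] );
	}
	// Single-throttle form used in 1.14 to 1.26: wrap it so one loop handles both.
	if ( isset( $throttle['count'] ) || isset( $throttle['seconds'] ) ) {
		$throttle = [ $throttle ];
	}
	foreach ( $throttle as $i => $limit ) {
		if ( !is_array( $limit ) ) {
			$problems[] = "limit $i: must be an array";
			continue;
		}
		foreach ( [ 'count', 'seconds' ] as $key ) {
			if ( !isset( $limit[$key] ) || !is_int( $limit[$key] ) || $limit[$key] < 1 ) {
				$problems[] = "limit $i: '$key' must be a positive integer";
			}
		}
		// 'allIPs' is case sensitive, so a near miss silently leaves the limit per IP.
		foreach ( array_keys( $limit ) as $key ) {
			if ( $key !== 'allIPs' && strcasecmp( (string)$key, 'allIPs' ) === 0 ) {
				$problems[] = "limit $i: key '$key' should be spelled 'allIPs'";
			}
		}
	}
	return $problems;
}

// Constructed sample: the two default limits plus a misspelled account-wide limit.
$sample = [
	[ 'count' => 5, 'seconds' => 300 ],
	[ 'count' => 150, 'seconds' => 60 * 60 * 48 ],
	[ 'count' => 1000, 'seconds' => 60 * 60 * 24, 'allIps' => true ],
];
print_r( lintPasswordAttemptThrottle( $sample, CACHE_NONE ) );
```

Run it with the PHP command-line interpreter; the sample reports the cache problem and the misspelled key on the third limit.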