stop brute force attacks php omniceps

In this post we are going to describe how you can stop brute force attacks by using a simple throttling script in PHP. The class is self-descriptive. But still just to understand better we will describe what it doesn and how you can achieve the same.

What is Brute Force:

Suppose you have a login service on your website which can be used by users to login. But hackers will try to log into accounts of other users to gain personal information. Or the hackes might try to gain access to administrator panel and thereby compromising all sensitive data. For this hackers generally write scripts which execute automatically and try to enter a different username and password combination.

For some admin panels users always choose username as admin or administrator (which is already a bad practice). So 1 our of 2 things is already available to the attacker/spammer. Now he just need to try different passwords combination in order to gain access.

Brute Force also makes serving speed slow:

As the attacker is making 100s of requests per second this also impacts your overall web server speed. So your database might get locked or can get freezed due to so many simultaneous requests.

What is Throttling:

Throttling is a technique where you limit the usage of resource depending on few conditions. For example, if you have ever visited a banking website and tried to login, you will be blocked to attempt login after you have made 3 simultaneous wrong login attempts. This is done in order to stop brute force. The conditions of throttling may vary depending on the application’s requirement. To learn more about throttling follow here ->

Benefits of Throttling:

Throttling saves your web server’s precious resorces like bandwidth, memory and cpu usage.
It helps you safegaurd your application from potential hackers and spammers. To learn more about php click here ->

Usage of script below:

Below script usage will allow you to stop brute force attacks on any of you resources.

Full Code Below:

  • jminkler

    This will do nothing, except make you feel safe, and then cry when you get DDOSd from multiple IP’s

    • Omniceps

      @jminkler:disqus please elaborate more so that our readers can understand what exactly you mean. If you want you can send us more information on, and we will update this post.

      • jminkler

        This is a software fix, which never works. All it does is add more processing on each request. The code above segments all the traffic to individual users, and therefore only stops attacks that are not distributed (multiple ip addresses). Engineering a multiple IP attack is trivial these days, and commonplace. Ie. this is a waste of code, and processing time. Best defense is a hardware or server-side solution, not in the application layer.