Max login attempts per hour

Auto-ban the client IP after this many failed logins per hour. Empty disables. Separate from captcha.

Settingmax_login_attempts_h

Max login attempts per hour

Auto-ban the client IP after this many failed logins in one hour (password spraying defense).

Where to find it

Admin → Settings → Settings (first tab) → Captcha & abuse → Max login attempts per hour

Setting key: max_login_attempts_h

Empty = off. When set, minimum is typically 2.

How it works

Counts failed attempts from an IP (known and unknown usernames). Separate from Captcha on login — captcha challenges; this bans the IP.

Manage bans under Admin → Users → bans / banned IPs.

Common problems

Office / NAT users lock each other out

Many people share one public IP. Raise the number or clear bans when support spikes.

You banned yourself

Use another network, or remove the ban from an already-logged-in admin session / server access.

Related