Max login IPs per hour

Auto-ban an account that succeeds from this many distinct IPs in one hour.

Settingmax_login_ips_h

Max login IPs per hour

Auto-ban an account that logs in successfully from this many distinct IPs within one hour.

Where to find it

Admin → Settings → Settings (first tab) → Captcha & abuse → Max login IPs per hour

Setting key: max_login_ips_h

Empty = off. When set, minimum is typically 2.

How it works

Fires on successful password login (before the session fully settles), not on failed attempts. Catches credential stuffing from many places. Travelers, mobile networks, and VPNs can trip a very low number.

This is not the same as Max login attempts per hour (IP ban on failures).

Common problems

Traveling users get banned

Raise the threshold, or clear the user ban and explain VPN/mobile IP changes.

Related