This package is abandoned and no longer maintained. No replacement package was suggested.

Brute Force authentication protection.

dev-master 2016-05-10 07:23 UTC

This package is not auto-updated.

Last update: 2022-04-30 05:39:58 UTC


Automatic brute force attack prevention module for use within Zend Framework 2. Stores all failed login attempts site-wide in a database and compares the number of recent failed attempts against a set threshold. Responds by imposing a time delay between login requests.

Implementation by Team CODIFIC • We code terrific.

Inspired by the work of Evan Francis and by the Angular JS implementation.

MIT License


All failed attempts are stored in a database table. The brute force protection works per IP address. A predefined threshold configuration dictates the delay after a certain number of failed attempts. After a certain period (e.g., 10min) the failed attempts expire. Targeted denial of service attacks are still possible to a certain extent if the attacker shares an IP address with a legitimate user.


Add the plugin to your composer.json by using the following line:

"codific/zf2-brute-force-protection": "dev-master"

and run

php composer.phar update


  1. Import the user_failed_login.sql file to your database
  • If you are using a local.php configuration file stored in data/local.php then the plugin works as it is.
  • Otherwise please set the $databaseConfig array.
$databaseConfig = array(
     'host' => 'localhost',
     'port' => 3306,
     'dbname' => 'database_name',
     'username' => 'username',
     'password' => 'password');


In the LoginController (or whatever controller is responsible for the login business logic):

Before running the authentication

Before actually running the provided authentication credentials use the following code (or alike) to check whether there are too many requests:

  $delay = \Codific\BruteForce::getLoginDelay();
  if($delay > 0) {
      // Without the braces only the first statement would be conditional
      // and the redirect would run for every request.
      $this->cache->error = "Too Many Requests. Please wait $delay seconds before next try.";
      return $this->redirect()->toUrl("/admin/login/index");
  }

You can also return HTTP code 429 that is probably a more systematic solution:

  if(\Codific\BruteForce::getLoginDelay() > 0)
      return $this->getResponse()->setStatusCode(429);

If the login fails

If the login with the provided authentication credentials fails, then add the failed attempt via the following code:


That's it.
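The mechanism described above (failed attempts stored per IP, counted against a threshold table, expiring after a window, and turned into a wait before the next attempt) as an added, self-contained illustration. This is not the package's own code: the table layout, the threshold values and the method names are assumptions, and an in-memory SQLite database stands in for the MySQL table created by user_failed_login.sql.

```php
<?php
// Added illustration, not the codific/zf2-brute-force-protection code.
// Assumptions: the table layout below, the threshold table and the
// 10-minute expiry window; the real user_failed_login.sql may differ.

declare(strict_types=1);

final class FailedLoginTracker
{
    /** @var PDO */
    private $db;
    /** Seconds after which a failed attempt no longer counts (page: e.g. 10 min). */
    private $windowSeconds;
    /** attempts => delay in seconds; assumed values, kept sorted ascending. */
    private $thresholds;

    public function __construct(PDO $db, int $windowSeconds = 600,
                                array $thresholds = array(3 => 5, 5 => 30, 10 => 300))
    {
        $this->db = $db;
        $this->windowSeconds = $windowSeconds;
        $this->thresholds = $thresholds;
        ksort($this->thresholds);
        // Assumed schema (constructed for this example).
        $this->db->exec('CREATE TABLE IF NOT EXISTS user_failed_login (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            ip TEXT NOT NULL,
            attempted_at INTEGER NOT NULL)');
    }

    /** Record one failed attempt for $ip; call this when credentials are rejected. */
    public function addFailedAttempt(string $ip, int $now): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO user_failed_login (ip, attempted_at) VALUES (:ip, :t)');
        $stmt->execute(array(':ip' => $ip, ':t' => $now));
    }

    /** Failed attempts for $ip that have not yet expired. */
    public function recentFailures(string $ip, int $now): int
    {
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM user_failed_login WHERE ip = :ip AND attempted_at > :since');
        $stmt->execute(array(':ip' => $ip, ':since' => $now - $this->windowSeconds));
        return (int) $stmt->fetchColumn();
    }

    /** Seconds the client must wait before the next attempt; 0 means proceed. */
    public function getLoginDelay(string $ip, int $now): int
    {
        $count = $this->recentFailures($ip, $now);
        $delay = 0;
        // The highest threshold reached wins, so the delay grows with the count.
        foreach ($this->thresholds as $attempts => $seconds) {
            if ($count >= $attempts) {
                $delay = $seconds;
            }
        }
        return $delay;
    }

    /** Housekeeping: drop rows older than the window so the table stays small. */
    public function purgeExpired(int $now): int
    {
        $stmt = $this->db->prepare('DELETE FROM user_failed_login WHERE attempted_at <= :since');
        $stmt->execute(array(':since' => $now - $this->windowSeconds));
        return $stmt->rowCount();
    }
}

// Demonstration with constructed data.
$tracker = new FailedLoginTracker(new PDO('sqlite::memory:'));
$ip = '203.0.113.10';   // documentation-range address, constructed
$t0 = 1000000;          // arbitrary epoch seconds

for ($i = 0; $i < 5; $i++) {
    $tracker->addFailedAttempt($ip, $t0 + $i);
}
// In a controller the first call maps to "return 429 / redirect with the
// wait message" and the second shows another client is not penalised.
printf("after 5 failures: delay=%ds\n", $tracker->getLoginDelay($ip, $t0 + 5));
printf("other client:     delay=%ds\n", $tracker->getLoginDelay('198.51.100.7', $t0 + 5));
// Eleven minutes later the attempts have expired and the delay falls back to 0.
printf("after expiry:     delay=%ds\n", $tracker->getLoginDelay($ip, $t0 + 660));
printf("purged rows:      %d\n", $tracker->purgeExpired($t0 + 660));
```

Because the lookup is keyed on the client IP only, a legitimate user behind the same NAT or proxy as an attacker inherits the delay, which is the residual denial-of-service caveat the description mentions; a deployment that sits behind a reverse proxy should also make sure the IP it records is the real client address rather than the proxy's.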