FailedLoginFunction

Summary: Protect your wiki from brute-force login attempts
Version: pmwiki-2.3.33
Prerequisites: PmWiki 2.3.13
Status:
Maintainer: Petko
License: GPLv2+
Categories: Security

Description

Protect your wiki from brute-force login attempts

This page briefly documents how to implement the $FailedLoginsFunction hook, available since PmWiki 2.3.13.

Your function can store information about failed logins from your users and prevent them from trying to log in indefinitely, as in a brute-force attack.

This page only documents the PmWiki interface; you have complete freedom in how to implement the storage.

Installation

Add code such as the following to a local customization file, or to a recipe:

$FailedLoginsFunction = 'MyCustomFailedLoginsFunction';

function MyCustomFailedLoginsFunction($authid, $increment = 0) {

  if($increment) {
    // called after a failed password attempt:
    // increment and save the number of failures for $authid, then return
    return;
  }

  // called before checking a password: return whether the user
  // should be allowed to *try* to sign in
  // e.g., with $count_failed_in_10_minutes standing for the value
  // your own storage returns for $authid:
  if($count_failed_in_10_minutes > 5) return false;
  else return true;
}

Before a login attempt, your function will be called with only one argument, the username. It should return true if the user should be allowed to try to log in, false otherwise. You need to implement the counting and storage functions that "remember" the number of failures. If a user is not allowed to sign in, you may want to notify them to try again later, say via the $MessagesFmt array.

If a login fails, your function will be called with two arguments: the username as the first argument, and 1 as the second. Your function should then increment and store the number of failures for that user.
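As an added example (not part of this recipe), here is a complete file-backed implementation of the interface above that enforces the "5 failures per 10 minutes" rule described in the notes below, keyed by username rather than by $_SESSION. The names $FailedLoginsLimit, $FailedLoginsWindow, $FailedLoginsFile and the storage path are assumptions chosen here; $WorkDir, SDV() and $MessagesFmt are PmWiki's own.

```php
<?php
// Added example, not the recipe's own code: a file-backed $FailedLoginsFunction
// allowing at most $FailedLoginsLimit failures per $FailedLoginsWindow seconds,
// per username. The three variables and the file path are assumptions.
$FailedLoginsFunction = 'FileFailedLoginsFunction';
SDV($FailedLoginsLimit, 5);                        // failures allowed per window
SDV($FailedLoginsWindow, 600);                     // window in seconds (10 minutes)
SDV($FailedLoginsFile, "$WorkDir/.failedlogins");  // assumed path; it lists usernames, keep it unreadable from the web

function FileFailedLoginsFunction($authid, $increment = 0) {
  global $FailedLoginsLimit, $FailedLoginsWindow, $FailedLoginsFile, $MessagesFmt;
  $now = time();
  // Open (creating the file if missing) and lock it, so concurrent attempts do not lose updates
  $fp = @fopen($FailedLoginsFile, 'c+');
  if (!$fp || !flock($fp, LOCK_EX)) return true; // storage unavailable: fail open (return false to fail closed)
  $raw = stream_get_contents($fp);
  $data = ($raw === '') ? array() : (json_decode($raw, true) ?: array());
  // Keep only the failure timestamps still inside the window, for every user
  $cutoff = $now - $FailedLoginsWindow;
  foreach ($data as $user => $times) {
    $times = array_values(array_filter($times, function ($t) use ($cutoff) { return $t > $cutoff; }));
    if ($times) $data[$user] = $times; else unset($data[$user]);
  }
  $times = isset($data[$authid]) ? $data[$authid] : array();
  $allowed = count($times) < $FailedLoginsLimit;
  if ($increment) {
    // Called after a failed password attempt: record this failure for the username
    $times[] = $now;
    $data[$authid] = $times;
  }
  // Write back (this also persists the pruning) and release the lock
  ftruncate($fp, 0);
  rewind($fp);
  fwrite($fp, json_encode($data));
  flock($fp, LOCK_UN);
  fclose($fp);
  if ($increment) return;
  // Called before the password check: explain to the user why they cannot try right now
  if (!$allowed)
    $MessagesFmt[] = "<p class='wikimessage'>Too many failed login attempts; please try again later.</p>";
  return $allowed;
}
```

Because the counter is keyed by username only, this variant accepts the lock-out trade-off described in the notes: repeated failures against one account block that account for the window, regardless of the source IP address.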

Notes

  • Recent recommendations from the UK Cyber Security service suggest restricting login attempts after 5 failures in 10 minutes.
  • It is not recommended to store the number of tries in a $_SESSION variable, as an attacker can easily discard session information.
  • If you store the IP address with the failed requests, an attacker with access to multiple IP addresses will be able to try more passwords.
  • If you don't store the IP address with the failed requests, an attacker could easily lock a user out by continuously making requests.

To do / some day / maybe

Write an actual working implementation.

Change log / Release notes

  • 20221020: documentation page written
  • 2.3.13: configuration added to AuthUser

See also

Contributors

Written and maintained by Petko

Comments

See discussion at FailedLoginFunction-Talk
