Download the PHP package ali1/cakephp-bruteforce without Composer

CakePHP Brute Force Plugin

A CakePHP plugin for easy drop-in Brute Force Protection for your controller methods.

Component Wrapper for Ali1/BruteForceShield

Features

• IP address-based protection
• Uses the Cache class to store attempts so no database installation necessary
• Logs blocked attempts (uses CakePHP Logs)
• Does not count re-attempts with same challenge details (e.g. if a user tries the same username/password combination a few times)
• Can block multiple attempts at the same username earlier than the normal limit (to give users a chance to enter the correct username if they have been trying with the wrong one)
• Can be applied in AppController::initialize for simpler set up when authentication plugins are used
• Throws catchable exception which can optionally be caught

Requirements

• Composer
• CakePHP 4.0+
• PHP 7.2+

Installation

In your CakePHP root directory: run the following command:

Then in your Application.php in your project root, add the following snippet:

or you can use the following shell command to enable to plugin in your bootstrap.php automatically:

Basic Use

Load the component: ``

Apply protection ($this->Bruteforce->validate must come before actually verifying or actioning the user submitted data)

``

Configuration Options

The third argument for validate is the \Ali1\BruteForceShield\Configuration object.

Instructions on configuring Brute Force Protection can be found here.

Usage

For a method for username / password BruteForce

Prevent URL based brute force

Non-form data can also be Brute Forced

``

With user plugins (e.g. CakeDC/Users)

Although not ideal, when using plugins that you do not wish to extend or modify, you can safely place the validate method in AppController.php initialize method, since this will run prior to user verification within the plugin.