Access by Users is restricted when multiple concurrent wrong login attempts are recorded.
To prevent third parties brute forcing a password we implement a lockout system where a combination of a user-account and IP-address is blocked for a set amount of time. Account admins and users will also receive an email when a block takes place with details on which user is being subjected to the potential attack, from which IP-address this attack is originating, and what the duration of the block is (see below for a listing of steps and their lockout time).
The timeout is governed by a number of steps, escalating for every consecutive wrong attempt made. Note that on one successful login all previous invalid attempts will be removed from consideration. This means that every correct login resets the timeout counter. See below for the defined steps.
In the case of reaching the final attempt the IP-address can only be re-allowed by contacting firstname.lastname@example.org@email@example.com and asking for a manual reset.
When an IP has been specifically whitelisted through the Host Restrictions it will never be blocked through the lockout mechanism. This means that a whitelisted IP will never cause a lockout to occur. Previously issued bans will also be disregarded, re-activating the IP.
The easiest way to prevent brute forcing a password is to blacklist the offending IP-address in the host restrictions. See Host Restrictions for more information on how to do this.