Flood control
Provides an administration interface for Drupal's hidden flood control variables and enables site administrators to unblock IP addresses and user IDs that are blocked after multiple failed login attempts.
Machine name: flood_control
Install
composer require 'drupal/flood_control:^3.0'
composer require 'drupal/flood_control:^2.3'
Overview
Flood Control is an essential security administration module that exposes Drupal's hidden flood protection settings through a user-friendly interface. Drupal core includes built-in protection against brute force attacks on user accounts by tracking failed login attempts and temporarily blocking further attempts when thresholds are exceeded. However, these settings are not accessible through the standard admin UI.
This module provides two main administrative interfaces: a settings page where administrators configure the thresholds and time windows for login attempt limits, and a flood unblock page where administrators can view and remove entries from Drupal's flood table. This is particularly useful when legitimate users get locked out after forgotten-password attempts, or when test accounts trip the limits during testing.
The module also includes an IP allowlist feature that allows specific IP addresses or IP ranges to bypass flood protection entirely. This is useful for trusted networks, automated testing systems, or administrative access from known locations. Additionally, if the Contact module is enabled, Flood Control extends its configuration capabilities to include contact form submission limits.
Features
- Configure IP-based login attempt limits and time windows to protect against brute force attacks from single IP addresses
- Configure username-based login attempt limits and time windows to protect individual user accounts
- View all entries in Drupal's flood table with filtering capabilities by identifier and blocked status
- Remove specific flood entries to unblock IP addresses or user accounts that have been locked out
- IP allowlist feature to exempt specific IP addresses or IP address ranges from flood protection
- Configure contact form submission limits when the Contact module is enabled
- Drush commands for command-line management of flood entries
- Migration support for Drupal 7 flood control settings
- Integration with Smart IP module for geographic location display of IP addresses (optional)
Use Cases
Unblocking a legitimate user locked out after forgotten password attempts
When a user forgets their password and exceeds the failed login limit, they become locked out. An administrator can navigate to Administration > People > Flood Unblock, filter by the user's IP address or username, select the relevant flood entries, and click 'Remove selected items' to immediately restore login access.
Configuring stricter security for high-value sites
For sites handling sensitive data, administrators can reduce the login attempt limits (e.g., to 3 attempts) and extend the time windows (e.g., to 24 hours) at Administration > Configuration > People > Flood control to provide stronger brute force protection.
Whitelisting office or VPN IP addresses
Organizations can add their office IP ranges or VPN exit points to the Allowed IPs list to ensure that employees are never locked out due to flood protection, while maintaining security for external access attempts.
Emergency unblock via Drush during an incident
During a security incident or after a false positive lockout affecting multiple users, administrators can use 'drush flood_unblock:all' to quickly clear all flood entries, or 'drush flood_unblock:ip <address>' for targeted unblocking without accessing the web interface.
Preventing contact form spam abuse
Sites experiencing contact form spam can configure lower submission limits and longer time windows for the contact form flood protection to reduce automated abuse while still allowing legitimate contact.
Debugging authentication issues
When troubleshooting login problems, administrators can view the Flood Unblock page filtered to show only blocked entries to quickly identify if flood protection is causing access issues for specific users or IP addresses.
Tips
- The default Drupal settings (5 attempts in 1 hour for IP, 5 attempts in 6 hours for username) are reasonable for most sites, but high-security sites should consider lower limits
- Setting the username time window to 'Infinite' provides maximum protection but requires manual intervention to unblock affected users
- The IP allowlist supports ranges, which is more efficient than listing many individual IPs for large networks
- Use the 'Only blocked' filter on the Flood Unblock page to quickly find entries that are actually causing login issues
- The Drush commands are useful for automated recovery scripts or when the web interface is inaccessible
- Flood entries automatically expire based on their time window, so manual cleanup is only needed for immediate unblocking
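As an added illustration of how the limits, windows and expiry described in these tips interact with the flood table (example code, not the module's or Drupal core's own implementation), the model below registers failed attempts, blocks once the limit is reached, lets entries expire after the window, and shows the effect of a manual unblock; the event name, identifier format and the use of None for the 'Infinite' window are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of Drupal's flood table (example code, not the module's
# or Drupal core's own implementation). Event name and identifier format are
# assumptions; window=None models the 'Infinite' username window from the Tips.

@dataclass
class FloodEntry:
    event: str                   # e.g. "user.failed_login_ip" (assumed name)
    identifier: str              # client IP, or a user-based identifier
    timestamp: float
    expiration: Optional[float]  # None: never expires ('Infinite' window)


@dataclass
class FloodTable:
    rows: List[FloodEntry] = field(default_factory=list)

    def register(self, event: str, ident: str, window: Optional[float], now: float) -> None:
        """Record one failed attempt; it counts against the limit until it expires."""
        exp = None if window is None else now + window
        self.rows.append(FloodEntry(event, ident, now, exp))

    def is_allowed(self, event: str, ident: str, threshold: int, now: float) -> bool:
        """Allowed while fewer than `threshold` unexpired entries exist for this identifier."""
        live = [r for r in self.rows if r.event == event and r.identifier == ident
                and (r.expiration is None or r.expiration > now)]
        return len(live) < threshold

    def clear(self, event: str, ident: str) -> int:
        """What removing entries on the Flood Unblock page does; returns rows removed."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if (r.event, r.identifier) != (event, ident)]
        return before - len(self.rows)


def simulate_lockout(threshold: int = 5, window: Optional[float] = 3600) -> dict:
    """Drive the table with a constructed clock and report each decision."""
    table, event, ip = FloodTable(), "user.failed_login_ip", "203.0.113.10"
    t0 = 1_700_000_000.0  # fixed constructed epoch so results are deterministic
    for i in range(threshold):  # `threshold` failures one second apart
        table.register(event, ip, window, t0 + i)
    blocked_now = not table.is_allowed(event, ip, threshold, t0 + threshold)
    later = t0 + (window + 1 if window is not None else 10 * 365 * 86400)
    blocked_later = not table.is_allowed(event, ip, threshold, later)
    removed = table.clear(event, ip)  # manual unblock
    blocked_after_unblock = not table.is_allowed(event, ip, threshold, t0 + threshold)
    return {"blocked_now": blocked_now, "blocked_later": blocked_later,
            "removed": removed, "blocked_after_unblock": blocked_after_unblock}
```

With the default values the sixth attempt is blocked, the block lapses once the window has passed, and with window=None it never lapses until an administrator clears the entries.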
Technical Details
Admin Pages
/admin/config/people/flood-control
Configure the flood protection thresholds and time windows that control how Drupal handles failed login attempts. This page allows administrators to set limits for both IP-based and username-based flood protection, configure an allowlist of trusted IP addresses, and optionally configure contact form submission limits.
/admin/people/flood-unblock
View and manage entries in Drupal's flood table. This page displays all recorded failed login attempts with their IP addresses, user IDs, event types, timestamps, and expiration times. Administrators can filter the list and selectively remove entries to unblock users or IP addresses.
Permissions
Hooks
hook_migration_plugins_alter
Alters the d7_contact_settings migration plugin to include flood control threshold settings from Drupal 7.
hook_migrate_prepare_row
Prepares migration row data by fetching contact_threshold_limit and contact_threshold_window variables from the Drupal 7 source database.
Drush Commands
drush flood_unblock:ip <ip_address>
Clears all flood entries for a specific IP address across all flood event types.
drush flood_unblock:all
Clears all flood entries in the system for all event types. Use with caution as this removes all flood protection history.
Troubleshooting
- Check the Flood Unblock page (/admin/people/flood-unblock) for blocked entries matching the user's IP address or username. If found, select and remove the entries to unblock them. Consider adding frequently affected IP addresses to the allowlist if they are from trusted sources.
- This typically occurs when using an alternative flood backend (such as Redis or Memcache) instead of the database. The Flood Unblock UI requires the database flood backend. Check your services.yml for any flood service overrides.
- Ensure you have selected the checkbox for each entry you want to remove before clicking the remove button. The form validates that at least one item is selected.
- Ensure IP addresses are in the correct format: single IPs as XXX.XXX.XXX.XXX, ranges as XXX.XXX.XXX.YYY-XXX.XXX.XXX.ZZZ. The lower IP in a range must be numerically less than the upper IP. Each entry should be on a separate line.
- Contact form flood settings only appear when the core Contact module is enabled. Enable the Contact module first if you need to configure these settings.
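An added parser and matcher for the allowlist format described in the troubleshooting entry above (example code, not the module's own validation or matching logic); it assumes only the documented single-IP and lower-upper forms, and treats anything else, including IPv6 and CIDR notation, as invalid.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example of the allowlist format documented above: one entry per line,
# a single IPv4 address or an inclusive "lower-upper" range. It is not the
# module's own validation or matching code; treat its behaviour as assumed.

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_allowlist(text: str) -> List[Range]:
    """Parse textarea contents into (lower, upper) ranges; a single IP is a one-address range."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored, anything else must parse
        parts = [p.strip() for p in line.split("-")]
        if len(parts) > 2:
            raise ValueError(f"line {lineno}: expected 'IP' or 'lower-upper', got {line!r}")
        try:  # IPv4Address rejects malformed, IPv6 and CIDR input
            lo, hi = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[-1])
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if len(parts) == 2 and lo >= hi:
            raise ValueError(f"line {lineno}: lower IP must be numerically less than upper IP")
        ranges.append((lo, hi))
    return ranges


def allowlist_error(text: str) -> Optional[str]:
    """The validation message an admin would see for a bad list, or None when it is valid."""
    try:
        parse_allowlist(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_allowlisted(client_ip: str, ranges: List[Range]) -> bool:
    """True when the client address falls inside any entry, i.e. flood checks are skipped."""
    try:
        ip = ipaddress.IPv4Address(client_ip)
    except ipaddress.AddressValueError:
        return False  # fail closed: an unparsable or non-IPv4 client address is never exempt
    return any(lo <= ip <= hi for lo, hi in ranges)


# Constructed sample list: an office range plus a single VPN exit address.
SAMPLE_ALLOWLIST = "192.0.2.10-192.0.2.20\n198.51.100.7\n"
```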
Security Notes
- The 'Administer flood unblock settings' permission is marked as restricted and should only be granted to fully trusted administrator roles, as it controls security-critical settings
- Adding IP addresses to the allowlist completely bypasses flood protection for those IPs - use sparingly and only for truly trusted networks
- Removing flood entries immediately allows login attempts from the affected IP/user - verify the legitimacy of unblock requests
- Setting very high limits or short time windows weakens brute force protection - balance usability with security requirements
- The flood table may contain sensitive information about failed login patterns - restrict access to the Flood Unblock page appropriately