Flood Control¶
Table of contents¶
Introduction¶
Drupal's built-in flood protection blocks login attempts after repeated failures but provides no interface to configure limits or unblock affected users. Flood Control fills this gap by offering an intuitive admin UI for managing brute-force protection settings and unlocking blocked IPs and user IDs.
The module extends Drupal core's flood API with:
- A configuration form for login attempt limits and time windows.
- An IP allowlist that exempts trusted addresses from flood protection.
- A management interface to view, filter and remove blocked entries from
the
floodtable. - Contact form flood protection (when the Contact module is enabled).
- Drush commands for command-line flood management.
For a full description of the module, visit the project page.
Submit bug reports and feature suggestions, or track changes in the issue queue.
Requirements¶
- Drupal 10.2+ or Drupal 11
- No additional contributed modules required
Installation¶
Install as you would normally install a contributed Drupal module. For further information, see Installing Drupal Modules.
Configuration¶
- Navigate to Administration > Configuration > People > Flood Control
(
/admin/config/people/flood-control). - Under "Login", configure:
- IP login limit: The number of failed login attempts allowed from a single IP address.
- IP time window: The time period in which IP login attempts are counted.
- Username login limit: The number of failed login attempts allowed for a single username.
- Username login time window: The time period in which username login attempts are counted. Includes an "Infinite" option to permanently block a username after exceeding the limit.
- Under "Flood control", configure the Allowed IPs textarea to exempt trusted IP addresses or ranges from flood protection. Enter one per line:
- Single IP:
192.168.1.100 - IP range:
192.168.1.1-192.168.1.255 - If the Contact module is enabled, a "Contact forms" section appears to configure the email sending limit and time window.
- Click "Save configuration".
Usage¶
Flood unblock interface¶
Drupal prevents brute force attacks by refusing login attempts after
repeated failures. These attempts are recorded in the flood database
table. The module tracks the following events:
- User failed login IP: Failed login attempts per IP address.
- User failed login user: Failed login attempts per username.
- User failed http login: Failed HTTP authentication attempts.
- User failed password request IP: Password reset requests per IP.
- User failed password request user: Password reset requests per user.
Navigate to Administration > People > Flood Unblock
(/admin/people/flood-unblock) to manage blocked entries. This page is
also available as a tab on the People administration page. The interface
allows administrators to:
- View all entries in the flood table with their identifier, status, event type, timestamp and expiration.
- Filter entries by identifier (IP address or user ID), event type, or blocked status.
- Sort the table by column.
- Navigate through results with pagination.
- Select and remove individual entries to unblock specific IPs or user IDs.
If the Smart IP module is installed, the identifier column also displays the geographic location of IP addresses.
This page requires the "Unblock blocked IPs" permission.
Drush commands¶
Flood Control provides Drush commands for command-line flood management:
# Remove all flood entries for a specific IP address
drush flood_unblock:ip 192.168.1.100
# Remove all flood entries in the system
drush flood_unblock:all
API¶
The module provides a helper function for retrieving the IP allowlist programmatically:
// Returns an array with 'addresses' and 'ranges' keys.
$allowed_ips = flood_control_get_whitelist_ips();
This delegates to FloodWhiteList::getAllowedlistIps() and can be useful
for custom modules that need to check whether an IP is on the allowlist.