Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

This module enhances website security by implementing a hybrid approach to protect against brute force attacks and malicious bots. It uses immediate local detection and blocking by default, while also asynchronously sharing threat intelligence with a global network. This crowd-sourced data can then be used to proactively block known bad IP addresses before they even reach your site.

Reborn for Modern Drupal (D10 & D11)

Crowd Bruteforce Protection (CBP) is back and completely re-engineered for the modern web. Just like the original vision, this module connects us all together like one big Drupal installation. When one site detects a threat, the entire crowd gets smarter.

The 2.0.x release is a complete rewrite from the ground up, designed specifically for Drupal 10 and 11. It utilizes a hybrid security model that combines local reactive protection with asynchronous crowd intelligence.

How it Works: The Hybrid Model

We believe security shouldn't slow down your site. The new CBP uses a "Local First, Cloud Second" approach:

  1. Reactive Defense (Local): If an attacker hammers your login form, CBP detects it immediately using local thresholds. It bans the bad guy instantly on your server to save your resources.
  2. Asynchronous Reporting (Queue): Instead of making your users wait for an API call, we queue the report. A background worker quietly sends the threat data to our central intelligence engine.
  3. Crowd Intelligence (Global): If the crowd confirms this IP is a global threat, the module can proactively ban it before it even touches your login page (depending on your configuration).

Key Features (2.0.x)

  • Smart Flood Control: Decorates Drupal's core flood service to detect login attacks with zero latency.
  • Vulnerability Scanner: Intelligently monitors 404 errors. It ignores internal broken links (admin errors) but flags suspicious behavior—like bots scanning for wp-login.php or old exploit paths.
  • Protocol Mismatch Detection: Smart enough to distinguish between a real user following a bad link and a bot retrying non-SSL paths.
  • Fail-Open Design: If the API server goes down, your site stays up. Your local protection continues to work 100% of the time.
  • Performance Focused: Heavy lifting is done via Queue Workers to prevent thread exhaustion during attacks.

Legacy Version (Drupal 7)

The 7.x-1.x branch of this module was a pioneer in crowd-sourced security but is now end-of-life.
The code and functionality described below apply only to the Drupal 7 version and are not compatible with modern Drupal.

Summary of the original D7 functionality:

  • Dependencies: Relied on flood_unblock and flood_control contrib modules.
  • Honeypot Integration: Banned IPs based on Honeypot form failures.
  • StopForumSpam: Integrated external data from StopForumSpam.com.
  • Direct Blocking: Banned IPs instantly upon hitting a strict threshold.
  • Project Status: The original API server was retired in 2020 due to costs. The project is now active again under new maintainership with a sustainable architecture.

Join the Crowd

The more people who install this module, the effective it becomes. We are kicking the bad guys to the curb by sharing intelligence.
Whether you are a small blog or a large enterprise, your participation helps protect the entire Drupal ecosystem.

Installation:

composer require drupal/cbp

Activity

Total releases
2
First release
Jan 2026
Latest release
3 weeks ago
Releases (12 mo)
2 ▲ from 0
Maintenance
Active

Releases

Version Type Release date
2.0.0 Stable Jun 26, 2026
2.0.x-dev Dev Jan 25, 2026