Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Varbase FAQs 9.2.1 Minor update available for module varbase_faqs (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Login Security

17,382 sites Security covered
View on drupal.org

The Login Security module enhances Drupal's login security by allowing administrators to limit failed login attempts, block IP addresses, and disable default error messages to protect against brute-force attacks and account guessing. It also provides notifications for suspicious login activity and can display the last login timestamp to users.

Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.

With Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms (default login form in /user and the block called "login form block"). Enabling this module, a site administrator may

  • limit the number of invalid login attempts before blocking accounts,
  • or deny access by IP address, temporarily or permanently.

A set of notifications by email or Nagios may help the site administrator to know when something is happening with the login form of their site:

  • password and account guessing,
  • bruteforce login attempts or just unexpected behaviour with the login operation.

For alternative controls, Login Security can disable Drupal core's login error messages, obfuscating the reason for the login failure. This could make it harder for an attacker to discover whether the account even exists.

On login, users can optionally see their last login or access timestamp.

For a lighter alternative, check out Flood control.

Activity

Total releases
5
First release
Jan 2026
Latest release
5 months ago
Releases (12 mo)
5 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
2.0.7 Stable Feb 17, 2026
2.0.6 Stable Feb 17, 2026
2.0.5 Stable Feb 17, 2026
2.0.4 Stable Feb 17, 2026
2.0.3 Stable Jan 29, 2026