Grav-plugin-admin: Login page vulnerable to brute force attack

Created on 3 Nov 2016  ·  14 Comments  ·  Source: getgrav/grav-plugin-admin

The admin panel is vulnerable to brute force attacks. The login page (/admin) returns a code if the user exists and another code if the user doesn't exist, and there is no barrier stopping automated systems from trying this. I don't quite enjoy this idea, but I think the easiest way to fix this immediately could be inserting a Captcha. Another alternative (not sure how effective) could be limiting the number of attempts from the same IP per day.

The forgotten password page is also vulnerable... When you try and request a forgotten password link, the system confirms whether the e-mail is registered or not. I would suggest changing it to a more generic message such as "If this is a registered e-mail, the recovery link has been sent to it. If you don't receive the link, contact your site administrator" or something like that... but I'm not quite sure if that would suffice. Maybe someone with more expertise might want to look into this.

enhancement

All 14 comments

I would just use a single error message stating something like: Incorrect username or password. Those changes (forgotten password string change included) would make it impossible to guess usernames in either of the forms.

I wouldn't limit access by IPs, but adding captcha as an option isn't a bad idea.

I don't really like the captcha option, but if it must be added, could at least we have it active only after a few failed attempts (like 3, or something)?

Delays between log-in attempts - preferably increasing, perhaps exponentially, with each attempt up to a certain limit - effectively block brute-force attacks. The delays and limits could be set as parameters.

The forgot password functionality has been modified in the beta version of the login plugin. It only takes email addresses now.

Also, edited to print the same message whether the email exists or not, in https://github.com/getgrav/grav-plugin-login/commit/3e7c20fd66639123cfb2894d9298d4ccfb861af9

Logging failed attempts would be nice too for fail2ban etc :)

What about a way to limit the number of incorrect login attempts in a certain time period?

The Login plugin has now a security section in its configuration to control that: https://github.com/getgrav/grav-plugin-login/commit/590f188189c8453afb5992e7ec385795336ee711
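The two mechanisms proposed in this thread (an exponentially growing delay between attempts and a cap on attempts per time period), together with the fail2ban-friendly logging asked for above, as one added example. This is illustrative code, not the Login plugin's own implementation; the class, method names and default numbers are assumptions, and the caller chooses the throttle key (username, client IP, or a combination).

```php
<?php
// Added example (not Grav's or the Login plugin's own code): a login throttle that
// combines a per-window attempt limit with an exponential, capped delay between
// attempts, and logs each failure on one stable line that fail2ban can match.
// State is in-memory here; a real plugin would persist it (cache/file).
declare(strict_types=1);

final class LoginThrottle
{
    private array $state = []; // key => ['count' => int, 'last' => int, 'start' => int]
    public function __construct(
        private int $maxAttempts = 5,     // attempts allowed per window (assumed default)
        private int $windowSeconds = 900, // window length; lockout lasts until it ends
        private int $baseDelay = 2,       // first delay in seconds (assumed default)
        private int $maxDelay = 300       // cap on the exponential delay (assumed default)
    ) {}

    // Seconds the caller must wait before letting $key try again; 0 means proceed.
    public function retryAfter(string $key, int $now): int
    {
        if (!isset($this->state[$key])) {
            return 0;
        }
        $s = $this->state[$key];
        if ($now - $s['start'] >= $this->windowSeconds) { // window expired: forget it
            unset($this->state[$key]);
            return 0;
        }
        if ($s['count'] >= $this->maxAttempts) {          // limit hit: lock until window ends
            return $s['start'] + $this->windowSeconds - $now;
        }
        // Otherwise wait baseDelay * 2^(failures-1) seconds since the last failure, capped.
        $delay = min($this->maxDelay, $this->baseDelay * (2 ** ($s['count'] - 1)));
        return max(0, $s['last'] + $delay - $now);
    }

    public function recordFailure(string $key, string $user, string $ip, int $now): void
    {
        $s = $this->state[$key] ?? ['count' => 0, 'last' => $now, 'start' => $now];
        $s['count']++;
        $s['last'] = $now;
        $this->state[$key] = $s;
        // One stable line per failure so a fail2ban filter regex can pick out the IP.
        error_log(sprintf('admin login failed for "%s" from %s (attempt %d)', $user, $ip, $s['count']));
    }

    public function recordSuccess(string $key): void { unset($this->state[$key]); } // clear counter
}
```

Whatever retryAfter returns, the response shown to the user should be the same "Incorrect username or password" text suggested earlier in the thread, so neither the wording nor the delay reveals whether the account exists.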

Would still be nice to even have the OPTION for a captcha. Also, the flood protection doesn't seem to work, at all.
Grav never stops you from entering any more passwords, even with the security features enabled. Neither does it extend the time between login tries.

Am I doing something wrong or is the plugin simply broken?

Actually the Login plugin brute force protection does not apply to Admin (my bad in writing the opposite up here). In Admin, you have the option to add webserver-level protection (e.g. htaccess/htpasswd in Apache) and also limit by IP range, until this feature lands in Admin as well.

I see. Yes, I guess that is the sensible thing to do until then.
Currently, this seems like a glaring security flaw, if users don't get at least a warning that they should secure the Admin page.

Also, as already suggested: a warning for failed login attempts in the dashboard would be very nice.

Hoping for an update on this soon :)

EDIT: the .htaccess solution pretty much kills all css on the admin page. Which more or less renders it unusable.

Currently, the best you can do for better Admin security is to hide the admin page by renaming it, like so:
https://learn.getgrav.org/admin-panel/faq#custom-admin-url
I really hope a login protection for admin comes soon, as this prevents me from using it on a corporate site.

> Actually the Login plugin brute force protection does not apply to Admin (my bad in writing the opposite up here). In Admin, you have the option to add webserver-level protection (e.g. htaccess/htpasswd in Apache) and also limit by IP range, until this feature lands in Admin as well.

Brute force protection seems to be working on my admin login page. It's also in the docs. Is this comment outdated or am I misunderstanding?

Also does anyone know how to get Grav to work with fail2ban?

My alternate solution only works if you have FTP access to all your servers/hosting.

You can edit the .htaccess to only allow your specific IP address to read the /admin/ folder. Any other IP (and subsequent bots) will not be able to load any of the folder contents.

I used to use this method to disallow all, but my own IP address... to check if a build website was working, before launching it. This was before you could run a local webserver. Maybe this still works for those few users that are afraid and want total control from only their IP.
