Why does Brute Force Protection matter for Laravel security?

Failing to address brute force protection can leave your Laravel application vulnerable to attacks. StackShield continuously monitors for this issue so you can catch it before attackers do.

How do I fix a Brute Force Protection issue?

This is rated as an easy fix, typically taking 15 minutes. See the full documentation above for step-by-step instructions.

How to Fix Brute Force Protection in Laravel

What This Check Detects

Tests if login page blocks repeated failed login attempts.

Full Documentation

What is Brute Force Protection?

Brute force attacks involve automated attempts to guess user credentials by systematically trying different combinations of usernames and passwords. Without proper protection, attackers can eventually gain unauthorized access to user accounts.

Security Impact

Severity: High

Unauthorized account access
Credential stuffing attacks
Resource exhaustion
Potential data breaches

How to Fix

1. Use Laravel's Built-in Throttling

Laravel provides excellent throttling middleware out of the box. Apply it to your authentication routes:

// routes/web.php
Route::post('/login', [LoginController::class, 'login'])
    ->middleware('throttle:5,1'); // 5 attempts per minute

2. Configure Fortify Throttling (if using Laravel Fortify)

// config/fortify.php
'limiters' => [
    'login' => 'login',
],

// app/Providers/FortifyServiceProvider.php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) {
    $email = (string) $request->email;

    return Limit::perMinute(5)->by($email.$request->ip());
});

3. Add Account Lockout

Implement temporary account lockouts after repeated failed attempts:

use Illuminate\Validation\ValidationException;
use Illuminate\Support\Facades\RateLimiter;

protected function ensureIsNotRateLimited(Request $request)
{
    if (! RateLimiter::tooManyAttempts($this->throttleKey($request), 5)) {
        return;
    }

    event(new Lockout($request));

    $seconds = RateLimiter::availableIn($this->throttleKey($request));

    throw ValidationException::withMessages([
        'email' => trans('auth.throttle', [
            'seconds' => $seconds,
            'minutes' => ceil($seconds / 60),
        ]),
    ]);
}

4. Monitor and Log Failed Attempts

use Illuminate\Support\Facades\Log;

protected function sendFailedLoginResponse(Request $request)
{
    Log::warning('Failed login attempt', [
        'email' => $request->email,
        'ip' => $request->ip(),
        'user_agent' => $request->userAgent(),
    ]);

    throw ValidationException::withMessages([
        'email' => [trans('auth.failed')],
    ]);
}

Verification Steps

Attempt to log in with incorrect credentials 5 times
Verify you receive a throttle error message
Wait for the throttle period to expire
Confirm you can attempt login again
Check logs for failed attempt records

Additional Security Measures

Implement CAPTCHA after multiple failed attempts
Use two-factor authentication (2FA)
Monitor for distributed brute force attacks
Implement IP-based blocking for repeated offenders
Use password complexity requirements

Related Issues

API Rate Limiting
CSRF Protection
Session Configuration

Related Security Checks

API Rate Limiting

Checks if API endpoints implement proper rate limiting.

Easy fix 15 minutes

CSRF Protection

Verifies CSRF token implementation on forms and APIs.

Easy fix 10 minutes